All Activity

  1. Today
  2. +1 In our instance we have about 1000 passwords we'd like to reset on the same day. Currently you can only schedule X days or X months - which means over time 'drift' occurs. Being able to say 'reset on the 1st of every month' would stop the drift from occurring, along with an option to 'reset on the next scheduled reset' in the event of a failed reset (i.e. rather than try again the following day, wait until the next schedule occurs).
  3. Hello Everyone, Today we have released build 9866. For full details, please refer to our changelog here https://www.clickstudios.com.au/passwordstate-changelog.aspx Regards Click Studios
  4. Issue: one or more users log into Passwordstate, and they notice a long delay for the initial webpage to render. You may notice this delay of up to 30 seconds or more before all the Folders and Password Lists are displayed. Cause: Each Folder or Password List you see in the navigation tree requires a small bit of HTML to render. More Folders and Password Lists require more HTML, and with thousands of these objects, your browser could be rendering 10 to 20 megabytes of data each time you log in. Fix: For an affected user, get them to go to their Personal Preferences page, and enable Load On Demand. Log out and log back in again, and the performance of their initial load times should increase drastically. Apply Load on Demand to All Users: It's possible to use a User Account Policy to force some, or all users to use Load on Demand. If you have not used the User Account Policy feature before, this blog post explains what they are, and how to set them up: https://blog.clickstudios.com.au/develop-user-account-policies/ In your User Account Policy, setting #A11 is where you enable Load on Demand. Regards, Support
  5. Yesterday
  6. Hi all, My company is an MSP and uses PasswordState. We are moving many of our customer environments to Microsoft Azure. Customer VMs in Azure are accessed using RDP via an Azure Bastion host. I wanted to know if PasswordState supports the launching of RDP sessions to VMs hosted in Azure that must be accessed via an Azure Bastion service? I have searched the Internet and these forums and have not had a single hit on "PasswordState" with "Azure Bastion". I do see other vendors updating their products to support RDP connections via Bastion (e.g. RoyalTS just did this). The authentication scenarios would look like this: 1. Our engineers log into PasswordState using their in-house Active Directory accounts that we manage. 2. The engineer would launch an RDP session to a VM via Azure Bastion. The connection address would have to include the full path to resource in Azure. This could either be a Bastion shareable link which would look something like the following (both links are samples/obfuscated): https://bst-e5347507-0e14-42b3-971f-07058357fcbe.bastion.azure.com/api/shareable-url/70eac15e-b29b-4755-907b-b945213845a3 This will hit a logon web page like the following: Or, using the Azure Resource ID like the following: /subscriptions/2e5152ee-237e-44c6-b00a-682bff10711c/resourceGroups/ABC-RG-UK-MYRESGROUP/providers/Microsoft.Compute/virtualMachines/AMD-BKO-UKS-1 The latter is the method that RoyalTS now uses to specify the remote host. They use the Azure CLI Bastion extension to create the remote connection. 3. [Edited] The challenge as I see it is in being able to pass two sets of authentication credentials to Bastion to be able to log on, which will be required for some scenarios (see below). This is similar to how Terminal Server Gateway works - you need to authenticate to both the Bastion service (gateway), and to the target VM that you wish to logon to. 
In some scenarios, these credentials would have to come from two accounts: one with the privileges required to access Azure Bastion and the other to logon to the VM. PasswordState would have to be able to store and pass both. For reference, Bastion requires that the connecting user has the following Azure RBAC roles: Reader role on the virtual machine object. Reader role on the NIC with private IP of the virtual machine. Reader role on the Azure Bastion resource. Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network). Ref: Are any roles required to access a virtual machine? Logging on the VM itself would require one or two sets of credentials depending on how the VM is configured. Here are the scenarios I can think of: 1) The VM is Entra ID-joined. If this method is used, the account used to authenticate to Bastion could also be used to logon to the VM. In addition to the Entra ID RBAC roles given above, the account would also require the VM Admin Login or VM Login RBAC role. This would be the least common scenario for us. 2) The VM is joined to an AD DS domain. In this scenario, separate account credentials would have to be presented to authenticate: an Entra ID account (for Bastion) and then the AD DS domain account (for the VM). This would be very common for us. 3) The VM is in a local Windows Workgroup configuration. In this scenario, separate account credentials would have to be presented to authenticate: an Entra ID account (for Bastion) and then the local Windows account (for the VM). Has anyone done this already? Is there a config guide for this? If it's possible, I guess it's the connection string clarification that I need. As I say - I haven't found anything on the web around this config. Many thanks in advance, Garry
  7. Hello, We are in the process of setting up the connection to the servers via RDP. We are experiencing a problem when trying to connect. Passwordstate changes username to hostname\username. After analyzing the PSLaucher.ps1 file I found the block that was causing the problem. How can we deactivate it, knowing that every time I modify this file the RDP session no longer starts?

     ```powershell
     if ($UserName -like '*.\*' -or $AccountType -eq 'Windows')
     {
         # User account in this space is a local Windows Account, and is not supported to work with a Remote Desktop Gateway.
         # Therefore, no need to set a Windows Credential for this type of account
         $NewUserName = $HostName + '\' + $UserName.replace('.\', '')

         # add generic credential (TERMSRV)
         cmdkey /generic:TERMSRV/$HostName /user:$NewUserName /pass:"""$Password"""
     }
     else
     {
         # In this block, we are using a domain account, so if user is passing Remote Gateway commands to the session, we will add a Windows Credential
         # **Gateway requires a Windows Credential to be passed, not a TERMSRV (generic) credential**
         if ($rdGatewayAddr) # this IF statement checks the variable has any value other than null
         {
             # add Windows Credential
             cmdkey /add:$rdGatewayAddr /user:$UserName /pass:"""$Password"""
         }

         # add generic credential (TERMSRV)
         cmdkey /generic:TERMSRV/$HostName /user:$UserName /pass:"""$Password"""
     }
     ```

     Thanks
  8. +1 For change control, we have to document everything within the administration tab. Currently we have a custom spreadsheet with screenshots of every setting (and their sub settings such as permissions applied to list templates!) massive time sink. A way to compile this information either by report or API calls or database queries would be amazing.
  9. +1 Need this. Also a way to manage host folders from administration tab.
  10. +1; but this probably makes more sense as both a password list template option and user account policy option.
  11. What we do is run the script as a service account (Passwordstate automatically updates the password every XX days), with the Sys Wide API key being a user environment variable in the service account context. The script sets an API variable to that of the environment variable. Doesn’t get captured in logging, doesn’t get committed to Git. No one knows the key except security administrator(s) with the required security role, no one can see the key without knowing the service account password.
  12. +1 We’re also encountering a situation where we need the API to return nested object IDs: folders to return password list ids; password lists to return password ids. With nested object IDs being returned we could then use loops to process those returned objects. Having to maintain a list of specific password IDs to target with a script is time consuming.
  13. Hello Charlene, With the Red arrow Note on that screen you provided, can you ask your Passwordstate Security Administrators if they have hidden this menu? Regards Click Studios
  14. Last week
  15. Hello, I would like to have the possibility of giving users access to the TOTP code, but not giving everyone access to the configuration of the TOTP code. Configuration and access to the TOTP code configuration should be reserved for specific users or groups. Thanks
  16. Hi, We need to find out the most Retrieved or Viewed (like top 10 or 20) passwords from the last three months. There doesn't seem to be a report for it and I was about to write an SQL script to get the info from the database but decided to still ask if there's some other way to accomplish this? - Jussi
  17. We disabled the mobile access by default. On shared password lists it can be activated under permissions. But the users cannot activate mobile access for their private password lists. It needs to be done under central administration for every password list by an Administrator. Users should be able to activate mobile access for their private password lists by themselves. Thank you.
  18. Hello, I want to know if there is more documentation about the API topic. The only thing I found is this: Passwords > Passwords Menu > Passwords Home > Password Lists > List Administrator Actions > Edit Password List Properties > API Key & Settings Tab. Under the help menu, the topic "11. Web API Documentation" is listed, but I can't find it.