
Manage credentials securely with password servers – Integration of ScriptRunner and Pleasant

Author: Daniel Finkenzeller, Consultant | Reading time: 3 minutes | Category: Automation, PowerShell & Systems

Introduction

Since version 2018R3, ScriptRunner can also request the credentials for running PowerShell from password servers. This is especially useful in enterprise environments and increases security when using PowerShell.


For systems that do not support Managed Service Accounts, most password servers work by changing the account's password in Active Directory and then reconfiguring the service that runs under that account. Of course, this is only a workaround, but it is still common practice for many systems today.

Many ScriptRunner customers therefore asked for password server integration, and with ScriptRunner 2018R3 this wish was fulfilled. I had such a customer and therefore took a closer look at this new feature. Of course, I was particularly interested in the user administration and the structure of the connectors.

But let's start with the simple part. First, we take a look at the password server to understand what exactly is possible with it.

Example: Pleasant Password Server

As an example, I looked at the Pleasant password server. ScriptRunner also supports the password servers of CyberArk and Thycotic.

The more complicated a password is, the more secure it is, but also the more difficult it is to remember. Many companies therefore use tools such as KeePass, in which all passwords are stored and only the master password has to be remembered. Alternatively, a password-protected Excel file containing the passwords sits on a network drive, which is neither elegant nor very secure. A password server is a great solution for storing passwords securely, encrypted and centrally. But the idea has to be thought through from beginning to end: a password server is not really secure as long as the local admin has full access to the database, is authorized in the application, and the local admin's password is "Admin1234" as well.

Pleasant has developed a password server for this purpose. This server is used by many companies and integrates perfectly into KeePass.

ScriptRunner and Password Server

By default, ScriptRunner supports the local Windows Credential Manager for storing the necessary passwords. The disadvantage of using Credential Manager is that the passwords are stored locally on the machine and cannot be shared. Therefore, only the user under whom the passwords are created can see and administer them.

This means that once the user under whose account the credentials were stored has been compromised, the attacker has access to the passwords stored under this user.

This is exactly why password server support in ScriptRunner is so important: ScriptRunner is the hub for administrative tasks in many companies. Password sharing is a common scenario as well, because when testing a function you often want to test it as the user under which the action is executed. In addition, many companies require passwords to be changed at regular intervals for security reasons. Manual post-processing in ScriptRunner after such a change should be avoided.

Explanation: Communication ScriptRunner – Password Server

The communication between ScriptRunner and Pleasant runs in the following 4 steps:

  1. A user/admin starts an action through the ScriptRunner web interface.
  2. ScriptRunner recognizes that the action is executed by an account managed by a password server and asks for the password.
  3. The password server returns the password to ScriptRunner.
  4. ScriptRunner executes the action with the managed user.

Figure: ScriptRunner architecture, password server, communication

Password Server Connector

In order to accomplish this task, a new type of connector has been available since version 2018R3 – the Password Server Connector. Currently, we have three manufacturers in our product range: Pleasant, CyberArk and Thycotic. The inclusion of further password servers is planned.

Step-by-step: How to Set Up the Password Server Connector

In order to connect a password server to ScriptRunner, the password server connector must first be set up. This is done with PowerShell on the ScriptRunner host.

With “Get-ASRPasswordServerConnector” the current configuration can be queried.

Figure: Get-ASRPasswordServerConnector, PowerShell script

Configuration

To set up a new connector, you can use the Set-ASRPasswordServerConnector cmdlet.

Attention: this will restart the service!

Figure: Setting up a password server connector


Figure: View in the ScriptRunner AdminApp

Usage

Once the password server has been set up successfully, credentials stored on it can be used. For Pleasant, the ID from the entry's direct link must be used for this purpose.

Figure: Entry in Pleasant

Testing the configuration

To test the correct installation and configuration of the password server, I created a small action in ScriptRunner.

Figure: Creation of a credential in ScriptRunner

First, a credential is created for the action to link a user with a password. The password server was used and the ID from the direct link was entered. This ID must be unique.

After creating the credential, a target is created for which the credentials are used.

Figure: Creation of a target in ScriptRunner

When creating the credential, the only difference compared to a setup without a password server is that I put the account right behind the credential.

Figure: Creating a script for an action

For testing purposes, I created an action to view account information from the Active Directory.
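
A test action of this kind, as an added example rather than the author's script or ScriptRunner's own code: it reads account information from Active Directory, contains no password, and reports the identity it ran under so you can confirm that the account managed by the password server was actually used. The parameter names and the 90-day threshold are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only account report for a ScriptRunner test action.
# No password is stored in the script; it runs as whatever account the
# target's credential (resolved via the password server) provides.
[CmdletBinding()]
param(
    # Account to inspect (hypothetical parameter name).
    [Parameter(Mandatory)]
    [ValidateLength(1, 20)]
    [string]$SamAccountName,

    # Assumed rotation policy in days; adjust to your own.
    [ValidateRange(1, 3650)]
    [int]$MaxPasswordAgeDays = 90
)

$properties = 'Enabled', 'LockedOut', 'PasswordLastSet',
              'PasswordNeverExpires', 'LastLogonDate'
try {
    $user = Get-ADUser -Identity $SamAccountName -Properties $properties -ErrorAction Stop
}
catch {
    # Reached when the account does not exist or the executing identity lacks read access.
    throw "Cannot read '$SamAccountName': $($_.Exception.Message)"
}

# PasswordLastSet is empty when the account must change its password at next logon.
$ageDays = if ($user.PasswordLastSet) {
    [int][math]::Floor(((Get-Date) - $user.PasswordLastSet).TotalDays)
} else { $null }

# One object per run, so the result shows up as structured data in the report.
[pscustomobject]@{
    SamAccountName       = $user.SamAccountName
    Enabled              = $user.Enabled
    LockedOut            = $user.LockedOut
    PasswordLastSet      = $user.PasswordLastSet
    PasswordAgeDays      = $ageDays
    PasswordNeverExpires = $user.PasswordNeverExpires
    RotationOverdue      = ($null -ne $ageDays -and $ageDays -gt $MaxPasswordAgeDays)
    LastLogonDate        = $user.LastLogonDate
    # Identity the script actually executed under.
    ExecutedAs           = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
```

If ExecutedAs does not show the account configured in the credential, the action is not running with the password server credential.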

Figure: Creating an Action in ScriptRunner

Figure: Select a target in the Action

If the communication between the password server and ScriptRunner works, the action can be executed. There is no difference in execution time, although this depends on the configuration of the password server and the infrastructure.

Figure: Report I

Figure: Report II

Conclusion

This was a short introduction to the password server connector of ScriptRunner in connection with Pleasant.

Have fun with this feature and happy automation 🙂


About the author:

Daniel Finkenzeller, Consultant

Daniel Finkenzeller is a consultant at AppSphere AG and a guest author on the ScriptRunner Tech-Blog.
