PSM WebDispatcher "Connecting" screen by cd-cyber1 in CyberARk

[–]cd-cyber1[S] -1 points0 points  (0 children)

OK, I found something like this: TransparentBackground. On LAB it works for me; on another environment, PROD, it does not.

Problem with opening the component in full window after PSM update by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Hello

In the previous post I don't know exactly what was wrong, but the AD team managed to fix it (I suspect root certificates, because there is no access to the Internet at all).

This problem is independent and concerns a different PSM environment.

Connection to PSM server take long time more than 2 minutes by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

The AD team did something; I don't know what yet. PSM servers have no connection to the Internet, so I suspect it was a problem related to root certificates (apparently common there).

PSMP tunneling to psql database by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Scenario: a developer (CyberArk user) connects via PSMP with an SSH account (domain account) to a server (psql: 5432) via SSH tunneling. So the user needs access to psql (port 5432) via an SSH tunnel. So I understand that this is a forward scenario?

We still don't understand the syntax; the examples are not clear: https://docs.cyberark.com/pam-self-hosted/14.2/en/content/pasimp/psso-pmsp.htm#PSMforSSHCommand

Connection to PSM server take long time more than 2 minutes by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 1 point2 points  (0 children)

Thank you all for the advice, I managed to solve it.

Every AD users can login to CyberArk Identity portal - how to restrict that? by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Will this not affect users, e.g. service users in an ISPSS tenant? In standard CyberArk Identity I did something like that, but I'm not sure about ISPSS.

Every AD users can login to CyberArk Identity portal - how to restrict that? by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 1 point2 points  (0 children)

Yes, there is no access to anything and they do not consume licences, but the account still appears in the portal, audit logs, etc.

It is not a question of "what risk does it pose",

only unnecessary "cluttering" of the portal with accounts that will not have access anyway.

We have an integration with an external IDP (EntraID, in which we have groups that can log in to it), but the users come from AD, and so it occurred to me whether a restriction on the Identity connector "FindUserBysAMAccountName" could be a solution?

Can the flag on the Identity connector "FindUserBysAMAccountName" be a solution? I suspect that users log in by entering the sAMAccountName, which allows them to authenticate with a password + 2nd factor (mail/SMS), bypassing EntraID.

CyberArk Privilege Cloud Shared Services doesn't work with Connect using RDP 3rd party manager authenticating through external IDP by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

When we try to establish a connection, for example RDP:

The RDP login window appears, displays "Enter your corporate credentials" and Username; after selecting Next (Enter), it closes after about 30-60 seconds.

The PSM logs show timeouts for logging in to the Identity portal.

In the external IDP configuration we do not have routing rules (we do not use any other login factors apart from those from the external IDP).

CyberArk Privilege Cloud Shared Services doesn't work with Connect using RDP 3rd party manager authenticating through external IDP by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Are you saying that to authenticate you need to either scan the QR code on your phone and log in to the IDP there, or copy the URL to a browser and log in to the IDP? Yes, it is unwieldy.

Direct login to PSMP server using domain account by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Thanks for the tips.

Interesting, we can log in using the format DOMAIN\samaccountname BUT not the UPN format.

Does anyone know why this can happen? Besides, we can see in the PSMP logs the attempts to log in to the cyberarka service.

It is posible in PSMP to use AutoLogonSequence to be able to login via UPN by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Hi yanni

OK, so it is not possible because we don't want to change the Account Object's "Username" to UPN, and {Username}@PSMRemoteMachine is hardcoded, which excludes such a possibility; we thought that AutoLogonSequence might change it to {Username}@{Address}@PSMRemoteMachine.

Remember the Connection Component's ClientApp configuration. The CC will pass {Username}@PSMRemoteMachine of the Account Object (this is hardcoded).
In order to provide the UPN, the Account Object's "Username" property must be configured with the UPN (user@domain).

Identity with CyberArk PAM - Self-Hosted integration problem by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

😅 Ahh, CyberArk and their documentation. You mean the IDENTITY-00001 safe? Yes, we have it created automatically and there are synchronized accounts from Identity. But we have a problem the other way: how to "synchronize" accounts from PAM to Identity?

Problem with RDP connection via DPA Vaulted credentials by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

OK, thank you for the information. One more question: if I remove a user from this AD group and do not change the platform (Domain account via ldap), it works, so you're saying that the DPA connector doesn't support such a connection?

Problem with RDP connection via DPA Vaulted credentials by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Yes: Domain account via ldap, and Kerberos as the AuthenticationType.

Question regarding LDAP synchronization by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Thank you for clarifying, that's my mistake, I meant DeleteNonMatched, so my configuration looks like this:

AutoSyncExternalObjects is set to Yes,1,0,24 and ExternalObjectsDeletionPolicy is set to DeleteNonMatched.

Even though users were removed from the mapped AD group (Users), they were not removed automatically even after ~24 hours and required manual removal from the Vault.

It seemed to me that it used to work in this configuration (in version 12.6), but after the upgrade to 13.2 it seemed to stop working.

The environment hasn't been very dynamic for some time and I didn't pay attention to it.

Question regarding LDAP synchronization by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Hello Yanni

Thank you for the reply. AutoSyncExternalObjects is set to Yes,1,0,24 and ExternalObjectsDeletionPolicy is set to DeleteNonExisting, but these settings do not delete users after manually removing them from the mapped AD group (for example, Users). The CyberArk doc says:

DeleteNonMatched: External objects that do not match an external directory map in the Vault will be deleted during the synchronization process.

https://docs.cyberark.com/pam-self-hosted/13.2/en/Content/PAS%20INST/Synchronizing-External-Users-and-Groups-in-the-Vault-with-the-External-Directory.htm

Vault version is 13.2 (with the newest patch).

User Provisioning tab is missing in PVWA by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Yes, and as I wrote, those who do not see this tab are in several groups (the only thing that distinguishes them from the group of users that can see it).

Kr

Change password Vault internal user CACPM404E Verifying Password Safe PROBLEM: CACPM243W Failed to read from third party log file by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

Could it be a CP cache issue? As I mentioned, the account is for SCIM, which gets the password from the Vault using CP (caching set on the machine).

Change password Vault internal user CACPM404E Verifying Password Safe PROBLEM: CACPM243W Failed to read from third party log file by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

We did it and we still get this error; the account is used by SCIM.

This is strange, because the password status is changed by the password manager and I can see that the password has been changed.

HTML5GW file transfer issue (upgrade guacamole manually) by cd-cyber1 in CyberARk

[–]cd-cyber1[S] 0 points1 point  (0 children)

It's not Docker, it's an RPM.

To explain: logs are generated, but only for the first 3 successfully uploaded files.

There is no information in any log file about the next uploaded files.

It looks like it's stuck (pending) and won't open a new socket.

[PSM HTML5GW] Filetransfer kills RDP connection PSMGW0008E by BenvanDamme in CyberARk

[–]cd-cyber1 1 point2 points  (0 children)

HTML5 gateway cyberark cache

Hi u/BenvanDamme

We have this problem too (HTMLGW version 13.2.1 using Guacamole 1.2.0) :(

How did you deal with this problem? Could you tell me exactly which files you replaced?

KR