Integrating PAM360 with ManageEngine ADManager Plus

This document discusses the process of integrating PAM360 with ManageEngine ADManager Plus (ADMP). At the end of this document, you will have learned the following:

  1. Key benefits of Integration
  2. How does the Integration Work?
  3. Prerequisites for Performing the Integration
  4. Steps to Configure the Integration
  5. Steps to Map Accounts to ADManager Plus Security Groups
  6. Associating Domain Accounts in ADMP with PAM360
  7. Troubleshooting Tips

1. Key Benefits of Integration

ManageEngine PAM360 integrates with ManageEngine ADManager Plus, a management and reporting solution that allows IT Administrators and Technicians to manage Active Directory objects and groups and generate reports.

The PAM360-ADManager Plus integration lets you perform timely elevation and delegation of domain users into Active Directory (AD) security groups through the ADManager Plus server. By leveraging the integration, you can enforce access control for PAM360 users on domain accounts and provide just-in-time privilege elevation for those domain accounts. You can also add and remove accounts from AD security groups directly from the PAM360 interface. Once the integration is complete, all the security groups from the Active Directory server are available in PAM360.

In addition, ADManager Plus leverages PAM360 to manage its domain account passwords, particularly for privileged accounts. Previously, when a domain account password was rotated via PAM360, the same password had to be updated manually in ADMP to maintain access. Without this update, ADMP would retain the old password, leaving it unable to perform tasks such as password resets and account unlocks for AD users and potentially increasing help desk calls.

From build 7300 onwards, the domain account details in ADMP can be associated with the same in PAM360. As a result, whenever the domain account password is rotated via PAM360, the updated password from PAM360 gets automatically synchronized with the associated domain account in ADMP.

Read more about AD group management in the ADManager Plus documentation.

2. How does the Integration Work?

PAM360 retrieves data from ADManager Plus over its API, using the ADManager Plus server details you configure. The AD security groups listed in ADManager Plus are consolidated and listed in PAM360. AD domain users imported into PAM360 can then be given controlled access to the security groups populated from ADManager Plus.

3. Prerequisites for Performing the Integration

Before starting the integration, verify that all of the following prerequisites are satisfied:

  1. PAM360 connects to ADManager Plus over HTTPS only, so the SSL certificate used by ADManager Plus must be imported into PAM360 so that PAM360 trusts it. Follow the steps below to import the certificate on the PAM360 server:
    1. Stop the PAM360 service.
    2. Open a command prompt and go to the "<PAM360_Installation_Folder>/bin" directory.
    3. Execute the following command:

      importCert.bat <Path of the certificate used by ADMP>

    4. Restart the PAM360 service.
  2. The common name of the certificate must match the host name of the active ADManager Plus server (the host name that PAM360 will be configured to connect to).
  3. At least one authorized administrator in PAM360 must also be a valid technician in ADManager Plus.
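As an added example (not part of the PAM360 documentation and not ManageEngine's own tooling), the following PowerShell script automates prerequisites 1 and 2 on the PAM360 server: it fetches the certificate ADManager Plus presents on its HTTPS port, checks that the certificate's common name or a DNS subject alternative name covers the ADMP host name, refuses an expired or mismatched certificate, exports it as a DER .cer file, and runs importCert.bat with the PAM360 service stopped. The PAM360 installation folder, the PAM360 Windows service name, the ADMP port and the temporary file name are assumptions; adjust them for your environment.

```powershell
<#
  Added example, not from the PAM360 or ADManager Plus documentation.
  Fetches the HTTPS certificate the ADManager Plus server presents, checks that
  its common name (and any DNS subject alternative names) covers the host name
  PAM360 will connect to, exports it as a DER .cer file and imports it into
  PAM360 with importCert.bat while the PAM360 service is stopped.
  Assumptions: install path, service name and ADMP port are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$AdmpHost,                       # host name PAM360 will be configured with
    [int]$AdmpPort = 8443,                                          # assumed ADMP HTTPS port
    [string]$Pam360Home = 'C:\Program Files\ManageEngine\PAM360',   # assumed install folder
    [string]$Pam360Service = 'ManageEngine PAM360',                 # assumed Windows service name
    [string]$CerPath = (Join-Path $env:TEMP 'admp.cer')             # where the exported cert is written
)

$ErrorActionPreference = 'Stop'

# 1. Fetch the leaf certificate from a TLS handshake. The validation callback
#    accepts any certificate here only so that it can be inspected; whether it
#    is trusted is decided by the checks below, not by this handshake.
function Get-AdmpCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

# 2. Name check. The prerequisite requires the CN to match the ADMP host name;
#    TLS clients actually match DNS SANs, so both are checked. '-like' lets a
#    wildcard name such as *.corp.example match admp.corp.example.
function Test-CertificateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = @($cn) + @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($n in $names) {
        if ($HostName -like $n) { return $true }
    }
    return $false
}

$cert = Get-AdmpCertificate -HostName $AdmpHost -Port $AdmpPort
Write-Host "Fetched certificate: subject='$($cert.Subject)' thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"

if ($cert.NotAfter -lt (Get-Date)) {
    throw "ADMP certificate expired on $($cert.NotAfter); renew it before importing."
}
if (-not (Test-CertificateName -Cert $cert -HostName $AdmpHost)) {
    throw "Certificate names do not match '$AdmpHost'; PAM360 will not trust the connection. Reissue the ADMP certificate with the correct CN/SAN."
}

# 3. Export as DER (.cer) for importCert.bat.
[System.IO.File]::WriteAllBytes($CerPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# 4. Stop PAM360, import, restart: the order the prerequisites prescribe.
Stop-Service -Name $Pam360Service
Push-Location (Join-Path $Pam360Home 'bin')
try {
    & .\importCert.bat $CerPath
    if ($LASTEXITCODE -ne 0) { throw "importCert.bat exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
    Start-Service -Name $Pam360Service   # bring PAM360 back up even if the import failed
}
```

Run it from an elevated PowerShell session on the PAM360 server, for example `.\Import-AdmpCert.ps1 -AdmpHost admp.corp.example -AdmpPort 8443`. Because the name check runs before the import, a certificate issued for a different host name (the usual cause of a failed integration) is caught before PAM360 is stopped.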

4. Steps to Configure the Integration

You can perform all the configurations related to the PAM360-ADManager Plus integration from the PAM360 portal. To configure the integration, provide the host name and port details of the machine where ADManager Plus is installed. Once you have entered all the required details and saved the configuration, PAM360 will try to set up a connection with ADManager Plus. After the successful connection, the domain details will be retrieved from ADManager Plus and saved in the PAM360 database, and the integration will be established.

  1. Navigate to Admin >> Integration >> ManageEngine. You will see a consolidated view of all ManageEngine products integrated with PAM360.

    Note: Only users with the ManageEngine Integration role will see the ManageEngine option under Integration.

  2. In the page displayed, you will see the ADManager Plus block with one of the following buttons, depending on whether the integration is currently disabled or enabled:

Buttons and definitions:

  Enable  - Shown when the integration is disabled. Click it to enter the required details of the ADManager Plus server and enable the integration.
  Edit    - Shown when the integration is enabled. Click it to update the ADManager Plus host name and port.
  Disable - Shown when the integration is enabled. Click it to disable the integration.

  3. Click Enable and configure the following details:
    1. Enter the ADManager Plus host name.
    2. Enter the port of the ADManager Plus server.
  4. Click Enable to save the settings.
  5. Now, open the ADManager Plus web console, navigate to Admin >> Integrations >> PAM360, and enter the PAM360 host name and port in the required fields.
  6. Select the Enable tight integration with PAM360 checkbox and click Test Connection and Save to verify the connection and save the settings.

The PAM360 - ADManager Plus integration is enabled now. Proceed with mapping of domain accounts to the AD security groups.

5. Steps to Map Accounts to ADManager Plus Security Groups

Prerequisite:

Import an Active Directory user into PAM360 (if not already available) and enable administrator privileges for this user. Ensure the imported user is also a valid technician in ADManager Plus to delegate the required tasks.

Once the PAM360-ADManager Plus integration is complete, follow the steps below to perform policy configuration. The Policy Configuration option lets you elevate domain accounts to security groups just in time (the AD security groups already exist in the domain controller and are therefore visible in ADManager Plus as well).

  1. Navigate to Resources >> Add Resource and add the AD domain controller as a resource in PAM360.
  2. Click Resource Actions beside the required resource and click Configure Access Control.
  3. In the Approval Administrators tab, ensure that at least one of the Authorized Administrators listed is also a valid technician in ADManager Plus. This allows access requests to the selected resource(s) to be approved once the policy configuration changes are applied.
  4. In the Policy Configuration tab, click Select to list all the AD groups available in ADManager Plus.
  5. Choose the groups to which you want to add the resource and click Save. The chosen groups appear under the Selected Groups box.
  6. Select the Elevate accounts to the security groups option and click Save and Activate.

Now, when the resource is shared with a user who has Password User or Password Auditor capabilities, that user can request password access or elevation. The request can be approved or rejected by any admin in the Authorized Administrator list, provided their user roles satisfy the following criteria:

  • The user who performs the privilege elevation must have an administrator role in PAM360 (one of Privileged Administrator, Administrator, or Password Administrator) and, in ADManager Plus, a user role with the following permissions: Modify Users and Modify Groups. The users who receive privilege elevation in PAM360 do not need any special permissions in ADManager Plus. See the PAM360 documentation on user roles for more details.

Important Notes:

  1. Direct changes made to group membership in ADManager Plus override the changes made through PAM360.

    Example:

    1. A domain account is configured for elevation to the System Admin security group through PAM360 policy configuration.
    2. A user connects to a shared server using that domain account.
    3. Through the access control and policy configuration defined in PAM360, the normal domain account is automatically elevated just in time to the System Admin security group and receives the required privileges.
    4. If, during this time, the domain account is removed from the security group in ADManager Plus, the privilege is removed in PAM360 immediately.
  2. To perform Group Membership Automation operations in this integration, you must use the Professional edition of ADManager Plus, as Group Automation is supported only in that edition.

6. Associating Domain Accounts in ADMP with PAM360
(Applicable from build 7300 and above only)

Associating domain accounts in ADMP with PAM360 ensures seamless password synchronization. When a password rotation occurs in PAM360, it automatically updates the corresponding password in ADMP.

To associate the domain account details, follow these steps:

  1. Navigate to the Resources tab, click the Resource Actions dropdown beside the desired Windows Domain resource, and select Associate, then ADManager Plus.

    Note: This option is available only for Windows Domain resources and only when the ADMP integration is active.

  2. In the window that appears, click Fetch to import the domain name from ADMP.
  3. Select the Domain Name and Account Name to be associated from the respective dropdowns.

    Notes:

    • The Domain Account Name in PAM360 is selected automatically based on the Domain Account Name selected in ADMP.
    • An alert is displayed when a mismatch between the ADMP and PAM360 domain account details is suspected. Verify that you have associated the correct ADMP domain account in PAM360; only then will the domain account password be synchronized automatically with the right domain account in ADMP.

Once the ADMP domain account details are associated in PAM360, the domain account password is synchronized automatically whenever a remote password reset is executed from PAM360.

7. Troubleshooting Tips

  1. Check that the ADManager Plus certificate has been imported into PAM360 correctly.
  2. Check the connectivity between the two machines; connectivity must be bi-directional (PAM360 must be able to reach ADManager Plus and ADManager Plus must be able to reach PAM360).
  3. If the groups are not displayed under Access Control >> Policy Configuration, check the Domain Name field of the Windows Domain Controller resource in PAM360.

