Log Into Endpoints Using Credential Injection

When accessing a Windows-based Jump Item via the privileged web access console, you can use credentials from a credential store to log into the endpoint or to run applications as an admin.

Before using credential injection, make sure that you have a credential store or password vault available to connect to Bomgar Privileged Access.

Note: Don't have a password vault? Learn more about Bomgar Vault at https://www.bomgar.com/vault.

Install and Configure the Endpoint Credential Manager

Before you can begin accessing Jump Items using credential injection, you must download, install, and configure the Bomgar Endpoint Credential Manager (ECM). The Bomgar ECM allows you to quickly configure your connection to a credential store, such as a password vault.

Note: The ECM must be installed on your system to enable the Bomgar ECM Service and to use credential injection in Bomgar Privileged Access.

System Requirements

  • Windows Vista or newer, 64-bit only
  • .NET 4.5 or newer

Note: When installing the Endpoint Credential Manager for use with Bomgar Vault, we recommend installing it on a machine with a static IP address to avoid potential issues with Vault's IP whitelisting for the API.

  1. To begin, download the Bomgar Endpoint Credential Manager (ECM) from Bomgar Support . Start the Bomgar Endpoint Credential Manager Setup Wizard.

    Bomgar ECM EULA

  2. Agree to the EULA terms and conditions. Mark the checkbox if you agree, and click Install.

    Note: You are not allowed to proceed with the installation unless you agree to the EULA.

    If you need modify the ECM installation path, click the Options button to customize the installation location.

  3. Click Install.

     

  4. Bomgar ECM Destination Folder

  5. Choose a location for the credential manager and click Next.
  6. On the next screen, you can begin the installation or review any previous step.
  7.  

    ECM Installation

  8. Click Install when you are ready to begin.
  9.  

    ECM Installation Complete

  10. The installation takes a few moments. On the screen, click Finish.
  11.  

    Note: To ensure optimal up-time, administrators can install up to five ECMs on different Windows machines to communicate with the same site on the Bomgar Appliance. A list of the ECMs connected to the appliance site can be found at /login > Status > Information > ECM Clients.

    Note: When multiple ECMs are connected to a Bomgar site, the Bomgar Appliance routes requests to the ECM that has been connected to the appliance the longest.

Configure a Connection to Your Credential Store

Using the ECM Configurator, set up a connection to your credential store.

ECM Configurator exe File

  1. Locate the Bomgar ECM Configurator you just installed using the Windows Search entry field or by viewing your Start menu programs list.
  2. Run the program to begin establishing a connection.
  3.  

    ECM Configurator Interface

  4. When the ECM Configurator opens, complete the fields. All fields are required.
  5.  

    Enter the following values:
    Field Label Value
    Client ID The ID for your credential store.
    Client Secret The secret key for your credential store.
    Site The URL for your credential store instance.
    Port The server port through which the ECM connects to your site.
    Plugin Click the Choose Plugin... button to locate the plugin.

    ECM File List

  6. When you click the Choose Plugin... button, the ECM location folder opens.
  7. Paste your plugin files into the folder.
  8. Open the plugin file to begin loading.

Note: If you are connecting to a password vault, more configuration at the plugin level may be needed. Plugin requirements vary based on the credential store that is being connected.

important

To apply new settings in the configuration, restart the ECM service.

Use Credential Injection to Access Endpoints

After the credential store has been configured and a connection established, the privileged web access console can begin using credentials in the credential store to log into endpoints.

  1. Log into the privileged web access console.
  2. Jump to an endpoint with a Jump Item installed as an elevated service on a Windows machine.
  3. Click the Play button to begin screen sharing with the endpoint. If the endpoint is at the Windows login screen, the Inject Credentials button is highlighted.

WAC Inject Credentials Button

  1. Click the Inject Credentials button. A pop-up credential selection dialog appears, listing the credentials available from the ECM.

WAC ECM Credential Selection Dialog

  1. Select the appropriate credentials to use from the ECM. The system retrieves the credentials from the ECM and injects them into the Windows login screen.
  2. The user is logged in to the endpoint.