Privileged Identity | PRA
BeyondTrust's Privileged Remote Access plugin integration with Privileged Identity enables automatic password injection into authorized systems through encrypted BeyondTrust connections, so privileged account credentials never have to be shared with users or exposed on screen. In addition to retrieving and automatically rotating standard credentials, the integration can also retrieve shared credential lists, giving domain admins and other privileged users access to those credentials for use on the targeted systems.
Auto-rotation occurs only if configured.
The integration between BeyondTrust PRA and PI enables:
- One-click password injection and session spawning
- Credentials never exposed to authorized users of BeyondTrust
- Access to systems on or off the network with no pre-configured VPN or other routing in place
- Passwords always stored securely in the Privileged Identity server
The BeyondTrust Endpoint Credential Manager (ECM) provides the communication between Privileged Identity and Privileged Remote Access. The ECM is deployed to a hardened Windows Server inside the firewall, typically in the same network as Privileged Identity. Once the ECM is deployed, BeyondTrust users see a list of administrator-defined credentials for the endpoints they are authorized to access. When a login prompt appears during an access session, the user selects one of these credentials and is logged in automatically, without ever seeing the username/password combination.
Privileged Identity handles all elements of securing and managing the passwords, so policies that require the password to be rotated after use are supported with additional configuration provided by the plugin. Privileged Remote Access handles creating and managing access to the endpoint and then recording the session and controlling the level of access granted to the user, including what the user can see and do on that endpoint.
Prerequisites
To complete this integration, ensure that you have:
- the necessary software installed and configured as indicated in this guide, accounting for any network considerations. The integration is provided in the form of a plugin (ZIP archive containing the necessary DLL files and other supporting files) for use within BeyondTrust's Endpoint Credential Manager (ECM).
- acquired the proper version of the ECM to be compliant with the version of BeyondTrust Privileged Remote Access. See Configure the plugin for more information.
Applicable versions
- Privileged Remote Access: 15.x and newer
- Privileged Identity: 5.4.0 and newer
Network considerations
The following network communication channels must be open for the integration to work properly.
| Outbound From | Inbound To | TCP Port # | Purpose |
|---|---|---|---|
| ECM Server | BeyondTrust Appliance B Series | 443 | ECM calls to the BeyondTrust API. |
| ECM Server | Privileged Identity | 443 | ECM calls to Privileged Identity SDK Web Services. |
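Because the ECM is a .NET HTTPS client, an open port alone is not enough: the TLS certificate presented by the B Series appliance and by the Privileged Identity SDK Web Services host must also chain to a CA the ECM server trusts. The following preflight script, run from the ECM server, checks both channels in the table. It is an added example, not part of the BeyondTrust guide; the hostnames `pra.example.com` and `pi.example.com` are placeholders for your own appliance and Privileged Identity server.

```powershell
# Added example (not from the BeyondTrust guide): preflight check, run on the ECM
# server, for the two outbound TCP/443 channels listed in the network table.
# The two hostnames are placeholders; replace them with your own servers.
$checks = @(
    @{ Name = 'BeyondTrust Appliance B Series (PRA API)';  Host = 'pra.example.com' },
    @{ Name = 'Privileged Identity (SDK Web Services)';    Host = 'pi.example.com'  }
)

foreach ($c in $checks) {
    # Step 1: is TCP 443 reachable at all (firewall / routing)?
    $tcp = Test-NetConnection -ComputerName $c.Host -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$($c.Name): TCP 443 to $($c.Host) is blocked; check firewall rules"
        continue
    }

    # Step 2: does the TLS handshake succeed and does the certificate validate?
    # SslStream.AuthenticateAsClient throws if the chain is untrusted or the name
    # does not match, which is exactly what the ECM's HTTPS calls would hit.
    try {
        $client = [System.Net.Sockets.TcpClient]::new($c.Host, 443)
        $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($c.Host)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        Write-Host ("{0}: OK ({1}), subject {2}, expires {3:yyyy-MM-dd}" -f `
            $c.Name, $ssl.SslProtocol, $cert.Subject, $cert.NotAfter)
        $ssl.Dispose()
        $client.Dispose()
    } catch {
        Write-Warning "$($c.Name): TCP 443 is open but TLS failed: $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell session on the ECM server before installing the plugin. A warning on the second step with a "remote certificate is invalid" message means the port rule is fine but the appliance or Privileged Identity certificate (or its issuing CA) must be added to the ECM server's trusted root or intermediate store, or replaced with one from a trusted CA, before the ECM can call either API.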
Configure Privileged Identity
The integration requires minimal setup within Privileged Identity and should work with your existing data as it stands. The two main requirements are a delegation identity that can impersonate Privileged Identity web users and the installation of the Privileged Identity SDK Web Services.
Delegation identity
- Under Delegation > Web Application Identity Impersonation Mappings, select Create Mapping.
- If an identity already