Unable to get CyberArk credentials

Christine24
Giga Expert

We are setting up Discovery and using CyberArk in order to pass credentials. I finished setting up the MID server and followed the guide to configure the CyberArk integration, but when I test the credentials I keep getting Authentication Failed. When looking in the logs, it appears it's passing the username for the Safe as an object. I think this is the reason it keeps failing. Has anyone run into this before and know how to fix it?



chuckm
Giga Guru

Christine,

Are you seeing "successfully fetched password" in the CyberArk APPAudit log? If not, then I suggest re-checking the parameters you are entering in the Credential ID field and the CyberArk parameters in the Config.xml file.  The Credential ID field has multiple formats for referencing the CyberArk safe:  <credential ID>, <safe>:<credential ID>:<platform ID>, <safe>:<credential ID>, <safe>:, ::<platform ID>, or blank.  The config.xml file has 2 required parameters and multiple optional parameters.  They have to be set correctly for the integration to work.

To walk through an example, if you choose the <safe>:<credential ID> format for the Credential ID field (on the ServiceNow credential form), then only the required parameters (ext.cred.use_cyberark and ext.cred.safe_folder) are configured in the config.xml file.

ServiceNow Credential Form

For the <safe>:<credential ID> format, the <safe> is the value of the Safe attribute in the CyberArk Account (AWSDISCOVERY in this example).  The <credential ID> is the value of the Name attribute in the CyberArk Account (Operating System-AWSDISCOVERY-compute.amazonaws.com-Administrator in this example).
Note: The Credential ID attribute was limited to 40 characters prior to New York, but has since been extended to 180 characters to accommodate larger values from CyberArk.


CyberArk Account Details


Config.xml


CyberArk APPAudit Log

This entry from the CyberArk APPAudit log represents one successful credential retrieval from the CyberArk Safe (AWSDISCOVERY) - where both the username (Administrator) and password are retrieved.

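As an added illustration of the Credential ID formats listed above (this is example code, not part of the original reply or of the ServiceNow MID Server), the parser below splits a Credential ID value into its safe, account name and platform ID parts, rejects a non-string value like the one the reporter saw in the log, and enforces the 40 / 180 character limits mentioned in the note. The exact whitespace handling is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Field length limits quoted in the thread: 40 chars before New York, 180 after.
LEGACY_MAX_LEN = 40
MAX_LEN = 180

# The <safe>:<credential ID> value from the worked example in the thread.
EXAMPLE_ID = ("AWSDISCOVERY:"
              "Operating System-AWSDISCOVERY-compute.amazonaws.com-Administrator")


@dataclass(frozen=True)
class CredentialRef:
    safe: Optional[str]         # Safe attribute of the CyberArk Account
    object_name: Optional[str]  # Name attribute of the CyberArk Account
    platform_id: Optional[str]  # CyberArk platform ID

    def needs_config_defaults(self) -> bool:
        """True when safe or account name is absent, so the MID Server has to
        fall back to the values configured in config.xml."""
        return self.safe is None or self.object_name is None


def parse_credential_id(value: str, max_len: int = MAX_LEN) -> CredentialRef:
    """Split a Credential ID into parts. Accepted shapes (from the thread):
    "<object>", "<safe>:<object>", "<safe>:<object>:<platform>", "<safe>:",
    "::<platform>" and "". An empty segment means 'not given'."""
    if not isinstance(value, str):
        # The reporter's log showed an object instead of a string; fail loudly
        # rather than sending a stringified object to CyberArk.
        raise TypeError(f"Credential ID must be a string, got {type(value).__name__}")
    value = value.strip()  # assumption: surrounding whitespace is not significant
    if len(value) > max_len:
        raise ValueError(f"Credential ID is {len(value)} chars, limit is {max_len}")
    parts = value.split(":")
    if len(parts) > 3:
        raise ValueError("Credential ID has more than three ':'-separated parts")
    if len(parts) == 1:           # bare "<object>": no safe, no platform
        parts = ["", parts[0], ""]
    parts += [""] * (3 - len(parts))
    safe, obj, platform = (p or None for p in parts)
    return CredentialRef(safe, obj, platform)


def fits(value: str, max_len: int) -> bool:
    """Return True if the value parses and fits the given length limit."""
    try:
        parse_credential_id(value, max_len)
        return True
    except (ValueError, TypeError):
        return False
```

Running `fits(EXAMPLE_ID, LEGACY_MAX_LEN)` shows why the example account name would not have fit in the pre-New York 40 character field.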


Yes, I have followed the instructions and set it up like stated above but it's still not working. When checking the log, it shows that it is failing and it looks like it thinks credential ID is an object being passed through.

Hi,

I think I can help you on this.

1) Check if you have added the APP-ID to the safe as a member.

2) You need a CyberArk privileged account to also be added to this Safe as a member with proper rights. This user should be there; if not, create it. Check the format as prov_MIDSERVERNAME. It needs proper rights to allow the APP-ID to read credentials.

Basically this means prov_MIDSERVERNAME is a credential provider and APP-ID is the consumer of the credentials. I think this is what we call a web pool.

Check this and let me know.

Thanks,
Ashutosh

Adding to Ashutosh Munot:

#1) The App-ID is called ServiceNow_MID_Server.  It must be created in CyberArk and be added to the safe.
#2) The AAM user (prov_<Provider machine name> where the Provider machine name is the name of the MID Server) is created during the installation of the AIM client software by default*. The AAM user enables the Central Credential Provider to authenticate to the Vault and retrieve passwords.  As with the ServiceNow_MID_Server App-ID, the prov_<Provider machine name> also needs to be added to the safe.

*When the AAM user (prov_<Provider machine name>) is created, it only has the following authorizations to the Vault:

Audit Users
Add Safes

You have to manually make it the owner of the Password Safes that it will have access to for retrieving passwords for the integration to work.