Get Credentials out of Code with Secret Server API

16 07 2013

A few years back, our engineers decided to solve a new password problem: network credentials are not only used by people. Sometimes other programs need credentials to interact with the network too. Secret Server was already providing full audits of each user’s credential usage, so why not create an API so that programs could also use Secret Server for credential access?

Secret Server’s API allows third-party programs and scripts to access Secret Server programmatically. Secrets and Folders can be searched and retrieved, and new ones can be created. This not only provides a full audit trail of credential usage by third-party applications, but also improves security by getting credentials out of clear text within the application’s code.

Any developer can make use of Secret Server’s API in their scripts or to integrate with existing software. It’s always great when companies use our APIs and share their integrations with others. Here are a couple of examples:

Puppet Labs creates automation software for provisioning, maintaining infrastructure configurations, automating repetitive tasks and more. Steve Shipway, a Puppet Labs and Secret Server user, wrote a module for Puppet Labs that uses the Secret Server API to assist Puppet Labs’ configuration and provisioning tasks. The Secret Server API module for Puppet Labs is available online for free.

Devolutions’ Remote Desktop Manager provides a central location for managing remote connections, including PuTTY, RDP and TeamViewer. Through the Remote Desktop Manager integration with Secret Server, network admins can use their Windows Authentication credential to launch applications, providing greater network security.

Ready to start making your own third-party program integrations with Secret Server? Check out our KnowledgeBase for guidance.

Conventions for Naming Secrets

9 07 2013

When first adding Secrets to your Secret Server account, one of your questions might be, “What should I name my Secrets?” This is a great question, and one we recommend every new Secret Server customer think about. Secret names should be descriptive, but should not reveal any sensitive data. One option for Administrators who want Secrets to be easily identifiable in Reports and in searches is to use naming requirements, for example UserName\DeviceName. Whatever naming convention you choose, it will simplify your experience in the long term.

Once you create a naming convention, you will want to be able to enforce it. Secret Server can use a Regex to validate a Secret name upon creation, which ensures that Secret names match the desired pattern. Naming patterns are assigned per Secret Template.

For this example, we’ll walk you through the steps to set naming rules for a Secret Template, using the Windows Server 2008 R2 Local Admin Account Template. First, visit Administration > Secret Templates. Next, select the Windows Account Template and click Edit. The current Template configuration and fields will appear; click Change. Now you can enter a Regex. For this example, we want all Secrets using this Template to be named in the following form: admin\computername-PC

To enforce our chosen naming pattern we will use the following Regex: ^admin\\\w+-PC$

Now you can set the Error Message that will appear when users attempt to create a Secret using a name that does not match your chosen pattern. In this case, we’ll have the error message say “Secret Name must be admin\computerName-PC”.
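To see how the pattern above behaves before rolling it out to a Template, here is an added example (not Secret Server code, and not from the original post) that applies the same Regex and error message to a set of constructed candidate names. It assumes Python’s re module, whose syntax for this pattern matches the .NET engine Secret Server uses; the sample names are made up.

```python
import re

# The pattern from the post, as a raw string so the escaped backslash
# reaches the regex engine unchanged: a literal "admin\" prefix, one or
# more word characters (letters, digits, underscore), then "-PC".
NAME_PATTERN = re.compile(r"^admin\\\w+-PC$")
ERROR_MESSAGE = "Secret Name must be admin\\computerName-PC"


def validate_secret_name(name, pattern=NAME_PATTERN, error=ERROR_MESSAGE):
    """Return None when the name conforms, otherwise the error text the
    Template would show the user. fullmatch() is used rather than match()
    so that a trailing newline cannot slip past the "$" anchor."""
    if pattern.fullmatch(name):
        return None
    return error


def check_names(names):
    """Validate a batch of candidate names; returns {name: result}."""
    return {n: validate_secret_name(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names (hypothetical hosts), not from the post.
    candidates = [
        r"admin\FILESRV01-PC",    # conforms
        r"admin\web 01-PC",       # space is not a word character
        r"Admin\FILESRV01-PC",    # the pattern is case-sensitive
        r"admin\FILESRV01-PC ",   # trailing space, rejected by "$"
        r"admin\\FILESRV01-PC",   # two backslashes, only one allowed
        r"FILESRV01-PC",          # missing the admin\ prefix
    ]
    for name, result in check_names(candidates).items():
        print(f"{name!r:26} -> {'OK' if result is None else result}")
```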
