
Service Management

Managing the credentials of Windows services and scheduled tasks

Overview

KeeperPAM Password Rotation is able to automatically manage the "log on" credentials for Windows services and scheduled tasks.

When rotation is performed for a specific PAM User record, the Keeper Gateway will update the credentials for all services and scheduled tasks on the associated PAM Machine, and restart the services. One PAM User record can be associated to any number of PAM Machine records, allowing you to update the services and scheduled tasks across a fleet of servers.

Windows Service Management

Prerequisites

This guide assumes the following tasks have already taken place:

  • Rotation enforcements are configured for your role

  • A Keeper Secrets Manager application has been created

  • Your Keeper Gateway is online

  • The Keeper Gateway can communicate over WinRM or SSH to the target machine:

    • WinRM: Enabled and running on port 5986. Verification: Run winrm get winrm/config to verify that WinRM is running. See the WinRM setup page for installation help. OR...

    • SSH: Enabled and running on port 22. Verification: Run ssh [your-user]@[your-machine] -p 22 to verify that SSH is running.

  • Any Windows-based PAM Machine record being managed needs to have the operating system field set to windows

Setup

Service account and scheduled task management works by associating a PAM User record with one or more PAM Machine records in the vault. This mapping tells the Keeper Gateway to reach into each machine and look up any services running as the user, updating the password and restarting the service.

Ensure that you are using a PAM Machine record to manage services and scheduled tasks on the resource. If you are using a different type of resource (Database, Directory, etc.), you can create an additional PAM Machine resource that is associated with the same PAM User.
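The mapping described above makes the Gateway look up every service and scheduled task running as the PAM User on each machine. The PowerShell script below is an added example, not Keeper's or the Gateway's own code: run on the target Windows server (or over a WinRM session), it lists the services and scheduled tasks whose logon account is a given user and flags the ones that are not running, so you can confirm up front what a rotation of that PAM User will touch. The account names in the comments and the helper Get-PrincipalKey are assumptions made for illustration.

```powershell
# Added example (not Keeper's code): inventory what a rotation of one PAM User
# would touch on this host, before associating the record with the PAM Machine.
# Run locally on the target Windows server, or inside a WinRM session to it.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # e.g. 'CONTOSO\svc-app' or '.\testuser' (assumed sample names)
)

# Normalise the spellings Windows uses for the same principal so that
# 'CONTOSO\svc-app', 'svc-app@contoso.com' and '.\svc-app' compare equal.
function Get-PrincipalKey([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $n = $Name.Trim()
    if ($n -match '^(?<user>[^@\\]+)@(?<dom>.+)$') {           # UPN form
        return ('{0}\{1}' -f $Matches.dom.Split('.')[0], $Matches.user).ToLowerInvariant()
    }
    if ($n -match '^(?<dom>[^\\]*)\\(?<user>.+)$') {            # DOMAIN\user or .\user
        $dom = if ($Matches.dom -in @('.', '')) { $env:COMPUTERNAME } else { $Matches.dom }
        return ('{0}\{1}' -f $dom, $Matches.user).ToLowerInvariant()
    }
    return ('{0}\{1}' -f $env:COMPUTERNAME, $n).ToLowerInvariant()  # bare local user
}

$wanted = Get-PrincipalKey $Account

# Services: Win32_Service.StartName is the "Log On As" account of the service.
$services = Get-CimInstance Win32_Service |
    Where-Object { (Get-PrincipalKey $_.StartName) -eq $wanted } |
    Select-Object Name, DisplayName, State, StartMode

# Scheduled tasks: the task principal is the account the task runs as.
$tasks = Get-ScheduledTask |
    Where-Object { (Get-PrincipalKey $_.Principal.UserId) -eq $wanted } |
    Select-Object TaskName, TaskPath, State

[pscustomobject]@{
    Account         = $Account
    Services        = $services
    # A stopped service has its credential updated but, as the page notes,
    # is not started by Keeper afterwards: list those so nobody expects it to come up.
    StoppedServices = @($services | Where-Object State -ne 'Running').Name
    ScheduledTasks  = $tasks
}
```

Run it as an administrator on the machine (for example `.\Get-AccountUsage.ps1 -Account 'CONTOSO\svc-app'`, with the script name and account being assumptions); the StoppedServices list is the one to compare against the service restart behaviour described under Troubleshooting.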

Using Discovery

When running a Discovery job, Keeper will automatically locate any services or scheduled tasks that require an update when a password is rotated.

If you don't use Discovery, this can be managed directly through the Commander CLI interface using the pam action service commands.

Using the Commander CLI

Keeper Commander provides the necessary commands to associate services and scheduled tasks, such that password rotations will trigger an update and restart of the service.

Installing Commander

If you haven't set up Keeper Commander yet, please follow the installation instructions.

Locate Gateway UID

Use the pam gateway list command to locate the UID of the Gateway which manages the machine containing the services and scheduled tasks. You'll need this for the next step.

    My Vault> pam gateway list
    
    KSM Application Name (UID)   Gateway Name    Gateway UID             Status
    --------------------------   ------------    ----------------------  --------
    My Application1              East Cost       oVCr3n7qV8uARjwSqBQBBw  ONLINE
    My Application2              West Coast      qSiGWa55QVaGEv3_xAO3UA  ONLINE
    My Application3              GovCloud        31t78gWKRQeY54l0u1sbMA  ONLINE
    My Application4              Tokyo           2XT9aKlYTLOyTnVlpny-dA  ONLINE

Locate PAM Machine and PAM User UID

The PAM Machine and PAM User UIDs can be found in Commander by using the ls -l command inside a folder or by using the search command.

The UIDs can also be found in the Keeper Vault "Record Information" screen (see Find the Record UID).

Services Management Commands

Use the pam action service command to instruct Keeper to update services and scheduled tasks on a particular machine, for a particular user, within a network.

    My Vault> pam action service
    pam command [--options]
    
    Command    Description
    ---------  ------------------------------------------
    list       List all mappings
    add        Add a user and machine to the mapping
    remove     Remove a user and machine from the mapping

Adding a Service / Task / IIS

To instruct Keeper to update and restart services and scheduled tasks on a particular machine, use the syntax below. The -t option selects the association type (service, task or iis):

    pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t service
    pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t task
    pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t iis

Removing a Service / Task / IIS

To instruct Keeper to remove the associations of services and scheduled tasks on a machine:

    pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t service
    pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t task
    pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t iis

Listing all Mappings

To display the current mappings between Gateway, Machine and User accounts where services and tasks need to be managed, use the pam action service list command, optionally limited to one Gateway with -g:

    My Vault> pam action service list -g oVCr3n7qV8uARjwSqBQBBw
    
    User Mapping
      Local service user - testuser (pEFr_dJn5EAc3MT_v30DQw)
        * Lureydemo.com Server (CrvdntH-f9mIcraY1InGiw) : Services, Scheduled Tasks
        * Windows 2022 Server  (U3fHEK2i7LIkWZAzANz2sA) : Services, Scheduled Tasks

Triggering the service update

To perform a password rotation of a PAM User account, click the Rotate button in the vault user interface (see Rotate the Windows Credential).

To perform the rotation from Commander, run pam action rotate with the UID of the PAM User record:

    My Vault> pam action rotate -r pEFr_dJn5EAc3MT_v30DQw
    Scheduled action id: +dXjf690oGKgg==

To view the status of the rotation job, check the Vault UI or run the pam action job-info command with the scheduled action id and the Gateway UID:

    My Vault> pam action job-info +dXjf690oGKgg== --gateway=oVCr3n7qV8uARjwSqBQBBw
    Job id to check [+dXjf690oGKgg==]
    
    Execution Details
    -------------------------
    Status              : finished
    Duration            : 0:01:01.923147
    Response Message    : Rotation completed for record uid XXX with post-execution

Troubleshooting

Service Restarts

Keeper will not start a service which is currently stopped. Only services that are actively running are restarted after the log on credential has been updated.

When troubleshooting a service credential update issue, please make sure of the following:

  • For a Windows server, ensure the operating system field of the PAM Machine record is set to windows

  • Ensure that the Keeper Gateway can communicate to the PAM Machine via WinRM (port 5986) or SSH (port 22).

  • Check Event Viewer > Windows Logs > Application on the target machine for any error messages

  • Ensure that you are using a PAM Machine record to manage services and scheduled tasks.
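The PowerShell script below is an added example, not Keeper's code, that runs the troubleshooting checks above from an admin workstation or the Gateway host: it tests whether the WinRM (5986) and SSH (22) ports are reachable, performs a WS-Man identify exchange over HTTPS, and, over WinRM, reads the service's Log On As account and state together with recent Application log errors. The host name, service name and time window are placeholders to replace with your own values.

```powershell
# Added example (not Keeper's code): pre-flight and post-rotation checks for a
# Windows PAM Machine, run from an admin workstation or the Gateway host.
# $Target and $ServiceName are placeholders; adjust them to your environment.
param(
    [string]$Target = 'win2022.example.local',   # assumed host name
    [string]$ServiceName = 'MyAppService',        # assumed service name
    [datetime]$Since = (Get-Date).AddHours(-1)    # window for Application log errors
)

# 1. Transport reachability: the Gateway needs WinRM on 5986 or SSH on 22.
$ports = foreach ($p in 5986, 22) {
    $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
}

# 2. WinRM itself: Test-WSMan performs a real WS-Management identify request over HTTPS,
#    so it fails on a listener, certificate or authentication problem, not only a closed port.
$winrmOk = $false
$winrmErr = $null
try {
    $null = Test-WSMan -ComputerName $Target -Port 5986 -UseSSL -ErrorAction Stop
    $winrmOk = $true
} catch { $winrmErr = $_.Exception.Message }

# 3. On the target: confirm the service's Log On As account and state, and pull
#    Application log errors since the rotation (the Event Viewer check above).
$remote = $null
if ($winrmOk) {
    $remote = Invoke-Command -ComputerName $Target -UseSSL -Port 5986 -ScriptBlock {
        param($svc, $since)
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        [pscustomobject]@{
            LogOnAs   = $s.StartName   # should be the rotated PAM User
            State     = $s.State       # a stopped service is not started by Keeper
            AppErrors = Get-WinEvent -FilterHashtable @{
                            LogName = 'Application'; Level = 1, 2; StartTime = $since
                        } -ErrorAction SilentlyContinue |
                        Select-Object TimeCreated, ProviderName, Id, Message
        }
    } -ArgumentList $ServiceName, $Since
}

[pscustomobject]@{
    Target  = $Target
    Ports   = $ports
    WinRM   = if ($winrmOk) { 'ok' } else { "failed: $winrmErr" }
    Service = $remote
}
```

Run it with the credentials the Gateway uses for the machine so that an authentication failure shows up here in the same way it would during rotation; if the WinRM step fails but port 22 is open, the SSH path is the one to verify with the ssh command from the Prerequisites.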