Example: Azure Windows VM

Configuring an Azure Windows VM as a PAM Machine Record

Overview

In this example, you'll learn how to configure an Azure Windows VM in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have:

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as Azure Virtual Machines can be configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Configure a Windows Machine on the PAM Machine Record

Suppose I have an Azure Virtual Machine with the hostname "10.0.1.4". The following table lists all the configurable fields and their respective values:

Field | Description | Value
Title (Required) | Title of the PAM Machine Record | Windows VM
Hostname or IP Address (Required) | Address, RDP endpoint or server name of the Machine Resource | 10.0.1.4
Port (Required) | Port to connect to the Azure VM for rotation: 22 for SSH, 5986 for WinRM | 5986
Operating System | The target's Operating System | Set to: Windows
Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine: webserver-prod-01
Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine
Provider Group | Azure or AWS Provider Group | Required if a managed Azure Machine
Provider Region | Azure or AWS Provider Region | Required if a managed AWS Machine
Connection Parameters | Connection-specific protocol settings which can vary based on the protocol type | See this section for RDP protocol settings. We recommend specifying the Connection Port at a minimum, e.g. "3389" for RDP.

Example of Azure Windows VM

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Azure Virtual Machine:

Field | Description | Required
PAM Configuration | Associated PAM Configuration record which defines the environment | Required. This is the PAM Configuration you created in the prerequisites
Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details
Protocol | Native protocol used for connecting from the Gateway to the target | Required. For this example: "RDP"
Session Recording | Options for recording sessions and typescripts | See session recording

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information.

Setting a Non-Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Example: Linux Machine

Configuring SSH Server as a PAM Machine Record

Overview

In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have:

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as Linux Machines can be configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Linux Machine Example

Configure a Linux Machine on the PAM Machine Record

Suppose I have a local Linux Virtual Machine with the hostname "linux-machine". The following table lists all the configurable fields and their respective values:

Field | Description | Value
Title (Required) | Title of the PAM Machine Record | Linux Machine
Hostname or IP Address (Required) | Address, RDP endpoint or server name of the Machine Resource | linux-machine
Port (Required) | Port to connect to the Linux Resource | 22
Operating System | The target's Operating System | linux
Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine
Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine
Provider Group | Azure or AWS Provider Group | Required if a managed Azure Machine
Provider Region | Azure or AWS Provider Region | Required if a managed AWS Machine
Connection Parameters | Connection-specific protocol settings which can vary based on the protocol type | See this section for SSH protocol settings. We recommend specifying the Connection Port at a minimum, e.g. "22" for SSH.

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:

Field | Description | Required
PAM Configuration | Associated PAM Configuration record which defines the environment | Required. This is the PAM Configuration you created in the prerequisites
Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details
Protocol | Native protocol used for creating a session from the Gateway to the target | Required. For this example: "SSH"
Session Recording | Options for recording sessions and typescripts | See the session recording section

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.

Setting a Non-Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

PAM Machine

KeeperPAM resource for managing machines on-prem or in the cloud

Overview

A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.

PAM Record Type | Supported Assets
PAM Machine | Windows/macOS/Linux Machines, EC2 Instances, Azure VMs, GCP Compute Engine instances

Features Available

The PAM Machine resource supports the following features:

  • Password rotation

  • SSH key rotation

  • Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols

  • TCP Tunnels

  • Session recording

  • Sharing access without sharing credentials

  • File transfer through drag-and-drop

Connecting to the PAM Machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Machine

Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Machine contains information about an asset, such as a Windows or Linux server.

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Creating a new PAM Machine record

PAM Machine Record Type Fields

The following table lists all the configurable fields on the PAM Machine Record Type:

Field | Description | Notes
Hostname or IP Address | Address of the machine resource | Required
Port | Port to connect on. The Gateway uses this to determine the connection method. | Required. Must be a port for SSH or WinRM: Keeper expects 22, 5985, 5986, or an alternative port for SSH or WinRM specified in the PAM Configuration port mapping
Administrative Credentials | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details
PAM Settings | This is where you configure Connection and Tunnel settings for this machine. | Required. Visit this section for more details
Operating System | The target's Operating System | For your reference only
SSL Verification | When checked, verifies the certificate of the host when connecting with SSH | Only applies to certain databases and directories where SSL is optional
Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine
Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine
Provider Group | Provider Group for directories hosted in Azure | Required if Azure Machine
Provider Region | AWS region of hosted directory | Required if AWS Machine
Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol. We recommend specifying the Connection Port at a minimum.

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings

Field | Description | Required
PAM Configuration | Associated PAM Configuration record which defines the environment | Required
Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required
Protocol | Native protocol used for connecting the session from the Gateway to the target | Required
Session Recording | Options for recording sessions and typescripts | See session recording

PAM Settings for a PAM Machine resource

Below are a couple of examples of PAM Machine records with Connections and Tunnels activated.

PAM Machine Record - Windows

PAM Machine Record - Linux

Examples

Visit the following pages to set up:

  • Linux Machine

  • Azure Virtual Machine
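The field rules spread across the tables above (the Port must be 22, 5985, 5986 or a port that the PAM Configuration port mapping assigns to SSH or WinRM, since the Gateway derives the connection method from it; Instance Name and Instance ID are required for AWS/Azure machines; Provider Group for Azure and Provider Region for AWS; a Connection Port is recommended in Connection Parameters; tunnels need no linked credential) can be checked before a record is created in the vault. The script below is an added example written for this page, not Keeper's code, and it does not call the Keeper API or mirror Keeper's record schema: the PamMachine field names, the purpose value, the {port: method} shape of the port mapping and the sample records (including the placeholder instance ID, Provider Group and PAM Configuration names) are assumptions. It runs the two documented examples, the Azure Windows VM and the Linux machine, through those rules and also shows how a non-default SSH port is accepted only when the port mapping covers it.

```python
"""Pre-flight checks for a KeeperPAM "PAM Machine" record.

Added example, not Keeper's code: it neither calls the Keeper API nor
mirrors Keeper's record schema. It only encodes the field rules stated
in the PAM Machine documentation so a record can be sanity-checked
before it is created in the vault. Field names, the `purpose` value,
the port-mapping shape and the sample values are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Documented default ports and the connection method the Gateway infers from them.
DEFAULT_PORT_METHOD = {22: "ssh", 5985: "winrm", 5986: "winrm"}

# Connection ports used in the documented examples (3389 for RDP, 22 for SSH).
DOCUMENTED_CONNECTION_PORTS = {"RDP": 3389, "SSH": 22}


@dataclass
class PamMachine:
    title: str
    hostname: str
    port: int                     # SSH/WinRM port used for rotation
    protocol: str                 # PAM Settings protocol: "SSH", "RDP", "VNC", "K8s", "Telnet"
    pam_configuration: str        # linked PAM Configuration record (name only here)
    purpose: str = "connection"   # "rotation", "tunnel" or "connection" (assumed field)
    admin_credential: str = ""    # linked PAM User record (name only here)
    operating_system: str = ""    # for reference only, per the field table
    provider: str | None = None   # "aws", "azure" or None for on-prem (assumed field)
    instance_name: str = ""
    instance_id: str = ""
    provider_group: str = ""
    provider_region: str = ""
    connection_port: int | None = None


def rotation_method(port: int, port_mapping: dict[int, str] | None = None) -> str:
    """Return "ssh" or "winrm" for the record's Port.

    22, 5985 and 5986 are recognised directly; any other port must be mapped
    to SSH or WinRM by the PAM Configuration port mapping, modelled here as
    {port: "ssh" | "winrm"} (an assumption of this example).
    """
    mapping = dict(DEFAULT_PORT_METHOD)
    mapping.update({p: m.lower() for p, m in (port_mapping or {}).items()})
    method = mapping.get(port)
    if method not in ("ssh", "winrm"):
        raise ValueError(
            f"port {port} is not an SSH/WinRM port and is not mapped in the PAM Configuration"
        )
    return method


def validate(record: PamMachine, port_mapping: dict[int, str] | None = None) -> dict[str, list[str]]:
    """Check a record against the documented rules.

    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list
    means the record satisfies every documented requirement.
    """
    errors: list[str] = []
    warnings: list[str] = []

    for name, value in (("Title", record.title), ("Hostname or IP Address", record.hostname),
                        ("PAM Configuration", record.pam_configuration)):
        if not value:
            errors.append(f"{name} is required")

    # The Gateway derives the rotation method (SSH or WinRM) from the Port.
    try:
        rotation_method(record.port, port_mapping)
    except ValueError as exc:
        errors.append(str(exc))

    # Tunnels do not require a linked credential; rotation and connections do.
    if record.purpose != "tunnel" and not record.admin_credential:
        errors.append("Administrative Credential Record is required for rotation and connections")

    # Cloud-hosted machines need instance identifiers plus the provider's group or region.
    if record.provider in ("aws", "azure"):
        if not record.instance_name:
            errors.append("Instance Name is required for an AWS/Azure machine")
        if not record.instance_id:
            errors.append("Instance ID is required for an AWS/Azure machine")
        if record.provider == "azure" and not record.provider_group:
            errors.append("Provider Group is required for an Azure machine")
        if record.provider == "aws" and not record.provider_region:
            errors.append("Provider Region is required for an AWS machine")

    # Connection Parameters: the documentation recommends at least a Connection Port.
    if record.connection_port is None:
        hint = DOCUMENTED_CONNECTION_PORTS.get(record.protocol.upper())
        suffix = f" (e.g. {hint} for {record.protocol.upper()})" if hint else ""
        warnings.append(f"No Connection Port set in Connection Parameters{suffix}")

    return {"errors": errors, "warnings": warnings}


# Constructed sample records mirroring the two documented examples; placeholder
# values stand in for identifiers the documentation does not give.
AZURE_WINDOWS_VM = PamMachine(
    title="Windows VM", hostname="10.0.1.4", port=5986, protocol="RDP",
    pam_configuration="<azure-pam-configuration>", admin_credential="<windows-admin-pam-user>",
    operating_system="Windows", provider="azure", instance_name="webserver-prod-01",
    instance_id="<instance-id-placeholder>", provider_group="<resource-group-placeholder>",
    connection_port=3389,
)
LINUX_MACHINE = PamMachine(
    title="Linux Machine", hostname="linux-machine", port=22, protocol="SSH",
    pam_configuration="<local-pam-configuration>", admin_credential="<linux-admin-pam-user>",
    operating_system="linux", connection_port=22,
)

if __name__ == "__main__":
    for rec in (AZURE_WINDOWS_VM, LINUX_MACHINE):
        print(rec.title, validate(rec))
```

Run the file directly to see the verdict for both sample records; in practice you would build the PamMachine from whatever inventory source feeds your vault and only create the record when `errors` is empty. The port check is the one worth keeping even if you drop the rest: a Port the Gateway cannot map to SSH or WinRM leaves rotation silently non-functional, and the mapping lives in the PAM Configuration rather than on the machine record, so the two must be checked together.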