HiPAM Hitachi ID Privileged Access Manager
Posted on 2014-10-08
Hitachi is recommending that we not add HiPAM to the domain for the reasons noted below. However, I want to add HiPAM to the domain. Has anyone worked with HiPAM, and what do you suggest?
connecting HiPAM boxes to the domain, they pointed me to their documentation. Please see the excerpt below.
I am waiting for answers to some of our other questions.
220.127.116.11 Domain requirements
While Hitachi ID Privileged Access Manager servers are capable of operating as domain members, we
suggest you take the following into consideration:
• Security / limited accessibility:
If the Privileged Access Manager server is part of the domain, then other administrative users from
the domain (who may not be Privileged Access Manager administrators) can gain administrative logon
access to the server and can then access (encrypted) credentials for target systems other than the
A policy of segregation of duties suggests that it is preferable to eliminate the ability of administrators
of one system to access privileged accounts for another system and since Privileged Access Manager
houses such credentials, it makes sense to avoid domain membership.
• Windows credential conflicts:
To change/verify passwords on an Active Directory domain, Privileged Access Manager uses ADSI,
which may connect a named pipe to a share on a domain controller, such as the NETLOGON share.
If an administrative user logs into the Privileged Access Manager server console and makes a similar
connection but using his personal credentials (not those encoded into Privileged Access Manager),
then the Windows network provider may produce a credential conflict error. This can interrupt Privileged
Access Manager’s ability to manage user objects on the domain, for the duration of the interactive login.
If Privileged Access Manager is not a domain member, then the set of administrators who are able
to inadvertently cause this error condition is significantly reduced and so Privileged Access Manager
operation is more reliable (less prone to human-induced errors).
• Password randomization:
Credential problems can also occur if the Privileged Access Manager server is also a Domain Controller,
and Privileged Access Manager is used to manage the administrator account used to target
the system. When the administrator account has its password randomized, the target system administrator
credentials may not be updated.
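An added defender-side check for the three concerns in the excerpt (domain admins inheriting server admin, credential conflicts on SMB connections, and the server doubling as a domain controller). This is example code written here, not taken from the Hitachi documentation or the original post. It assumes an elevated PowerShell session on the Privileged Access Manager server itself, on Windows Server 2016 or later so that the LocalAccounts and SmbShare modules are available; the function name Get-PamDomainExposure is my own.

```powershell
# Added example: audit how exposed a PAM server is to the domain-membership issues
# described in the vendor excerpt. Not vendor code; assumes it runs elevated on the
# PAM server (Windows Server 2016+ for Get-LocalGroupMember and Get-SmbConnection).

function Get-PamDomainExposure {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDomainMember = [bool]$cs.PartOfDomain

    # Concern 1: who can log on to this host as an administrator.
    # On domain join, Windows adds the domain's Domain Admins group to the local
    # Administrators group, so every domain admin becomes an admin of the vault host.
    $admins = Get-LocalGroupMember -Group 'Administrators'
    $domainPrincipals = @($admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })

    # Concern 2: credential-conflict pre-condition. Windows refuses a second SMB
    # connection to the same server under a different credential, so more than one
    # distinct credential to one server from this host is the warning sign.
    $conflicts = @()
    try {
        $conflicts = @(Get-SmbConnection -ErrorAction Stop |
            Group-Object -Property ServerName |
            Where-Object {
                @($_.Group | Select-Object -ExpandProperty Credential -Unique).Count -gt 1
            } |
            ForEach-Object {
                [pscustomobject]@{
                    ServerName  = $_.Name
                    Credentials = (@($_.Group | Select-Object -ExpandProperty Credential -Unique) -join ', ')
                }
            })
    } catch {
        # Get-SmbConnection requires elevation; report no conflicts rather than abort the audit.
    }

    # Concern 3: the PAM server is itself a domain controller.
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDomainController = $cs.DomainRole -ge 4

    [pscustomobject]@{
        ComputerName           = $cs.Name
        Domain                 = $cs.Domain
        IsDomainMember         = $isDomainMember
        IsDomainController     = $isDomainController
        DomainAdminPrincipals  = @($domainPrincipals | ForEach-Object { $_.Name })
        SmbCredentialConflicts = $conflicts
    }
}

$report = Get-PamDomainExposure
$report | Format-List

if ($report.IsDomainMember) {
    Write-Warning ("Host is domain-joined: {0} domain principal(s) hold local Administrators membership." -f
        $report.DomainAdminPrincipals.Count)
}
if ($report.SmbCredentialConflicts.Count -gt 0) {
    Write-Warning "Multiple credentials in use against the same server; an interactive login may be blocking the vault's connection."
}
if ($report.IsDomainController) {
    Write-Warning "Host is a domain controller; randomizing the account the vault uses to reach it can lock the vault out."
}
```

Run it before and after the planned domain join: the `DomainAdminPrincipals` list shows concretely which domain identities would gain administrative logon to the vault, which is the segregation-of-duties point the excerpt makes, and the SMB conflict check gives you a way to confirm the credential-conflict scenario when password verification against the domain starts failing.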