Configuring Secret Server

The Delinea PAS can connect to your remote and on-premise Secret Server(s) so you can use Secret Server as the authoritative source for storing and managing credentials.

Connecting Delinea PAS to Secret Server enables you to:

  • See systems and accounts from one or more Secret Server vaults.

  • Periodically sync systems and accounts from Secret Server. The sync may also be performed on-demand.

    Passwords and SSH keys are not synced. They are retrieved from Secret Server when needed for login / checkout.

  • Map to Secret Server sites using System Resource Mappings. These optional mappings give the Delinea PAS the information needed to choose an appropriate connector, when establishing a connection to a target system.

  • Reach Secret Server directly for a SAAS Secret Server or via a connector for an on-premise Secret Server.

Syncing with Enabled Features

The following features are not currently supported for sync:

  • Secret Require Comment
  • Secret Double Lock
  • Secret Require Approval

The features above sync as follows:

  • If a Secret has the feature setting enabled, it will not be synced.
  • If the feature is enabled after a Secret was synced, the Secret will be deleted from the Vault during the next sync operation.

Other Secret security settings can be enabled or disabled, and do not impact the sync operation. For example:

  • Require Checkout
  • Session Recording
  • Hide Launcher Password

Syncing Secret Server Events

  • Secret Audit events are generated when a secret is synced or accessed from the Vault.

    For example, when a Secret is synced, the Secret’s audit will show an event for Secret View and / or password display operations.

  • You can set up event subscriptions from Secret Server to get email notifications for the events generated when a secret is synced from the Vault. For example, the user can setup an event subscription for the Password Displayed event on the Secret, then receive an email notification for the sync operation.

Handling Passwords During Sync

When a Secret is synced to the Vault, the password is not saved on the Account created. The password is accessed by the Vault each time it needs to be used. This enables the Secret Server Password Expiration to continue working.

If the secret synced to Vault expires, then password is changed in the Secret (i.e. by a Remote Password Change action), the next time that Vault needs to use the password, it will access the new password that was updated on the Secret.

To connect Delinea PAS to Secret Server:

See the Secret Server Best Practices for information about configuring Secret Server for integration with the Delinea PAS.
  1. Set Secret Server role permissions by enabling Delinea PAS administrators to add a vault.
  2. Add a Delinea PAS vault and register the Secret Server.
  3. For on-premise Secret Servers, deploy connector(s) that can reach the Secret Server.
  4. Depending on network topology, configure the necessary Secret Server Resource Connector Mappings.