Launching MMC snap-ins through PSM is a popular request. CyberArk does not have a clear and detailed guide that shows how to configure this. I did some research and found the following steps working for me.

Download and install AutoIT3 on PSM server

This step is quite straightforward.

If the application fails to launch from the PSM server, un-comment the following lines in C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml and then run PSMConfigureAppLocker.ps1. In my case the script completed successfully.

<Application Name="AutoIt3" Type="Exe" Path="C:\Program Files (x86)\AutoIt3\AutoIt3.exe" Method="Publisher" />
<Application Name="MMC" Type="Exe" Path="C:\Windows\System32\mmc.exe" Method="Hash" />
<Application Name="Notepad" Type="Exe" Path="C:\Windows\System32\notepad.exe" Method="Hash" />
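
To confirm which entries are actually active (and which are still inside XML comments) before re-running the hardening script, here is an added PowerShell example; it is not part of the original post or of CyberArk's tooling. The function name Get-PsmAppLockerEntry and the wrapper elements in the sample XML are assumptions.

```powershell
# Sample input constructed for this example; the wrapper element names are assumed.
$sample = @'
<PSMAppLockerConfiguration>
  <AllowedApplications>
    <Application Name="AutoIt3" Type="Exe" Path="C:\Program Files (x86)\AutoIt3\AutoIt3.exe" Method="Publisher" />
    <Application Name="MMC" Type="Exe" Path="C:\Windows\System32\mmc.exe" Method="Hash" />
    <!-- <Application Name="Notepad" Type="Exe" Path="C:\Windows\System32\notepad.exe" Method="Hash" /> -->
  </AllowedApplications>
</PSMAppLockerConfiguration>
'@

function Get-PsmAppLockerEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [string[]]$Required = @('AutoIt3', 'MMC')
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # Active rules are real elements; local-name() ignores any default namespace.
    $active = @($doc.SelectNodes("//*[local-name()='Application']"))
    # Rules that are still disabled live inside XML comment nodes.
    $commented = @($doc.SelectNodes('//comment()') | Where-Object { $_.Value -match '<Application\s' })

    foreach ($app in $active) {
        $path = $app.GetAttribute('Path')
        [pscustomobject]@{
            Name       = $app.GetAttribute('Name')
            Method     = $app.GetAttribute('Method')
            PathExists = [bool]$path -and (Test-Path -LiteralPath $path)
            # A Hash rule matches one exact build of the file, so it stops
            # matching once the binary is replaced (for example by patching).
            HashPinned = $app.GetAttribute('Method') -eq 'Hash'
            Path       = $path
        }
    }
    foreach ($name in $Required) {
        if (-not ($active | Where-Object { $_.GetAttribute('Name') -eq $name })) {
            $pattern = 'Name="' + [regex]::Escape($name) + '"'
            $isCommented = [bool]($commented | Where-Object { $_.Value -match $pattern })
            Write-Warning "Entry '$name' is not active (still commented out: $isCommented)"
        }
    }
}

Get-PsmAppLockerEntry -XmlText $sample | Format-Table -AutoSize
# On the PSM server, read the real file instead:
# Get-PsmAppLockerEntry -XmlText (Get-Content -Raw 'C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml')
```

A Publisher rule accepts any file signed by that publisher, while a Hash rule accepts only the exact file that was hashed, so the Method column is worth reviewing for every entry you enable.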

Create your own AutoIt3 script

Clone C:\Program Files (x86)\CyberArk\PSM\Components\PSMAutoItDispatcherSkeleton.au3 and rename your copy to PSMAutoItDispatcherMMC.au3.

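Change/add the following in PSMAutoItDispatcherMMC.au3. In the full script further down, the $CLIENT_EXECUTABLE and RunAs lines are placed inside Main(), after the "Get the dispatcher parameters" step, because $TargetPSMRemoteMachine has no value before the session properties are fetched: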

Global Const $DISPATCHER_NAME = "Microsoft ADUC" ; CHANGE_ME
Global Const $CLIENT_EXECUTABLE = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
Global $ConnectionClientPID = RunAs ($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE)

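Add the following to FetchSessionProperties():

Func FetchSessionProperties() ; CHANGE_ME
    ; (the existing Username, Password and Address lookups stay as they are)
    If (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    If (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf
EndFunc

The complete script with these changes: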

Opt("MustDeclareVars", 1)
AutoItSetOption("WinTitleMatchMode", 3) ; EXACT_MATCH!

;             PSM AutoIt Dispatcher Skeleton
;             ------------------------------
; Use this skeleton to create your own
; connection components integrated with the PSM.
; Areas you may want to modify are marked
; with the string "CHANGE_ME".
; Created : April 2013
; Cyber-Ark Software Ltd.
#include "PSMGenericClientWrapper.au3"

; Consts & Globals
Global Const $DISPATCHER_NAME         = "Microsoft Services" ; CHANGE_ME
;Global Const $CLIENT_EXECUTABLE                                 = 'mmc "C:\Windows\System32\services.msc"'
Global Const $ERROR_MESSAGE_TITLE          = "PSM " & $DISPATCHER_NAME & " Dispatcher error message"
Global Const $LOG_MESSAGE_PREFIX         = $DISPATCHER_NAME & " Dispatcher - "

Global $TargetUsername
Global $TargetPassword
Global $TargetAddress
Global $TargetLogonDomain
Global $TargetPSMRemoteMachine
;Global Const $CLIENT_EXECUTABLE         = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
Global $ConnectionClientPID = 0

; Code
Exit Main()

; Main
Func Main()

    ; Init PSM Dispatcher utils wrapper
    ToolTip("Initializing...")
    If (PSMGenericClient_Init() <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    LogWrite("successfully initialized Dispatcher Utils Wrapper")

    ; Get the dispatcher parameters
    FetchSessionProperties()

    ; Build the command line only now, when $TargetPSMRemoteMachine has a value
    Global Const $CLIENT_EXECUTABLE = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine

    ; Execute RunAs command to run mmc under the PSM Shadow User's profile, but pass the
    ; network credentials of the target (specified by the "2" logon type)
    $ConnectionClientPID = RunAs($TargetUsername, $TargetLogonDomain, $TargetPassword, 2, $CLIENT_EXECUTABLE, "", @SW_SHOWMAXIMIZED)

    LogWrite("mapping local drives")
    If (PSMGenericClient_MapTSDrives() <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    LogWrite("starting client application")
    ToolTip("Starting " & $DISPATCHER_NAME & "...")

    ; ------------------
    ; Handle login here! ; CHANGE_ME
    ; ------------------

    If ($ConnectionClientPID == 0) Then
        Error(StringFormat("Failed to execute process [%s]", $CLIENT_EXECUTABLE, @error))
    EndIf

    ; Send PID to PSM as early as possible so recording/monitoring can begin
    LogWrite("sending PID to PSM")
    If (PSMGenericClient_SendPID($ConnectionClientPID) <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    ; Terminate PSM Dispatcher utils wrapper
    LogWrite("Terminating Dispatcher Utils Wrapper")
    PSMGenericClient_Term()

    Return $PSM_ERROR_SUCCESS
EndFunc

; Functions
; #FUNCTION# ====================================================================================================================
; Name...........: Error
; Description ...: An exception handler - displays an error message and terminates the dispatcher
; Parameters ....: $ErrorMessage - Error message to display
;        $Code    - [Optional] Exit error code
; ===============================================================================================================================
Func Error($ErrorMessage, $Code = -1)

    ; If the dispatcher utils DLL was already initialized, write an error log message and terminate the wrapper
    If (PSMGenericClient_IsInitialized()) Then
        LogWrite($ErrorMessage, True)
        PSMGenericClient_Term()
    EndIf

    Local $MessageFlags = BitOr(0, 16, 262144) ; 0=OK button, 16=Stop-sign icon, 262144=MsgBox has top-most attribute set

    MsgBox($MessageFlags, $ERROR_MESSAGE_TITLE, $ErrorMessage)

    ; If the connection component was already invoked, terminate it
    If ($ConnectionClientPID <> 0) Then
        ProcessClose($ConnectionClientPID)
        $ConnectionClientPID = 0
    EndIf

    Exit $Code
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: LogWrite
; Description ...: Write a PSMWinSCPDispatcher log message to standard PSM log file
; Parameters ....: $sMessage - [IN] The message to write
;                  $LogLevel - [Optional] [IN] Defined if the message should be handled as an error message or as a trace message
; Return values .: $PSM_ERROR_SUCCESS - Success, otherwise error - Use PSMGenericClient_PSMGetLastErrorString for details.
; ===============================================================================================================================
Func LogWrite($sMessage, $LogLevel = $LOG_LEVEL_TRACE)
    Return PSMGenericClient_LogWrite($LOG_MESSAGE_PREFIX & $sMessage, $LogLevel)
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: PSMGenericClient_GetSessionProperty
; Description ...: Fetches properties required for the session
; Parameters ....: None
; Return values .: None
; ===============================================================================================================================
Func FetchSessionProperties() ; CHANGE_ME
    If (PSMGenericClient_GetSessionProperty("Username", $TargetUsername) <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    If (PSMGenericClient_GetSessionProperty("Password", $TargetPassword) <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    If (PSMGenericClient_GetSessionProperty("Address", $TargetAddress) <> $PSM_ERROR_SUCCESS) Then
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    If (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf

    If (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then ; Added CWA
        Error(PSMGenericClient_PSMGetLastErrorString())
    EndIf
EndFunc


Create a new connection component

Go to Administration > Options > Connection components.
Create a new PSM connection component by cloning "PSM-VNCClientSample", then set the following options on the customized component:

ClientDispatcher: "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "{PSMComponentsFolder}\PSMservices.au3" "{PSMComponentsFolder}" (the .au3 file name must match the script you saved in the PSM Components folder)

LockApplicationWindow > MainWindowClass: set to empty, replacing vncviewer

Assign this new PSM connection component to Platform

Set the new component name in the platform so that it appears in the drop-down list. Do not forget to add the new Override User Parameters by copying and pasting them from PSM-RDP.

Create an account to test

You might run into different kinds of error messages, but if you check the configuration and the logs, you should be fine.
When I run it through CyberArk it gives me the following error: Failed to execute process [mmc "D:\Applications\services.msc"]
The following application events are logged on the PSM server:
The Windows logon process has failed to spawn a user application. Application name: sethc.exe. Command line parameters: sethc.exe 11.
PSMSR864E [77e07d4c-d841-4e40-83a3-12cd16f971c9] A failure occurred while waiting for the PSMMessageAlert to end. Extra Details: 3. Reason: PSMSR282E One of the session components has failed and therefore the session will be closed.
For further assistance, contact your system administrator.
More info: Process [Client dispatcher] has failed. Session [77e07d4c-d841-4e40-83a3-12cd16f971c9].
PSMSR126E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Failure occurred while handling session. PSMSR605E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Error occurred while waiting for the dispatcher to communicate (Error details: [PSMSR606E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Timeout occurred while waiting for a specific component to end]) (Codes: -1, -1)
PSMGenericCLientWrapper error: Failed to get dispatcher parameters
(error: DLL function GetsessionPropertyBufferLength failed(0))


By Jon
