It is popular request to launch MMC snap-ins through PSM. CyberArk does not have a clear and detailed guide to show how to configure this. I did some research and found following steps working for me.

Download and install AutoIT3 on PSM server

This step is quite straighforward.

You might get an issue to launch an application, in this case, from PSM server, un-comment following lines in C:\Program Files (x86)\CyberArk\PSM\Hardening\PSMConfigureAppLocker.xml and executed PSMConfigureAppLocker.ps1 afterwards which completed successfully.

<Application Name=”AutoIt3″ Type=”Exe” Path=”C:\Program Files (x86)\AutoIt3\AutoIt3.exe” Method=”Publisher” />
<Application Name=”MMC” Type=”Exe” Path=”C:\Windows\System32\mmc.exe” Method=”Hash” /><Application Name=”Notepad” Type=”Exe” Path=”C:\Windows\System32\notepad.exe” Method=”Hash” />

Create your own AutoIt3 script

Cloned C:\Program Files (x86)\CyberArk\PSM\Components\PSMAutoItDispatcherSkeleton.au3, and rename your copy as PSMAutoItDispatcherMMC.au3

Chang/add following in PSMAutoItDispatcherMMC.au3:

Global Const $DISPATCHER_NAME = “Microsoft ADUC” ; CHANGE_ME
Global Const $CLIENT_EXECUTABLE = ‘mmc “c:\windows\system32\services.msc” -a /computer=’ & $TargetPSMRemoteMachine
Global $ConnectionClientPID = RunAs ($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE)

add following:

Func FetchSessionProperties() ; CHANGE_ME

if (PSMGenericClient_GetSessionProperty(“LogonDomain”, $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then ;Added CWA
Error(PSMGenericClient_PSMGetLastErrorString())
EndIf

if (PSMGenericClient_GetSessionProperty(“PSMRemoteMachine”, $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then ;Added CWA
Error(PSMGenericClient_PSMGetLastErrorString())
EndIf

#AutoIt3Wrapper_UseX64=n
Opt("MustDeclareVars", 1)
AutoItSetOption("WinTitleMatchMode", 3) ; EXACT_MATCH!
AutoItSetOption("WinDetectHiddenText",1)

;============================================================
;             PSM AutoIt Dispatcher Skeleton
;             ------------------------------
;
; Use this skeleton to create your own
; connection components integrated with the PSM.
; Areas you may want to modify are marked
; with the string "CHANGE_ME".
;
; Created : April 2013
; Cyber-Ark Software Ltd.
;============================================================
#include "PSMGenericClientWrapper.au3"

;=======================================
; Consts & Globals
;=======================================
Global Const $DISPATCHER_NAME         = "Microsoft Services" ; CHANGE_ME
;Global Const $CLIENT_EXECUTABLE                                 = 'mmc "C:\Windows\System32\services.msc"'
Global Const $ERROR_MESSAGE_TITLE          = "PSM " & $DISPATCHER_NAME & " Dispatcher error message"
Global Const $LOG_MESSAGE_PREFIX         = $DISPATCHER_NAME & " Dispatcher - "

Global $TargetUsername
Global $TargetPassword
Global $TargetAddress
Global $TargetLogonDomain
Global $TargetPSMRemoteMachine
;Global Const $CLIENT_EXECUTABLE         = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
Global $ConnectionClientPID = 0

;=======================================
; Code
;=======================================
Exit Main()

;=======================================
; Main
;=======================================
Func Main()

 ; Init PSM Dispatcher utils wrapper
 ToolTip ("Initializing...")
 if (PSMGenericClient_Init() <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 LogWrite("successfully initialized Dispatcher Utils Wrapper")

 ; Get the dispatcher parameters
 FetchSessionProperties()
Global Const $CLIENT_EXECUTABLE         = 'mmc "c:\windows\system32\services.msc" -a /computer=' & $TargetPSMRemoteMachine
$ConnectionClientPID = RunAs($TargetUsername,$TargetLogonDomain,$TargetPassword,2,$CLIENT_EXECUTABLE,"",@SW_SHOWMAXIMIZED)
 LogWrite("mapping local drives")
 if (PSMGenericClient_MapTSDrives() <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 LogWrite("starting client application")
 ToolTip ("Starting " & $DISPATCHER_NAME & "...")

 ; ------------------
 ; Handle login here! ; CHANGE_ME
 ; ------------------

 ; Execute RunAs command to run ssms under the PSM Shdaow User's profile, but pass the network credentials of
    ; the target (specified by the "2" logon type)

 if ($ConnectionClientPID == 0) Then
  Error(StringFormat("Failed to execute process [%s]", $CLIENT_EXECUTABLE, @error))
 EndIf

 ; Send PID to PSM as early as possible so recording/monitoring can begin
  LogWrite("sending PID to PSM")
  if (PSMGenericClient_SendPID($ConnectionClientPID) <> $PSM_ERROR_SUCCESS) Then
   Error(PSMGenericClient_PSMGetLastErrorString())
  EndIf

 ; Terminate PSM Dispatcher utils wrapper
 LogWrite("Terminating Dispatcher Utils Wrapper")
 PSMGenericClient_Term()

 Return $PSM_ERROR_SUCCESS
EndFunc

;==================================
; Functions
;==================================
; #FUNCTION# ====================================================================================================================
; Name...........: Error
; Description ...: An exception handler - displays an error message and terminates the dispatcher
; Parameters ....: $ErrorMessage - Error message to display
;        $Code    - [Optional] Exit error code
; ===============================================================================================================================
Func Error($ErrorMessage, $Code = -1)

 ; If the dispatcher utils DLL was already initialized, write an error log message and terminate the wrapper
 if (PSMGenericClient_IsInitialized()) Then
  LogWrite($ErrorMessage, True)
  PSMGenericClient_Term()
 EndIf

 Local $MessageFlags = BitOr(0, 16, 262144) ; 0=OK button, 16=Stop-sign icon, 262144=MsgBox has top-most attribute set

 MsgBox($MessageFlags, $ERROR_MESSAGE_TITLE, $ErrorMessage)

 ; If the connection component was already invoked, terminate it
 if ($ConnectionClientPID <> 0) Then
  ProcessClose($ConnectionClientPID)
  $ConnectionClientPID = 0
 EndIf

 Exit $Code
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: LogWrite
; Description ...: Write a PSMWinSCPDispatcher log message to standard PSM log file
; Parameters ....: $sMessage - [IN] The message to write
;                  $LogLevel - [Optional] [IN] Defined if the message should be handled as an error message or as a trace messge
; Return values .: $PSM_ERROR_SUCCESS - Success, otherwise error - Use PSMGenericClient_PSMGetLastErrorString for details.
; ===============================================================================================================================
Func LogWrite($sMessage, $LogLevel = $LOG_LEVEL_TRACE)
 Return PSMGenericClient_LogWrite($LOG_MESSAGE_PREFIX & $sMessage, $LogLevel)
EndFunc

; #FUNCTION# ====================================================================================================================
; Name...........: PSMGenericClient_GetSessionProperty
; Description ...: Fetches properties required for the session
; Parameters ....: None
; Return values .: None
; ===============================================================================================================================
Func FetchSessionProperties() ; CHANGE_ME
 if (PSMGenericClient_GetSessionProperty("Username", $TargetUsername) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("Password", $TargetPassword) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("Address", $TargetAddress) <> $PSM_ERROR_SUCCESS) Then
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("LogonDomain", $TargetLogonDomain) <> $PSM_ERROR_SUCCESS) Then  ;Added CWA
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

 if (PSMGenericClient_GetSessionProperty("PSMRemoteMachine", $TargetPSMRemoteMachine) <> $PSM_ERROR_SUCCESS) Then  ;Added CWA
  Error(PSMGenericClient_PSMGetLastErrorString())
 EndIf

EndFunc


Create a new connection component

From Administration > Options > Connection components
Create a new PSM Connection Component by Cloned “PSM-VNCClientSample” to create an customized component and set the following options:

ClientDispatcher: “C:\Program Files (x86)\AutoIt3\AutoIt3.exe” “{PSMComponentsFolder}\PSMservices.au3” “{PSMComponentsFolder}”

LockApplicationWindow > MainWindowClass: Set to empty to replace vncviewer


Assign this new PSM connection component to Platform

Set the new component name in platform so that it could appear in drop list list. Do not forgot to add new Override User Parameters by copying/pasting from PSM-RDP. 




Create an account to test

You might meet different kinds of message, but check the configuration and logs , you should be fine. 
When I run it through CyberArk it gives me following error: Failed to execute process [mmc “D:\Applications\services.msc”]
PSMSR605E
PSMSR606E
Following application events are logged on PSM server:
The Windows logon process has failed to spawn a user application. Application name: sethc.exe. Command line parameters: sethc.exe 11.
PSMSR864E [77e07d4c-d841-4e40-83a3-12cd16f971c9] A failure occurred while waiting for the PSMMessageAlert to end. Extra Details: 3. Reason: PSMSR282E One of the session components has failed and therefore the session will be closed.
For further assistance, contact your system administrator.
More info: Process [Client dispatcher] has failed. Session [77e07d4c-d841-4e40-83a3-12cd16f971c9].
PSMSR126E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Failure occurred while handling session. PSMSR605E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Error occurred while waiting for the dispatcher to communicate (Error details: [PSMSR606E [77e07d4c-d841-4e40-83a3-12cd16f971c9] Timeout occurred while waiting for a specific component to end]) (Codes: -1, -1)
PSMGenericCLientWrapper error: Failed to get dispatcher parameters
(error: DLL function GetsessionPropertyBufferLength failed(0))

References

By Jon

Leave a Reply