Overview

Netwrix Privilege Secure includes a built-in vault for credential management, but it can also integrate with Netwrix Password Secure vault.

This integration brings together two Netwrix products to deliver true centralized privileged credential management, enabling organizations to perform activities as a specific user—fully secured and managed within Netwrix Privilege Secure and Netwrix Password Secure.​

Description

This guide explains how to configure Netwrix Privilege Secure (NPS) integration with Password Secure vault, enabling you to perform activities as a specific user with credentials managed in Password Secure.

Password Secure Configuration

Prerequisites

Before you begin configuring the integration, you must have a working Password Secure server and Web Application set up.
Password Secure should be installed on a separate server from NPS and properly configured prior to integration. It also requires its own database to store credentials.

Follow the instructions in the official documentation to install and configure the Password Secure server (installation guide) and to start the Web Application (web application guide).

Once the server and web application are installed and configured, continue with the steps below.

Generate an API Key

This API key enables NPS to connect to the Password Secure vault.

Step 1 - Log in to Password Secure as an administrator.

Step 2 - Navigate to Tools → API Keys.

1508×467 34.7 KB

1506×706 30.6 KB

Step 3 - Click Create a new API key.

1509×317 19.7 KB

Step 4 - Fill out the form:

• Name: (e.g., “NPS Integration”)
• Expires: Set a validity period (e.g., one year)
• Access Rights: Read
• Access Scopes: Select “Password”

1507×761 36.9 KB

Step 5 - Click Next to generate the API token and copy it to a secure location (you’ll use this in the NPS configuration).

1506×527 38.4 KB

Create a New Password (AD User Template)

Note: In production environments, you will typically use existing users.

If you already have users created with the AD User template, you can skip this step.

The AD User template is the standard/default form required for NPS ↔ Password Secure integration.

Step 1 - Go to Passwords → New Item.

Step 2 - Select Item Type = AD User.

1506×756 40.3 KB

Step 3 - Fill out the New AD User Password form:

• Description: Short description of the password/user
• Domain: Your AD domain
• Username: (e.g., “administrator”)
• Password: (strong password)

1504×753 35.8 KB

Step 4 - Save the password entry.

NPS Configuration

Add a Service Account with the Password Secure API Key

Step 1 - Log in to the Netwrix Privilege Secure admin console.

Step 2 - Go to Configuration > Service Accounts.

Step 3 - Add a new Service Account, using the API key generated in Password Secure:

• Name: (e.g., “NPS Password”)
• Username: (e.g., “NPS” or any identifier)
• Password: Paste the Password Secure API key here.

1528×527 48 KB

Step 4 - Save the Service Account.

Configure the Password Secure Vault Connector in NPS

Step 1 - In the admin console, navigate to Configuration > Integration Connectors.

Step 2 - Click the Add Integration Connector icon.

Step 3 - Fill in the connector details:

• Connector Name: (e.g., “NPS Password”)
• Connector Description: (optional)
• Connector Template: Select Password Secure from the drop-down.
• API URL: Enter the base URL for Password Secure’s API (e.g., https://your-ps-server/api/)
• Service Account: Select the service account you set up earlier (e.g., “NPS Password”)
• Advanced: Check “Skip Certificate Check”.

1523×600 42.4 KB

Step 4 - Click Save to create the connector.

Create an Activity

Step 1 – Navigate to Policy tab > Activities.

Step 2 – Click the blue plus icon to create a new activity using the Password Secure connector.

Step 3 – Configure the activity:

• Name: Activity name
• Description: Activity description
• Platform: — Type of platform, which defines the resource
• Login Account — The account used to log onto the resource. Select “Vault” from the drop-down
• Activity Type — Controls the type of actions for the activity. Select Interactive from the drop down menu.
• Vault Connector — Displays a list of previously configured vault connectors. Select the Password Secure connector you just created.

1511×661 51.1 KB

Step 4 - Click Save to create the Activity.

Configure a New Policy

Step 1 – Navigate to the Policy tab > Access Policy.

Step 2 – Click the Plus icon and create a new Policy. See the Add Access Policy topic for additional information.

Step 3 - Set the Type as Resource Based and select a Connection Profile, with Default being sufficient for most setups.

Step 4 – Click Save to create the Access Policy.

Step 5 – Once the Access Policy is created, add the following:

• Users: Assign users to the policy. See the Users Tab for Resource Based Access Policies topic for additional information.

1526×542 39.3 KB

• Activity: Add the activity you created for the Password Secure connector. See the Activities Tab for Resource Based Access Policies topic for additional information.

1527×647 47.4 KB

• Resources: Add resources for this Activity. See the Resources Tab for Resource Based Access Policies topic for additional information.

1525×544 34.3 KB

After completing these steps, you can use the specified user accounts on the defined resources.

This setup is ideal for scenarios where a single account is used across multiple resources but needs to be managed securely with credentials stored in Password Secure.

1528×374 21.3 KB

System Diagram: Vault Login Activity with Password Secure Integration

When a vault login-type activity is initiated and the selected vault is of type PasswordSecure, the following process occurs:

1. Action Service triggers the start of the activity.
2. The Action Service Worker takes over and initiates a credential checkout request.
3. The VaultConnector PasswordSecure module receives the request and calls the appropriate cmdlet (Get-VaultCredential).
4. The cmdlet logs in to Password Secure using the configured API Key.
5. The module searches for the specified Domain\User in Password Secure.
6. If the user’s password is found, the credential is returned to the requester.
7. If the user’s password is not found, a null value is returned.

817×1013 30.5 KB

Important Notes

• Always verify configurations and permissions, especially when integrating with systems like AD and using specific user accounts for critical operations.

SDK Compatibility and Updates

• The integration uses a Password Secure SDK DLL files and the Password Secure API for communication.
• The DLLs shipped with NPS is compatible with Password Secure versions 9.2.0 and above
• If you need to use a newer version of Password Secure, manually replace (“hot-swap”) the DLLs in:
  C:\Program Files\Stealthbits\PAM\ActionServiceWorker\PsrApi
• Updated DLLs will be included in new NPS product releases, but for immediate compatibility with the latest Password Secure releases, manual updates may be required. The SDK can be downloaded from the Password Secure Customer Information System.

Hello @Tomasz_Malik ,

I was trying integration in my lab environment but I get the following error: “Error Logging in Password Secure: Exception calling “GetResult” with “0” argument(s): “No connection could be made because the target machine actively refused it. (npsserver:443)”“, followed by information message “ Getting password for from https://npsserver/api “ and session deprovisions suddendly. Consider that there aren’t firewall restrictions at all.

My Password Secure version is 9.2.3.32988, should I update SDK into NPS? Where can I access to Password Secure Customer Information System in order to download latest version? I was trying to look also to documentation linked into helpcenter (Netwrix Documentation) but this URL https://help.passwordsafe.de/api/v9/ is not available.

Thank you in advance for your help!

Regards, Veronica

Hi Veronica,

Thank you for reaching out and for the detailed description. Based on the error, the issue is most likely related to the Password Secure Web Application / API not being reachable by NPS. Here are the checks we recommend:

1. Verify Password Secure Web Application

   • Make sure the Web Application is installed and running correctly.

   • You should be able to open https://localhost:443 on the Password Secure server and see the web interface.

   • In your case this would be https://npsserver:443.

   • Installation guide: Password Secure Web Application installation.

   • Based on the URL you shared, it looks like you may be running NPS-AM and Password Secure on the same machine. In that scenario, hostname resolution is critical — if the system doesn’t properly resolve npsserver, the connection will fail unless you use localhost or the IP address.

2. Check API Availability

   • If the web interface works, the API should also be reachable at:
     https://localhost/api. In your case this would be https://npsserver/api

   • In your case, NPS is trying to connect to https://npsserver/api. If hostname resolution fails, try using the direct IP address in the NPS-AM connector (e.g. https://<ip_address>/api).

3. Version Compatibility

   • Password Secure version 9.2.3.32988 is supported and works with NPS integration. You do not need to manually update SDK or DLL libraries.

4. Configuration

   • Please double-check the BYOV integration configuration steps in NPS-AM.

5. Customer Portal

   • To access downloads and updates, please log into the Netwrix Customer Portal here:
     https://www.netwrix.com/my_products.html

6. API Documentation Link

   • The URL you mentioned (https://help.passwordsafe.de/api/v9/) is indeed not available. In your case it’s not needed, since the Password Secure Web Application itself provides the API, and NPS-AM already includes the necessary libraries to connect with version 9.2.3.32988.

   • I’ve reported the broken link to the Password Secure documentation team. Thank you for pointing this out.

Best regards,
Tomasz

Hello Tomasz,

Privilege and Password servers are different. I have changed API url because I do not work on default 443 port but on 5443 instead. Now error is changed into “Error Logging in Password Secure: Exception calling “GetResult” with “0” argument(s): “Trying to Authenticate with AuthenticationUserKeySignatureCredential but currently another Requirement is required”“, anyway on Web Service logs all API calls seem to be completed properly. Is better if I open a ticket?

Regards, Veronica

Veronica,

So just to confirm — in your NPS-AM Configuration > Integration Connectors, under the API URL field, you have set it as:
https://npsserver:5443/api (Password Secure API URL)

This looks like a non-standard configuration — using a custom port for the Password Secure API. On the other hand, as you mentioned, the logs do show communication. I will try to configure these ports in my lab to check, but I recommend opening a support ticket so the team can review this in detail:
https://www.netwrix.com/sign_in.html?rf=tickets.html#/open-a-ticket

Regards,
Tomasz

Hello Tomasz,

I would like to let you know that now that I have updated NPS to version 25.9.3002.0 integration with Netwrix Password Secure is working properly also on the custom port!

Regards,

Veronica

Hi Veronica,

Thank you very much for the update, for testing, and for your contribution to our community!

Regards,
Tomasz