Use cases for Application user and task automation

Hi,

I’m currently reviewing the available resources, but I haven’t been able to find a concrete implementation scenario that explains how to authenticate to NPS server using an application account (API key + client certificate) and then start an activity session programmatically.

Typical use cases would be starting a service, performing db maintenance and running scheduled or non-interactive privileged tasks. I’ve reviewed the API doc on GitHub, the SbPAMAPI PowerShell module and the Netwrix Auditor integration documentation. However, I haven’t found a clear description or examples.

Has anyone implemented this in a real-world scenario and would be willing to share the purpose of the integration, a working PowerShell example (or REST call) and any best practices or pitfalls to be aware of?

Thanks in advance.

Regards,
Benjamin

Hi Benjamin,

I’m happy to offer some guidance here.

This example is for a localhost NPS URL, so I’m running the script directly on the NPS server I’m targeting. However, you can remotely run scripts against NPS as long as the certificate for the workflow matches the URL used to access NPS.

NOTE: I’ve already installed SbPAMPowershellModules.msi from the NPS download’s Extras folder.

Please read through this and let me know if it helps. I know the example is a very basic workflow, so I’m happy to explore how to achieve more complex goals using other endpoints. Just let me know!

Create the Self-Signed Certificate

Use PowerShell to create a new self-signed certificate. This example creates a certificate named AppUserNPS in the Current User → My certificate store.

New-SelfSignedCertificate -Subject "AppUserNPS" -CertStoreLocation "Cert:\CurrentUser\My"

Note: In a production environment, the certificate should be signed by a Certificate Authority (CA). Ensure the certificate is trusted by IIS by adding the CA trusted root certificate to the Trusted Root Certification Authorities on the NPS server.

Exporting the Certificate

When exporting the certificate from Current User → Personal (My):

✓ Include the private key
✓ Include all extended properties
✓ Protect the PFX with a password

These settings ensure the certificate can be imported and used for authentication.

Importing the Certificate into Local Machine Trusted Root

When importing the PFX:

✓ Import into Local Machine → Trusted Root Certification Authorities
✓ Enable “Mark this key as exportable”

This allows services running under local machine context to trust and use the certificate.

Create an App User in NPS

Reference: Add Application | Netwrix Product Documentation

Locate the serial number of the cert created during this workflow, and use that when creating an app user in NPS:

Warning: This app user must be granted the Administrators role in NPS.

Example Script

Now you’re ready to actually script something against the NPS API. Let’s start with a simple example that gets the current NPS version:

# YOUR NPS SERVER URL (MUST MATCH CERTIFICATE)
$npsUri = "https://localhost:6500"

# YOUR NPS APP USER'S NAME IN NPS (MUST HAVE ADMIN ROLE)
$appUser = "nps_app"

# THUMBPRINT FOR CERT USED IN NPS APP USER REGISTRATION
$thumb = "<cert_thumb>"

# APP USER'S KEY FROM NPS
$appKey = "<app_user_api_key>"

$appCred = New-Object System.Management.Automation.PSCredential ($appUser, (ConvertTo-SecureString $appKey -AsPlainText -Force))
$appCert = (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb })

Import-Module SbPAMAPI -Force

# FUNCTION: Token renewal
function Get-RenewToken {
    param(
        [Parameter(Mandatory)]
        [string]$token,
        [Parameter(Mandatory)]
        [string]$npsUri
    )
    
    $tokenObj = Convert-SbPAMToken $token
    $expiration = Get-Date -UnixTimeSeconds $tokenObj.exp
    if ($expiration -lt (Get-Date).AddMinutes(7)) {
        Write-Host "$(Get-Date) Refreshing token"
        $token = Invoke-SbPAMRest -Uri "$($npsUri)/api/v1/UserToken" -Token $token -ErrorAction Stop -SkipCertificateCheck
    }
    return $token
}

# Get app user token
$global:token = Get-SbPAMAppUserToken -Certificate $appCert -Credentials $appCred -Uri $npsUri

# Create web session
$webSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession

# API call
$global:token = Get-RenewToken -token $global:token -npsUri $npsUri
$result = Invoke-SbPAMRest -Uri "$($npsUri)/api/v1/Version" -Token $global:token -ErrorAction Stop -SkipCertificateCheck

Write-Host "Privilege Secure for Access Management Version: $($result)"

Result

[Screenshot of the script output showing the NPS version]


Hi Dan,

Thanks, this is exactly what I was looking for.
Could you please add the call in order to start an activity?

Regards,
Benjamin


You can find the API endpoints and parameters here. The endpoint you are looking for is

/api/v1/ActivitySession

I’m glad you also asked about this, because the flow around the application users was also a mystery to me, and Dan’s post is the first code example I’ve seen of how to authenticate with the API key. I will note that depending on the specifics of your use case, I might suggest using a task automation within Netwrix to perform your DB maintenance instead. This would require you to create a custom activity step, but would more easily allow access to credentials required for the action. I’ve worked a lot with both the API and the custom activities, so if you have any questions, feel free to reach out. Best of luck!

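Pulling the two answers together, here is an added example of a non-interactive run of the whole flow: Dan's certificate-plus-API-key authentication and token renewal, followed by a call to the /api/v1/ActivitySession endpoint named in the last reply. It is not Dan's code and not part of the SbPAMAPI module or the Netwrix API documentation. It reuses only the cmdlets that appear in Dan's script (Get-SbPAMAppUserToken, Convert-SbPAMToken, Invoke-SbPAMRest), assumes PowerShell 7+, replaces the API key literal with a DPAPI-protected credential file, fails closed if the certificate is missing, expired or has no private key, and drops -SkipCertificateCheck so that a TLS validation failure stops the job. Everything about the ActivitySession request other than the path is an assumption or placeholder: the bearer-token header, the body field names, the $ActivityId value, the nps.example.internal host and the NpsAutomation file path.

```powershell
# Added example, not from Dan's post, the SbPAMAPI module or Netwrix docs.
# Assumes PowerShell 7+ and the SbPAMAPI cmdlets used in the thread. The bearer
# header and the ActivitySession body fields are ASSUMPTIONS; take the real
# parameter names from the API doc for /api/v1/ActivitySession.
[CmdletBinding()]
param(
    [string]$NpsUri     = 'https://nps.example.internal:6500',   # must match the cert's subject/SAN
    [string]$Thumbprint = '<cert_thumb>',                        # cert registered on the NPS app user
    [string]$KeyFile    = "$env:ProgramData\NpsAutomation\nps_app.cred.xml",   # hypothetical path
    [string]$ActivityId = '<activity-guid>'                      # PLACEHOLDER
)

Import-Module SbPAMAPI -ErrorAction Stop

# 1. API key: never a literal in the script. Create the file once, logged on as
#    the account that will run the scheduled task:
#      Get-Credential -UserName nps_app -Message 'NPS app key' | Export-Clixml $KeyFile
#    Export-Clixml wraps the SecureString with DPAPI, so only that account on
#    that host can read it back; the NPS app user name comes from the file too.
if (-not (Test-Path -Path $KeyFile)) {
    throw "Credential file '$KeyFile' not found; create it with Export-Clixml"
}
$appCred = Import-Clixml -Path $KeyFile

# 2. Certificate: locate it by thumbprint and fail closed on anything unusable.
#    Dan's walkthrough imported the PFX into LocalMachine\Root; LocalMachine\My
#    is the usual home for a key the service account owns, so both are searched.
$appCert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $appCert)                    { throw "No certificate with thumbprint $Thumbprint" }
if (-not $appCert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key" }
if ($appCert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($appCert.NotAfter)" }

# 3. Token handling: the same renewal rule as Dan's Get-RenewToken, but without
#    -SkipCertificateCheck. With the CA root in Trusted Root, TLS validation
#    should pass, and a failure there is worth stopping on rather than masking.
function Get-ValidToken {
    param(
        [Parameter(Mandatory)] [string]$Token,
        [Parameter(Mandatory)] [string]$Uri,
        [int]$RenewWindowMinutes = 7
    )
    $claims     = Convert-SbPAMToken $Token
    $expiration = Get-Date -UnixTimeSeconds $claims.exp
    if ($expiration -lt (Get-Date).AddMinutes($RenewWindowMinutes)) {
        Write-Verbose "Token expires at $expiration; renewing"
        $Token = Invoke-SbPAMRest -Uri "$Uri/api/v1/UserToken" -Token $Token -ErrorAction Stop
    }
    return $Token
}

# 4. Start an activity session via the endpoint named in the thread. The token is
#    sent as a bearer header (ASSUMPTION) and the client certificate is presented
#    on the TLS connection, so both factors travel with the request.
function Start-NpsActivitySession {
    param(
        [Parameter(Mandatory)] [string]$Uri,
        [Parameter(Mandatory)] [string]$Token,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)] [hashtable]$Request
    )
    $headers = @{ Authorization = "Bearer $Token" }   # ASSUMPTION: header format; check the API doc
    Invoke-RestMethod -Method Post -Uri "$Uri/api/v1/ActivitySession" `
        -Headers $headers -Certificate $Certificate `
        -ContentType 'application/json' -Body ($Request | ConvertTo-Json -Depth 5) `
        -ErrorAction Stop
}

try {
    $token = Get-SbPAMAppUserToken -Certificate $appCert -Credentials $appCred -Uri $NpsUri
    $token = Get-ValidToken -Token $token -Uri $NpsUri

    $version = Invoke-SbPAMRest -Uri "$NpsUri/api/v1/Version" -Token $token -ErrorAction Stop
    Write-Verbose "Connected to NPS version $version as $($appCred.UserName)"

    # Renew again right before the privileged call, then start the session.
    # Body field names below are PLACEHOLDERS; the real list is in the API doc.
    $token   = Get-ValidToken -Token $token -Uri $NpsUri
    $session = Start-NpsActivitySession -Uri $NpsUri -Token $token -Certificate $appCert -Request @{
        activityId = $ActivityId                                     # PLACEHOLDER
        comment    = "Scheduled maintenance $(Get-Date -Format o)"   # PLACEHOLDER
    }
    Write-Output $session
}
catch {
    Write-Error "NPS automation failed: $($_.Exception.Message)"
    exit 1   # non-zero so Task Scheduler or the job runner records the failure
}
```

Run it as `pwsh -File .\Start-NpsSession.ps1 -Verbose` under the same account that created the credential file, since DPAPI binds that file to the user and machine. Keeping the app user's key out of the script body, pinning the certificate lookup to a thumbprint, and refusing to skip TLS validation are the three pitfalls Benjamin asked about that Dan's minimal example deliberately glosses over; the non-zero exit on failure is what lets a scheduler alert on a token or certificate problem instead of silently running with stale state.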