How to provision JIT local Windows accounts with Kerberos via Ansible


This document provides instructions on how to configure support for Just-in-Time (JIT) accounts using the Executions module and PAM Core. This process allows an ephemeral local account to be created via Ansible using Kerberos authentication, and automatically removed after the session ends.

When configured in Credential creation and deletion mode, multiple users can use the same credential simultaneously. In this case, each user receives their own independent ephemeral account, with no shared state between sessions.

Requirements

  • Permission to create new credentials in the Segura® Platform.
  • Windows target devices joined to a domain.
  • A domain credential that is allowed to create and delete local users on the target devices; this credential authenticates the creation and deletion operations.

Step 1: Create automation templates

You will need two distinct templates in the Executions module to manage the account lifecycle.

Creation template

  1. In the Segura® Platform, in the navigation bar, hover over the Products menu and select Executions.
  2. In the side menu, select Template control > Templates.
  3. Click Add and complete the following fields:
    1. Name*: enter the template name (e.g., Windows JIT Kerberos - Create).
    2. Status: keep enabled to activate the template.
    3. Executor: select Ansible.
    4. Execution type: select New user.
    5. Playbook: select Windows Kerberos create local user.
    6. Inventory: select Windows-PSRP-Kerberos.
  4. Click Save.
Info

If your environment uses the Network Connector to reach the target device, select the SNC Windows Kerberos create local user playbook and the SNC-Windows-PSRP-Kerberos inventory.

Deletion template

  1. Still on the Templates screen, click Add to create the deletion template and complete the following fields:
    1. Name*: enter the template name (e.g., Windows JIT Kerberos - Delete).
    2. Status: keep enabled to activate the template.
    3. Executor: select Ansible.
    4. Execution type: select User delete.
    5. Playbook: select Windows Kerberos delete local user.
    6. Inventory: select Windows-PSRP-Kerberos.
  2. Click Save.
Info

As before, if your environment uses the Network Connector to reach the target device, select the SNC Windows Kerberos delete local user playbook and the SNC-Windows-PSRP-Kerberos inventory.

Step 2: Configure authentication and JIT in PAM Core

  1. In the Segura® Platform, in the navigation bar, hover over the Products menu and select PAM Core.
  2. In the side menu, select Credentials > All credentials.
  3. In the upper-right corner, click Add.
  4. On the Credential registration screen, access the Information tab and complete the following fields:
    1. Username: enter the username (e.g., jit-kerberos-windows).
    2. Password type: select Local User.
    3. Device: select the device where the account will be created.
    4. Domain: select the domain. The value must be written entirely in uppercase letters, because it is used as the Kerberos realm name and realm names are case-sensitive.
    5. Additional Information: enter the KDC hostname as JSON, in the format {"KDC": "hostname"}. This tells the platform which Key Distribution Center to contact for the realm.
  5. Access the Additional Settings tab and complete the following fields:
    1. Additional authentication fields: click Add.
    2. Name: fill with USE_KERBEROS.
    3. Value: fill with true.
  6. Access the JIT Settings tab and complete the following fields:
    1. Just In Time setting: select Enabled.
    2. Just In Time type: select Credential creation and deletion. In this mode, multiple users can have simultaneous active grants for the same credential. Each grant generates an independent ephemeral account with its own expiration time.
      Attention

      The same user cannot have two simultaneous active JIT grants for the same credential. The second request is denied while the first one is still active.

    3. Authentication setting: uncheck the Use own credential to connect option.
    4. Authentication credential: select the domain credential that will authenticate the account creation and deletion. The credential selected must have explicit permission to manage local users on the target. Since authentication uses Kerberos, this account will be validated directly at the KDC.
  7. Navigate to the Credential creation and deletion section and complete the following fields:
    1. Credential creation plugin: select Ansible.
    2. Credential creation template: select the creation template configured in step 1 (e.g., Windows JIT Kerberos - Create).
    3. Credential removal plugin: select Ansible.
    4. Credential removal template: select the deletion template configured in step 1 (e.g., Windows JIT Kerberos - Delete).
  8. Click Continue or go directly to the Review tab and click Save at the bottom of the page.
Info

Although the machines are in a domain context to allow Kerberos authentication, the users created by the playbook will always be local to the target device.
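The following playbook is an added example, not one of the built-in Segura playbooks referenced in step 1. It shows, in a single file, what the Windows-PSRP-Kerberos inventory and the create/delete playbooks need to express: a PSRP connection authenticated with Kerberos as a domain account (realm in uppercase), the creation or removal of a purely local account on the target, and a check that the target actually reflects the requested state. The hostnames, realm, account names, group membership and environment variable names are assumptions for illustration.

```yaml
# Added example (not Segura's built-in playbook). Creates or removes a local
# Windows account over PSRP with Kerberos authentication.
#
# The execution host also needs the realm and KDC in its Kerberos client
# configuration; the KDC entered in Additional Information corresponds to:
#   [realms]
#     CORP.EXAMPLE.COM = { kdc = dc01.corp.example.com }   # assumed values
#
# Create:  ansible-playbook -i 'win01.corp.example.com,' jit_local_user.yml -e user_state=present
# Delete:  ansible-playbook -i 'win01.corp.example.com,' jit_local_user.yml -e user_state=absent
- name: JIT local Windows account via PSRP + Kerberos
  hosts: all
  gather_facts: false
  vars:
    # Connection settings equivalent to a Windows-PSRP-Kerberos inventory.
    # Target hosts must be addressed by FQDN so the HTTP/<fqdn> SPN resolves.
    ansible_connection: psrp
    ansible_psrp_auth: kerberos
    ansible_psrp_protocol: https
    ansible_psrp_port: 5986
    # Use 'ignore' only for self-signed WinRM listeners; validate otherwise.
    ansible_psrp_cert_validation: validate
    # Domain account allowed to manage local users on the target (assumed name).
    # The realm must be uppercase: Kerberos realm names are case-sensitive.
    ansible_user: "svc-jit-admin@CORP.EXAMPLE.COM"
    ansible_password: "{{ lookup('env', 'JIT_ADMIN_PASSWORD') }}"
    # The ephemeral local account handed to the JIT session.
    jit_user: "jit-kerberos-windows"
    jit_password: "{{ lookup('env', 'JIT_USER_PASSWORD') }}"
    user_state: present   # present = creation template, absent = deletion template
  tasks:
    - name: Create or remove the ephemeral local account
      ansible.windows.win_user:
        name: "{{ jit_user }}"
        password: "{{ jit_password }}"
        state: "{{ user_state }}"
        # Local-only account: no domain object is created. Remote Desktop Users
        # membership lets the session log on interactively (assumed requirement).
        groups:
          - Remote Desktop Users
        groups_action: add
        password_never_expires: true
        user_cannot_change_password: true
        description: "Segura JIT ephemeral account - managed by Ansible"
      no_log: true   # keep the generated password out of the Ansible log

    - name: Verify the account state on the target
      ansible.windows.win_shell: >-
        (Get-LocalUser -Name '{{ jit_user }}' -ErrorAction SilentlyContinue) -ne $null
      register: local_user_check
      changed_when: false

    - name: Fail if the target does not reflect the requested state
      ansible.builtin.assert:
        that:
          - (local_user_check.stdout | trim | lower) == ('true' if user_state == 'present' else 'false')
        fail_msg: "Local user {{ jit_user }} is not {{ user_state }} on {{ inventory_hostname }}"
```

If the execution host already holds a ticket for the administrative account (for example after kinit), ansible_password can be omitted and pypsrp uses the existing ticket cache. The final assert is the playbook-level equivalent of the check in step 3: the password operation only counts as successful when the account is really present after creation and really gone after deletion.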

Step 3: Validate the operation

  1. In the credential list, identify the newly created credential, click the Actions menu and select Start session.
  2. Wait for the account to be created on the Windows device. The first logon with the new account takes longer than usual because Windows builds the user profile; this is standard operating-system behavior.
  3. Check Executions > Password operations > All operations to confirm the creation process was performed and that the deletion status is Waiting approval. When multiple simultaneous grants are created for the same credential, each grant displays its own requester, status, and expiration time, and is handled independently by the system.
  4. After the session ends, confirm that the deletion process was successfully executed, ensuring the ephemeral credential was removed.
Attention

If account creation takes too long or returns an error, check the detailed Ansible log in Executions > Operations automation > Executions. Locate the task, click the Details icon, and open the Standard output (stdout) tab to identify the task at which the automation was interrupted.