How to provision JIT local Windows accounts with Kerberos via Ansible

This document provides instructions on how to configure support for Just-in-Time (JIT) accounts using the Executions module and PAM Core. This process allows an ephemeral local account to be created via Ansible using Kerberos authentication, and automatically removed after the session ends.

Requirements

  • Permission to create new credentials in the Segura® Platform.
  • Windows target devices joined to a domain.
  • A domain credential with permission to authenticate the creation.

Step 1: Create automation templates

You will need two distinct templates in the Executions module to manage the account lifecycle.

Creation template

  1. In the Segura® Platform, in the navigation bar, hover over the Products menu and select Executions.
  2. In the side menu, select Template control > Templates.
  3. Click Add and complete the following fields:
    • Name*: enter the template name (e.g., Windows JIT Kerberos - Create).
    • Status: keep enabled to activate the template.
    • Executor: select Ansible.
    • Execution type: select New user.
    • Playbook: select Windows Kerberos create local user.
    • Inventory: select Windows-PSRP-Kerberos.
  4. Click Save.
Info

If your environment uses the Network Connector to reach the target device, select the SNC Windows Kerberos create local user playbook and the SNC-Windows-PSRP-Kerberos inventory.

Removal template

  1. Still on the Templates screen, click Add to create the deletion template and complete the following fields:
    • Name*: enter the template name (e.g., Windows JIT Kerberos - Delete).
    • Status: keep enabled to activate the template.
    • Executor: select Ansible.
    • Execution type: select User delete.
    • Playbook: select Windows Kerberos delete local user.
    • Inventory: select Windows-PSRP-Kerberos.
  2. Click Save.
Info

As before, if your environment uses the Network Connector to reach the target device, select the SNC Windows Kerberos delete local user playbook and the SNC-Windows-PSRP-Kerberos inventory.

Step 2: Configure authentication and JIT in PAM Core

Attention

The credential selected to authenticate the creation must be a domain user and have explicit permission to manage local users on the target. Since authentication uses Kerberos, this account will be validated directly at the KDC.

  1. In the Segura® Platform, in the navigation bar, hover over the Products menu and select PAM Core.
  2. In the side menu, select Credentials > All credentials.
  3. In the upper-right corner, click Add.
  4. On the Credential registration screen, access the Information tab and complete the following fields:
    • Username*: enter the username (e.g., jit-kerberos-windows).
    • Password type: select Local User.
    • Device: select the device where the account will be created.
    • Domain: fill in the domain entirely in uppercase letters (Kerberos realm names are case-sensitive and conventionally uppercase).
    • Additional Information: enter the KDC hostname in the format {"KDC": "hostname"}.
  5. Access the Additional Settings tab and complete the following fields:
    • Additional authentication fields: click Add.
    • Name: fill with USE_KERBEROS.
    • Value: fill with true.
  6. Access the JIT Settings tab and complete the following fields:
    • Just In Time setting: select the Enabled option.
    • Just In Time type: select the Credential creation and deletion option.
    • Authentication setting: uncheck the Use own credential to connect option.
    • Authentication credential: select the domain credential that will authenticate the account creation and deletion.
  7. Navigate to the Credential creation and deletion section and complete the following fields:
    • Credential creation plugin: select Ansible.
    • Credential creation template: select the creation template configured in step 1.
    • Credential removal plugin: select Ansible.
    • Credential removal template: select the removal template configured in step 1.
  8. Click Continue or go directly to the Review tab and click Save at the bottom of the page.
Info

Although the machines are in a domain context to allow Kerberos authentication, the users created by the playbook will always be local to the target device.
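To make the pieces selected above concrete, here is an added illustration of what a Kerberos-authenticated PSRP inventory and a create/delete playbook pair look like in plain Ansible; it is written for this page and is not the platform's own Windows-PSRP-Kerberos inventory or its playbooks. The host name, the DOMAIN.EXAMPLE realm, the dc01 KDC, the svc-jit account, the variable names and the group membership are all assumptions.

```yaml
# --- /etc/krb5.conf fragment on the Ansible controller (constructed) ---
# This is where the KDC hostname from the credential's Additional Information
# would normally end up; the realm name must be uppercase, as in Step 2.
#   [realms]
#     DOMAIN.EXAMPLE = {
#       kdc = dc01.domain.example
#     }

# --- inventory.yml (constructed; assumed target host and realm) ---
all:
  hosts:
    win-target.domain.example:            # must be domain-joined for Kerberos to work
  vars:
    ansible_connection: psrp
    ansible_port: 5986                    # HTTPS WinRM listener
    ansible_psrp_auth: kerberos           # ticket comes from the KDC; no NTLM fallback
    # ansible_psrp_cert_validation is left at its default (validate): the
    # listener certificate should chain to a CA the controller trusts.
    ansible_user: "svc-jit@DOMAIN.EXAMPLE"   # the domain "authentication credential"
    ansible_password: "{{ svc_jit_password }}"  # injected at run time, never stored here

# --- create_local_user.yml (constructed; the "New user" execution type) ---
- name: Create ephemeral local account over Kerberos-authenticated PSRP
  hosts: all
  gather_facts: false
  tasks:
    - name: Ensure the JIT local user exists with only the access the session needs
      ansible.windows.win_user:
        name: "{{ jit_username }}"        # e.g. jit-kerberos-windows, supplied by PAM Core
        password: "{{ jit_password }}"
        update_password: on_create
        state: present
        account_disabled: false
        groups:
          - Remote Desktop Users          # assumed; adjust to the session type
        groups_action: replace            # no inherited memberships beyond this list

# --- delete_local_user.yml (constructed; the "User delete" execution type) ---
- name: Remove the ephemeral local account once the session has ended
  hosts: all
  gather_facts: false
  tasks:
    - name: Ensure the JIT local user is gone
      ansible.windows.win_user:
        name: "{{ jit_username }}"
        state: absent
```

Because the account is created and removed with the domain credential rather than the ephemeral user itself, the target's Security log will show the domain account performing the local-user changes, which is the trail to check when validating Step 3.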

Step 3: Validate the operation

  1. In the credential list, identify the newly created credential and click Start session in the actions menu located on the right.
  2. Wait for the user to be created in the Windows environment.
  3. Check Executions > Password operations > All operations to confirm the creation process was performed and that the deletion status is Waiting approval.
  4. After the session ends, confirm that the deletion process was successfully executed, ensuring the ephemeral credential was destroyed.
Info

Windows user creation may take a few minutes. This is a standard process inherent to the operating system, required for initial profile configuration.