Installation
7 min
, install windows agent (supporting windows server 2016, 2019, 2022, windows 10, and 11), you need to have an installation package also, the net framework 4 7 2 should be installed on the endpoint to get the setup file installation should be done with a user who has local admin rights kron pam’s kernel driver has not been implemented for the arm architecture, so you should not install the agents on machines running on processors with arm architecture when the installation is successful, the agent is going to take over the credential provider functionality from windows os, and other log in options can be disabled over agent group configuration to make sure that the agent is the only credential provider for windows login operations local accounts are not going to be queried about on kron pam, and their authentication will be done by windows locally ad accounts will be referred to domain via the agent navigate to windows agent management and agent dashboard, then click the add button click agent installation download the ps1 file after setting the time limit for the agent’s registration by clicking the text that reads “ here” (an example of the ps1 file is provided below) copy this file to the endpoint where you want to install the agent ensure that port 443 is open between the endpoint and kron pam servers when you execute the ps1 file on the endpoint, it will download the agent, allowing you to proceed with the installation the ps1 script must be run as an administrator if script execution is disabled on the system, enable it using the following command set executionpolicy executionpolicy unrestricted add type @" using system net; using system security cryptography x509certificates; public class trustallcertspolicy icertificatepolicy { public bool checkvalidationresult( servicepoint srvpoint, x509certificate certificate, webrequest request, int certificateproblem) { return true; } } "@ $allprotocols = \[system net securityprotocoltype]'ssl3,tls,tls11,tls12' \[system net servicepointmanager] securityprotocol = $allprotocols \[system net servicepointmanager] certificatepolicy = new object trustallcertspolicy set location path c invoke webrequest uri " https //10 20 42 12 443/repo/windows agent/win agent exe " outfile "win agent exe" invoke webrequest uri " https //10 20 42 12 443/repo/windows agent/kron 3 7 0 patch1 cab " outfile "kron cab" start process nonewwindow filepath "c \win agent exe" argumentlist "initial token=8123800 2d0f 4a51 9453 475a1761c857","register endpoint= https //1 0 2 1 443 " if a non expired token is already on the screen, you will see it on the download page but if you need a new token, you can return to the first screen to reproduce one then, go to the next page to download the script again with a new token the agent is installed when you place the ps1 file on the endpoint and run it as a local admin start the installation package and click license agreement click next enter the necessary information then click install the register endpoint is the kron pam server if the ssl option is active, the dns name of one of the pam servers should be entered instead of the load balancer ip the initial token is the registration token that is shown on the same modal you get the ps1 file from on kron pam installation is successful during installation, the agent sends the server's ip address, hostname, and os version to kron pam if the server's ip address changes at any point, the agent updates kron pam with the new information from then on, the updated ip is used throughout kron pam, replacing the old one if an agent remains offline beyond a specified time, it is automatically removed from the agent dashboard, along with any associated agent specific rules the device will then be moved to the "unassigned device" group in the device tree without affecting any kron pam related rules this can be configured in the system configuration manager, using the parameter below (measured in days) win agent remove after expire time = 60 to install the agent silently on cmd please use the below command line syntax "agent exe" initial token= "cb6b6d7f bebb 4463 8a6e ca58cb168120" register endpoint="https //10 20 42 12/" sometimes system administrators need a powerful user who can do anything in such cases, you need to define the parameter below in the system configuration management page when a user is defined with the below parameter, this user can do anything, and they are not being policed such users are only logged, and this is called all run right win agent all run right = administrator, pamadmin, systemadmin