Lithnet Access Manager
PricingRequest a trial or quoteDownloads
v2.0
v2.0
  • Home
  • What's new in Access Manager v2
  • How does Lithnet Access Manager help prevent lateral movement?
  • Access Manager Editions
  • Licensing
  • Change log
  • Installation
    • Getting started
    • System Requirements
    • Downloads
    • Upgrading from Access Manager v1
    • Installing the Access Manager Server
      • Creating a service account for the Access Manager Service
      • SQL installation options
      • Installing the Access Manager Service
      • High availability options
        • Load balancing Access Manager
        • Installing Access Manager in a Failover Cluster
    • Installing the Access Manager Agent
      • Choosing between the Microsoft and Lithnet agents for LAPS support
      • Installing the Access Manager Agent on Windows
      • Installing the Access Manager Agent on Linux
      • Installing the Access Manager Agent on macOS
  • Configuration
    • Setting up Authentication
      • Setting up authentication with ADFS
      • Setting up authentication with Azure AD
      • Setting up authentication with Okta
      • Setting up smart card authentication
      • Setting up integrated windows authentication
    • Deploying Features
      • Setting up Microsoft LAPS for Active Directory
      • Setting up Microsoft LAPS for Azure Active Directory
      • Setting up Lithnet LAPS
        • Preparing the AMS directory
        • Setting the AMS directory for Lithnet LAPS clients
        • Setting up Lithnet LAPS for Azure AD joined and registered devices
        • Setting up Lithnet LAPS for domain-joined devices
        • Setting up Lithnet LAPS for macOS and Linux
        • Setting up Lithnet LAPS for standalone Windows devices
      • Setting up BitLocker access
      • Setting up JIT for computers
      • Setting up JIT for roles
    • Importing authorization rules
      • Import Microsoft LAPS permissions from Active Directory
      • Importing BitLocker permissions from Active Directory
      • Importing local administrator group membership from domain-joined Windows devices
      • Import mappings from a CSV file
      • Importing rules from the Lithnet LAPS web app
      • Performing an offline discovery of local admins
  • Help and support
    • Frequently asked Questions
    • Troubleshooting
    • Quick start guides
      • Getting started with Windows LAPS and Lithnet Access Manager
      • Getting started with Windows LAPS for Active Directory
      • Getting started with Windows LAPS for Azure Active Directory
    • Support Articles
      • KB000001: The Access Manager Agent cannot connect and logs a token-validation-failed error
      • KB000002: Users retain their admin rights after their JIT period expires
      • KB000003: Configuring the Access Manager Agent to manage an account other than 'root' on Linux
      • KB000004: Creating a log file to troubleshoot installation issues with the Access Manager Service
      • KB000005: Access Manager stops working after applying the November 2022 Windows update
      • KB000006: Migrating the Access Manager Database
      • KB000007: Adding JIT groups via Group Policy doesn't work with NTLM Disabled
      • KB000008: AMS is unable to JIT into privileged groups such as Domain Admins
    • Advanced help topics
      • Ports and traffic flows
      • Internet access requirements
      • Access evaluation in Access Manager Service (AMS)
      • Recovering from a lost encryption certificate
      • Script-based authorization
      • Customized auditing with PowerShell notification channels
      • Variables available in audit notification channels
      • Setting up audit templates
      • Backup and Restore
      • Event ID reference
    • PowerShell reference
      • Add-AmsDeviceRegistrationKeyGroup
      • Add-AmsGroupMember
      • Export-AmsServerDiagnostics
      • Get-AmsActiveDirectoryJitOptions
      • Get-AmsComputerAuthorizationRule
      • Get-AmsDevice
      • Get-AmsDeviceRegistrationKey
      • Get-AmsGroup
      • Get-AmsGroupMembers
      • Get-AmsHostConfig
      • Get-AmsJitSchedulerJob
      • Get-AmsLocalAdminPassword
      • Get-AmsLocalAdminPasswordHistory
      • Get-AmsRoleAuthorizationRule
      • New-AmsComputerAuthorizationRule
      • New-AmsDeviceRegistrationKey
      • New-AmsGroup
      • New-AmsRoleAuthorizationRule
      • Remove-AmsComputerAuthorizationRule
      • Remove-AmsDevice
      • Remove-AmsDeviceRegistrationKey
      • Remove-AmsDeviceRegistrationKeyGroup
      • Remove-AmsGroup
      • Remove-AmsGroupMember
      • Remove-AmsJitSchedulerJob
      • Remove-AmsRoleAuthorizationRule
      • Set-AmsActiveDirectoryJitOptions
      • Set-AmsComputerAuthorizationRule
      • Set-AmsDevice
      • Set-AmsDeviceRegistrationKey
      • Set-AmsGroup
      • Set-AmsHostConfig
      • Set-AmsRoleAuthorizationRule
    • Application help pages
      • Access Manager Directory configuration page
      • Access Manager Directory Devices page
      • Access Manager Directory Groups page
      • Lithnet LAPS configuration page (Access Manager Directory)
      • Access Manager Directory Registration Keys page
      • Lithnet LAPS configuration page (Active Directory)
      • Microsoft LAPS configuration page
      • Active Directory configuration page
      • Auditing page
      • Authentication configuration page
      • Computer authorization rules page
      • Role authorization rules page
      • Azure Active Directory configuration page
      • BitLocker configuration page
      • Database configuration page
      • Effective access page
      • Email configuration page
      • IP Address detection configuration page
      • Just-in-time access configuration page
      • Licensing configuration page
      • Rate limit configuration page
      • Host configuration page
      • User interface configuration page
      • Security page
    • Getting Support
Powered by GitBook
On this page
  • Prerequisites
  • .NET requirements
  • Agent installation
  • Installing the agent on Fedora using the Lithnet repo
  • Installing the agent on Red Hat using the Lithnet repo
  • Installing the agent manually on RPM-based distributions
  • Installing the agent on Debian using the Lithnet repo
  • Installing the agent on Ubuntu using the Lithnet repo
  • Installing the agent manually on Debian-based distributions
  • Installing the agent from the .tar.gz archive
  • Configuring the agent
  • Restarting the agent
  • Viewing log files
  • File locations

Was this helpful?

  1. Installation
  2. Installing the Access Manager Agent

Installing the Access Manager Agent on Linux

PreviousInstalling the Access Manager Agent on WindowsNextInstalling the Access Manager Agent on macOS

Last updated 6 months ago

Was this helpful?

Prerequisites

The Access Manager Agent makes use of the chpasswd tool, built into most Linux distributions. Ensure this tool is available before installing the agent.

The agent must be able to validate the AMS server certificate. If you are using a private CA, or a self-signed certificate, consult the guide relevant to your OS for how to add the certificate to the OS trust store. You can use OpenSSL to validate the trust state of the certificate using the openssl verify cert.crt command.

The agent itself runs using systemd, and as it requires access to reset the root password, must be run as the root user.

.NET requirements

The agent is build using Microsoft .NET 9.0. Ensure the distribution you are using is supported See the for more information.

Agent installation

Installing the agent on Fedora using the Lithnet repo

 #!/usr/bin/env bash
​
# Ensure that the right DNF components are available
sudo dnf -y install dnf-plugins-core
​
# Add the Lithnet Fedora repository
sudo dnf config-manager --add-repo https://packages.lithnet.io/config/rpm/fedora/lithnet.repo 
​
# Install the agent
sudo dnf install LithnetAccessManagerAgent

Installing the agent on Red Hat using the Lithnet repo

 #!/usr/bin/env bash
​
# Ensure that the right DNF components are available
sudo dnf -y install dnf-plugins-core
​
# Add the Lithnet Fedora repository
sudo dnf config-manager --add-repo https://packages.lithnet.io/config/rpm/rhel/lithnet.repo 
​
# Install the agent
sudo dnf install LithnetAccessManagerAgent

Installing the agent manually on RPM-based distributions

Use the appropriate package management tool to install the agent

# Download the x64 Access Manager Agent
curl -L https://packages.lithnet.io/linux/rpm/prod/packages/access-manager-agent/v2.1/x64/stable -o ~/accessmanager.rpm
sudo dnf install ~/accessmanager.rpm

Installing the agent on Debian using the Lithnet repo

#!/bin/bash
​
# Install prerequisites
sudo apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
​
# Import the Lithnet GPG signing keys
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://packages.lithnet.io/keys/lithnet.asc | sudo gpg --dearmor -o /etc/apt/keyrings/lithnet.gpg
sudo chmod a+r /etc/apt/keyrings/lithnet.gpg
​
# Add the Lithnet repository, specific to your build and architecture
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/lithnet.gpg] \
  https://packages.lithnet.io/linux/deb/prod/repos/debian/ \
  $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/lithnet.list > /dev/null
​
# Fetch the new repo and install the agent
sudo apt update
sudo apt install lithnetaccessmanageragent

Installing the agent on Ubuntu using the Lithnet repo

#!/bin/bash
​
# Install prerequisites
sudo apt install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
​
# Import the Lithnet GPG signing keys
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://packages.lithnet.io/keys/lithnet.asc | sudo gpg --dearmor -o /etc/apt/keyrings/lithnet.gpg
sudo chmod a+r /etc/apt/keyrings/lithnet.gpg
​
# Add the Lithnet repository, specific to your build and architecture
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/lithnet.gpg] \
  https://packages.lithnet.io/linux/deb/prod/repos/ubuntu/ \
  $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/lithnet.list > /dev/null
​
# Fetch the new repo and install the agent
sudo apt update
sudo apt install lithnetaccessmanageragent

Installing the agent manually on Debian-based distributions

Use the appropriate package management tool to install the agent

curl -L https://packages.lithnet.io/linux/deb/prod/packages/access-manager-agent/v2.1/x64/stable -o ~/accessmanager.deb
sudo apt install ~/accessmanager.deb

Installing the agent from the .tar.gz archive

Extract the archive to the root file system, allowing the files to be placed in their correct location. See the File location section below for more information on what files get unpacked and where.

Run the following command to register the service with systemd

/opt/LithnetAccessManagerAgent/Lithnet.AccessManager.Agent --install

Continue to the Configuring the agent section below.

Configuring the agent

Once the package is installed, it must be configured to talk to your AMS server. You can run the following command to perform an interactive installation

/opt/LithnetAccessManagerAgent/Lithnet.AccessManager.Agent --setup

To perform a non-interactive installation, use the following command, replacing the server name, and registration key as appropriate. You can generate new registration keys using the AMS configuration tool.

/opt/LithnetAccessManagerAgent/Lithnet.AccessManager.Agent --server ams.lithnet.local --registration-key XXXX

Check the log using the instructions in the Viewing the log files section below to ensure the agent registered correctly.

Restarting the agent

The Lithnet Access Manager Agent runs as a daemon using systemd. You can use standard systemd commands to start, stop and restart the agent.

systemctl restart LithnetAccessManagerAgent

Viewing log files

The agent logs are viewed using journalctl.

To show all events in the log use the following command

journalctl -u LithnetAccessManagerAgent -p 7 -a

To show a live stream of log messages use the following command

journalctl -u LithnetAccessManagerAgent -p 7 -a -f

File locations

The agent creates and uses the following files and folders.

/etc/LithnetAccessManagerAgent.conf - The main configuration file for the application. This contains the AMS server name and other settings relevant to the application.

/var/lib/LithnetAccessManagerAgent/LithnetAccessManagerAgent.state - This contains information used by the agent to store its current state information. This file should not be modified. It is generated by the app when it is run, and is not part of the installation package.

/opt/LithnetAccessManagerAgent - This directory contains the application binary files.

/etc/systemd/system/LithnetAccessManagerAgent.service - The systemd entry for the agent

While you do not need to install the .NET package itself, as the agent contains all the .NET components it needs to run, there are certain dependencies required by .NET, that if are not present, will prevent the agent from running. If you run into this issue, you may wish to install the .NET 8.0 package to automatically obtain the dependencies, or that .NET requires, and install these yourself.

Microsoft guide for supported operating systems for .NET 8.0
review the list of dependencies