TSS End User Guide

1. The document provides guidance on how to use the Thycotic Secret Server (TSS) application. It outlines the login process, which requires a standard Aramark ID and password for initial access followed by multi-factor authentication using an authenticator mobile app or email. 2. It describes how to find, favorite, check out, and check in secrets within TSS for accessing passwords and other secure information. It also covers password functions, enabling copy/paste, RDP launching, and rotating service account passwords. 3. Instructions are provided for downloading and using the Thycotic Connection Manager desktop application, which allows backing up and restoring local secret access. The document concludes with information on console functionality and session

Uploaded by

Juan Alegre

TSS – End User Guide

**Please ensure you are connected to Pulse prior to attempting access when
Offsite**

Table of Contents
First time Users: Download TOTP/MFA
How to Use Thycotic
  Login
    TOTP/MFA
      Existing Users
      First Time Only or if you have selected “Lost your phone?”
  Secret Functionality
    Find a TSS Secret
    Favorite a TSS Secret
    Check OUT a TSS Secret
    Check IN a TSS Secret
    Heartbeat Failure due to TSS Secret Lockout
    Password Functions
    Enable Copy/Paste
    RDP Launcher
    Service Accounts
      Static Service Accounts Password Rotation
  Thycotic Connection Manager
    Download and Install
    Connection Manager launch
      Create new local storage file
    Main Screen Navigation
      Configuration
      Password Functions
        Check-Out
        Check-In
        Backing up “Local Connections”
    Upgrade Notification
    Console Functionality
      Session Windows

First time Users: Download TOTP/MFA

1. Download an Authenticator application onto your personal mobile device.


You will need this for your TOTP/MFA (Multi Factor Authentication) into the TSS console. Thycotic’s
TOTP/MFA has been tested to work with most authenticator applications such as Microsoft
Authenticator, Google Authenticator, LastPass, 1Password, and Authy.
If you need assistance setting up the MS Authenticator mobile app, you can use the YouTube
link here: https://www.youtube.com/watch?v=PaSaq99c9n8
Note: If you do not have a mobile device or there is a restriction in your area, please let us know so we
can set you up for the email function.

How to Use Thycotic

Login
1. Click on the link to access TSS: https://pam.fss.aramark.com/secretserver
2. On the login screen below, enter your Standard Aramark ID in the “Username” field & your current
network password in the “Password” field, then click “Login”.
NOTE: This is NOT the TSS account name that was given to you. If you have not yet received your TSS
account, wait until you do.

TOTP/MFA
Existing Users
1. Input your Pin Code & click “Log In”.

First Time Only or if you have selected “Lost your phone?”


1. Open your Mobile Authenticator application.
2. Scan the QR code on the screen.
Note: Follow the documentation from the application vendor on proper use of their product.

3. Click Next
4. Enter the Pin code from the Authenticator application and click “Verify Setup”.
Note: Pin will recycle every 30 seconds on your mobile app.

5. A two-factor reset code will display.

a. Copy It. Click on the Blue


b. Save It - in a secure location. Example: OneDrive, Email yourself.
Note: Not in a text file on your desktop.
c. Click “Next”
6. Paste the Code you copied beforehand into the prompt and hit “Verify Setup”.

Secret Functionality
Find a TSS Secret
1. Click on “Secrets” then proceed to the “Filter Search” or the “Global Secret Selector”.

2. “Filter Search” - You can enter any part of a name and it will list all secrets with a similar name.

3. “Global Secret Selector” – You can enter the ID or any part of a similar name.
Note: Use this only when you want to select and enter the secret.

Favorite a TSS Secret


1. Find the Secret from the “Filter Search” – See Find a TSS Secret

a. Hover over the TSS account you want to favorite, and you will see a STAR.
b. Click it to make it turn into a Solid Star.
2. Now click on “Favorites”. You should see all Favorited Secrets.

Check OUT a TSS Secret
1. Once you have found the secret you want, click on its Name.

2. Click on the “Check Out” button.

3. You should now be within the secret and can perform your tasks such as:
a. Password Functions
b. RDP Launcher
c. Checking In your account manually

Check IN a TSS Secret
There are a couple of ways to check in your TSS account manually.
Note: You might do this after you are finished with the secret or if the account is locked and you need to
get it unlocked via a script on “Check In”.
1. The most common way is to let Thycotic auto check the secret in after the checkout time expires.
For most, this time is 1 hour.
2. The second way is within the Secret you already have checked out. Click the drop-down for the Check In
option by clicking the time clock icon.
3. The third method is within Thycotic Connection Manager, if used or installed.

Heartbeat Failure due to TSS Secret Lockout


1. Notifications are sent out to the primary user’s email.
a. The email includes instructions on how to unlock the account.
2. Sometimes your secret will become locked.
a. This is because the secret owner/user used it on a Windows session and has not logged out of
that session, which keeps trying to authenticate on the domain with a wrong password.
i. This is due to our security settings changing the password of the secret automatically at
Check IN time or on the daily password reset.
b. You can unlock your Secret by simply checking in the secret; a script will run to perform this
function.
c. If this continues to happen and you want to isolate which HOST is locking the account, you can put in a
request ticket asking for a lockout report on the specific Secret.
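
The lockout pattern described above can be isolated from authentication logs. The following is an added example, not part of the original guide and not Thycotic or Aramark code: given failed-logon records and the time the secret's password was rotated, it ranks the hosts that keep presenting the old password. The record layout, event labels, account name and host names are assumptions constructed for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real logs): timestamp, event, account, host.
# The event labels are assumptions for this example; on Windows they map to
# Security events 4624 (logon), 4625 (failed logon) and 4740 (lockout).
SAMPLE_LOG = """\
2024-03-01T08:40:12 LOGON_OK tss-example SRV-APP01
2024-03-01T08:52:03 FAILED_LOGON tss-example WKS-0099
2024-03-01T09:00:41 FAILED_LOGON tss-example SRV-APP01
2024-03-01T09:01:11 FAILED_LOGON tss-example SRV-APP01
2024-03-01T09:01:41 FAILED_LOGON tss-example SRV-APP01
2024-03-01T09:01:42 LOCKOUT tss-example SRV-APP01
2024-03-01T09:05:00 FAILED_LOGON other-account SRV-DB02
this line is malformed and is skipped
2024-03-01T09:31:02 FAILED_LOGON tss-example SRV-WEB03
"""
# Assumed time at which check-in rotated the secret's password.
ROTATED_AT = datetime(2024, 3, 1, 9, 0, 0)


def parse(log_text):
    """Yield (time, event, account, host); skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue


def stale_session_hosts(log_text, account, rotated_at):
    """Rank hosts still authenticating as `account` after its password rotated."""
    failures, locked, had_session = Counter(), set(), set()
    for when, event, acct, host in parse(log_text):
        if acct.lower() != account.lower():
            continue
        if event == "LOGON_OK" and when < rotated_at:
            had_session.add(host)  # session opened with the old password
        elif event == "FAILED_LOGON" and when >= rotated_at:
            failures[host] += 1    # old password replayed after rotation
        elif event == "LOCKOUT" and when >= rotated_at:
            locked.add(host)
    hosts = sorted(set(failures) | locked, key=lambda h: (-failures[h], h))
    return [{"host": h, "failures": failures[h], "lockout": h in locked,
             "session_before_rotation": h in had_session} for h in hosts]


if __name__ == "__main__":
    for row in stale_session_hosts(SAMPLE_LOG, "tss-example", ROTATED_AT):
        print(row)
```

A host that had a session before the rotation and starts failing right after it is the one to log out of before checking the secret out again.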

Password Functions
1. Within the Secret you will see its respective information.

2. Copy to your clipboard by simply hovering over the respective field and selecting the copy icon.

3. These features are useful when you have to manually apply credentials to third-party browsers or
applications such as SQL or Azure.
4. One last way to check out your password does not require going into the Secret at all.
a. To do this:
i. Find the secret in question.
ii. Click in the empty space to the right of the Star of the secret.
iii. Notice a new popup to the right.
iv. Hover over “Password” and select the copy icon.

Enable Copy/Paste
1. Select your “ID” bubble in the top right.

2. Select “User Preferences” in the drop down.

3. Select the “Settings” tab at the top of “User Preferences”.

4. Scroll down and find “Allow Access to Clipboard” within the “Launcher Settings” section.

5. If an RDP session exists, you must terminate it and relaunch it to get the copy/paste to function.

RDP Launcher
Note: This will use Thycotic as a Gateway Server.

1. Navigate down within your Secret.


2. Click on the “RDP Launcher” button/Link.

3. Enter your server’s host name or IP.

4. RDP Launcher Prompts


a. First time access - You may need to install the protocol handler software, which contains MSTSC
& PuTTY. At that point you will be able to access the selected server.
b. If “Connection Manager” is installed, click on “Always allow” and then click on “Open Thycotic
Connection Manager”.

5. Once the RDP session connects, click “OK” on Aramark’s usage warning.

Service Accounts
Static Service Accounts Password Rotation
1. Find the intended Service account secret within Thycotic via the secret filter or by the secret
selector. See section Find a TSS Secret
2. Once found, make sure you are inside the secret by clicking on the secret’s name, and enter the
comment for the intended function.
Note: Make sure you have scheduled Change Management for any production impact.
3. At the top of your secret page there is a “Change Password Now” field.

4. Make sure the default for “Next Password” is set to “Randomly Generated” then click “Change Password”.
Note: Make sure you do the change in a timely manner, or you will be forced to re-enter your comment.

5. Once the change occurs make sure the password has changed and is not waiting on a change.
You can validate this by going to the “RPC” tab and reviewing.

6. Go back to the General page and copy your new password.


7. Set your new password in all locations you need to update, e.g. scripts, consoles, dependent services not
managed by Thycotic.

Thycotic Connection Manager
Download and Install
1. Download the Installer for your OS
a. Windows Installer File (MSI)
b. MAC Installer File (DMG)
2. Install and configure client – Full instructions on vendor site https://docs.thycotic.com/cmgr/current
a. Find and Double-click the MSI file to start the install process
b. Click Next to continue.
c. Leave the location to install Connection Manager as the default location.
d. Click Next to confirm the location and accessibility for the install.
e. Click Next again to start the installation. A progress bar will be displayed while the installation is
in progress.
f. Once the install has finished, click Finish.
g. The install is complete, and the Connection Manager icon will be added to the desktop for easy
access.

Connection Manager launch


1. First Timers - You must create a secure password for this vault.
a. Confirm the password and click Create

2. Enter the password you previously created and click “Start”.

Create new local storage file
Warning!! You can choose this; however, it will remove all existing connections.
1. Select “Create new local storage file”
2. Select “Yes” at the Warning popup to Continue

Main Screen Navigation


Note: Without the Secret Server Connection, any initiated sessions from “local connections” will only
launch locally. Those sessions will not trigger a check out for the secret and the connection will not be
proxied.
1. Active Sessions: Select to view all active sessions
2. Recent: Select to view or launch recently active sessions or to create a new Secret Server
connection. Existing entries also display the connection type.
3. Shared with Me: Secrets that are shared with you.
4. Favorites: Local Connections and any Secrets that you have marked as favorite from the Secret
Server Instance.
Note: For Secret Server Favorites to show up you must be connected. See the Configuration section.
5. Local Connections
a. Select to view all local connections. In this view, you can drag and drop folders to organize them
logically.
b. Right click to import from other connection managers like RDC
c. Right click to export saved folders and personal connections.
d. Right click to create New Folders or connections
6. Secret Server Connection
Note: Requires the Configuration part to be finished before it is seen. See the Configuration section.
a. Contains same folder structure and secrets as webapp
b. Visibility of secret settings is limited – See Thycotic Web

Configuration
1. Click in the area where you see the “Gear” and the word “Configuration”, located at the bottom left.

2. Select “Secret Server Connections”

3. Secret Server Connections – Step 1 of 3.


a. Input any name you would like within the “Secret Server Name”
b. Input the “Secret Server URL” with https://pam.fss.aramark.com/SecretServer/
c. For “Authentication Type” choose “Local Username/Password”
d. Click “Next”

4. Secret Server Connections – Step 2 of 3.


a. For “Username” & “Password”, Type in the same Credentials used on the Webapp.
b. Set the “Domain” as “STAR”
c. Select to “Store credentials Locally”
d. Select “Pin Code” and enter the pin provided by your mobile device that you have already set up.
e. Click “Connect”

5. Secret Server Connections – Step 3 of 3.
a. Select all Templates prefixed with “AramarkAD”
b. Uncheck all with +Svc.

6. Click “Finish”

Password Functions
1. You can Check-In your secret via Connection Manager by:

a. Click in the empty space to the right of the Star of the secret
b. Notice a new popup to the right
c. Highlight over “Password” and select the copy Icon
Check-Out
1. Check-Out automatically occurs when you start your Local Connection to a Server.

Check-In
1. You can Check-In your secret via Connection Manager by:

a. Click in the empty space to the right of the Star of the secret
b. Notice a new popup to the right
c. Click “Check-In”
Backing up “Local Connections”
1. Right click on “Local connections” and Select “Export”

a. Select “Browse” under the folder box.


Important! – Save to a secured location like “OneDrive”.

i. Provide a “File Name” and click “Save”

b. Select “Export Passwords” and Select “Export”.

2. Open Windows Explorer and validate that the new file exists.

Upgrade Notification
1. At any time, if prompted to upgrade your current version of Thycotic Connection Manager:

a. Select “Remind me Later”


2. Back up your “Local Connections”.
3. Check your emails for any communication concerning Connection Manager prior to proceeding with
any upgrade notification.
4. If all checks are OK, then you can proceed with clicking on “Update”.

Console Functionality
Session Windows
1. If you want to fully maximize a Session Window, you can drag the console window out of the Connection
Manager window.
a. Click and drag the window tab out

b. Click Maximize Button to fully maximize Session Window.
