> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/rdm/knowledge-base/how-to-articles/cyberark-pvwa-credentials-entry.md). # CyberArk PVWA (credentials) entry The ***CyberArk PVWA*** entry is a credential entry type in Remote Desktop Manager Windows. The entry is located under ***Add new entry*** – ***CyberArk PVWA***. It is the recommended method to: * Apply password injection (bypassing CyberArk PSM), or * Leverage CyberArk PSM for session brokering. Privileged Session Management (PSM) is a CyberArk component that brokers privileged sessions to target systems while enforcing isolation, access control, and session recording. RDM integrates with PSM to transparently launch those sessions for the user. This article explains how the PVWA entry works, how to configure the resolving mode, and how RDM determines which CyberArk component and technology to use at connection time. {% hint style="info" %} CyberArk integrations require the [Privileged access management solutions package](https://docs.devolutions.net/resources/getting-started-packages/privileged-access-management-package/) license. {% endhint %}
### General | SETTINGS | DESCRIPTIONS | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Resolving mode** |

The Resolving mode defines how credentials are used. There are two supported modes:Injection:
- Credentials are retrieved from CyberArk and injected directly into the target session.
- CyberArk PSM is not used.
- Any session type in RDM can technically be used (RDP, SSH, websites, custom tools, etc.).PSM Connection:
- CyberArk PSM is used to broker the session.
- RDP entries: Standard PSM (PSM-RDP)
- Website entries: HTML5 PSM (Guacamole)
- Other session types are not supported in PSM Connection mode.

| | **Web service URL** |

Enter the CyberArk server address in this format to connect to your CyberArk instance: https\://\.\.loc/.The following is what your Web services URL will be, depending on your CyberArk subscription:
- SelfHosted: Short URL.
- PrivilegeCloud: Short URL if the URL does not end in cyberark.cloud.
- PrivilegeCloud: /privilegecloud if the URL ends in cyberark.cloud.

| | **Virtual directory** | Enter a **Virtual directory**. This field is either `/privilegecloud` or empty. | | **Version** | Select a **Version** in the drop-down list. This refers to the CyberArk PVWA version seen on the CyberArk authentication page.Note that we only support the CyberArk V12 API for now and that CyberArk version 12.1 is required. | | **Authentication** | Select the **Authentication mode** used to connect to the CyberArk instance (**CyberArk**, **Windows**, **LDAP**, **RADIUS**,\*\*SAML, PKI,\*\*or **PKIPN**).SAML authentication is supported with CyberArk in Remote Desktop Manager starting in version 2022.3.25. Important improvements and bug fixes were added in later versions. We recommend to at least update to the 2023.1 version of Remote Desktop Manager if your current version is older. In 2023.1, you no longer need to provide the identity provider **IdP sign-in URL** when configuring SAML authentication. If you have trouble with your SAML authentication, consult [SAML Configuration and Troubleshooting](https://docs.devolutions.net/rdm/kb/troubleshooting-articles/saml-configuration-troubleshooting-cyberark-dashboard/). SAML authentication for CyberArk Privilege Cloud requires Remote Desktop Manager 2023.2.17 or newer.Your CyberArk vault administrator should provide you with the authentication model being used. In PVWA, if you select a link that matches your corporate domain name, that typically indicates that LDAP model is in use. | | **Account** | Select the account this credential entry is going to use. Check **Always prompt with list** and let the user choose the account. | ### Advanced | SETTINGS | DESCRIPTIONS | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **MFA delimiter** | The [**MFA delimiter**](https://docs.devolutions.net/rdm/kb/knowledge-base/mfa-delimiter-cyberark/) option exists in Remote Desktop Manager to mirror the one that already exists with CyberArk. The character that is entered in the delimiter field will be used to separate the values of the SecurID code and the password that are then sent to the API. | | **Domain search method** |


- Default
- None
- Field (this enables the Domain field option)

| | **Domain field** |


- Default
- Address
- Domain
- Logon domain
- Custom

| ### Endpoint configuration When using ***PSM connection*** in ***Resolving mode***, the target system is not defined in the PVWA entry itself. Instead, it is specified in the linked session entry. #### RDP entry (PSM-RDP) The target endpoint is defined in the **Host** field of the RDP entry. #### Website Entry (HTML5 PSM) The target endpoint is defined in the ***Website*** field of the website entry. ### Connection Flow in Remote Desktop Manager Once the PVWA credential entry and the session entry are configured, Remote Desktop Manager automatically resolves the connection when the user launches the session. The process is as follows: 1. Remote Desktop Manager reads the credential configuration (CyberArk PVWA). 2. If required, Remote Desktop Manager prompts the user to select the CyberArk component (for example PSM-RDP, PSM-SSH, or other PSM-enabled applications). 3. Remote Desktop Manager determines or prompts for the PSM technology to use: * RDP-based PSM, or * HTML5 (Guacamole) PSM Although RDM only natively supports ***RDP*** and ***Website*** session types, these primary entries can trigger a wide range of PSM-managed applications on the CyberArk side (for example SQL Server Management Studio, PuTTY, Active Directory Users and Computers, and more). 4\. Remote Desktop Manager contacts CyberArk to request a **connection object** based on the selected parameters. {% hint style="info" %} The availability depends entirely on the applications configured in CyberArk. {% endhint %} 5. In some scenarios (for example CyberArk AppRemote), additional configuration may be required. See the [CyberArk AppRemote documentation](https://docs.devolutions.net/rdm/kb/how-to-articles/cyberark-remoteapp/) for more information. #### Notes and limitations * Injection mode offers the most flexibility but does not provide PSM session recording or isolation. * PSM Connection mode enforces CyberArk controls but restricts supported session types. * Proper endpoint configuration in the session entry is critical for successful PSM connections. #### Troubleshooting If you need the domain specified most of the time, you need to set the ***Domain search method*** to ***Field,*** and then the ***Domain field*** to ***Address***. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devolutions.net/rdm/knowledge-base/how-to-articles/cyberark-pvwa-credentials-entry.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.