Symantec Privileged Access Management

  • 1.  CA PAM Windows Endpoint Config

    Posted Oct 25, 2017 08:56 AM

    Hello Team,

    We are configuring a Windows endpoint through PAM. We have created the application and account. The account has also been verified.

    We have created a policy which allows one of the users to see our Windows account in the "Access" tab.

    Now, after clicking on RDP, we get the error below:


    Error type: RdpException.
    Error message: Unable to connect to backend device. Please contact Administrator..

    Stack trace:
    com.ca.xsuite.app.rdp3.client.handler.TCPStreamHandler.read(Unknown Source)
    com.ca.xsuite.app.rdp3.core.layer.channel.BaseITULayer.receive(Unknown Source)
    com.ca.xsuite.app.rdp3.core.layer.ITULayer.mainLoop(Unknown Source)
    com.ca.xsuite.app.rdp3.client.app.RDesktop.main(Unknown Source)
    com.ca.xsuite.launcher.a.n.run(Unknown Source)
    java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    java.lang.Thread.run(Unknown Source)

    Cause:
    Error type: EOFException.
    Error message: .

    Stack trace:
    com.ca.xsuite.app.rdp3.core.impl.RDPInputStream.readFully(Unknown Source)
    com.ca.xsuite.app.rdp3.client.handler.TCPStreamHandler.read(Unknown Source)
    com.ca.xsuite.app.rdp3.core.layer.channel.BaseITULayer.receive(Unknown Source)
    com.ca.xsuite.app.rdp3.core.layer.ITULayer.mainLoop(Unknown Source)
    com.ca.xsuite.app.rdp3.client.app.RDesktop.main(Unknown Source)
    com.ca.xsuite.launcher.a.n.run(Unknown Source)
    java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    java.lang.Thread.run(Unknown Source)

    Now, as the account is verified, I think PAM is able to RDP and check the credentials on the server. Am I missing something here?

    Then I tried to create the service for RDP and gave it the path mentioned below (not sure if it is correct; I took the SSH service as a reference):

    \\<our-server-name>\fileshare\Default.rdp -rdp <Local IP> -P <First Port> -l username

    We need to deliver the Windows endpoint ASAP. Can anyone please help?



  • 2.  Re: CA PAM Windows Endpoint Config

    Posted Oct 25, 2017 09:15 AM

    Hi,

    Did you enable RDP on the endpoint?



  • 3.  Re: CA PAM Windows Endpoint Config

    Posted Oct 25, 2017 09:40 AM

    Yes, we are able to log in to it manually.

    If RDP isn't working, is password verification of the target account possible?



  • 4.  Re: CA PAM Windows Endpoint Config

    Posted Oct 25, 2017 09:45 AM

    Did you also add the Windows client to the RDP access screen?



  • 5.  Re: CA PAM Windows Endpoint Config

    Posted Oct 26, 2017 03:19 AM

    I didn't get what exactly you mean by the RDP access screen. I followed the steps below, which might help you understand better:

    - Create Device

    - Create Application

    - Create Account

    - Create Policy

    Now, while creating the Application, I first selected "Windows Proxy" as the Application Type. I have installed the Windows proxy. Then I created the account, and that account was also verified. However, I am getting the above error.

    Then I followed the normal steps provided in the link. There they selected "Generic" as the Application Type. However, same result.

    Are we missing something here? Not getting anything from the documentation. We need to deliver the servers ASAP. Thanks.

     

    Cheers,

    Nikunj



  • 6.  Re: CA PAM Windows Endpoint Config

    Posted Oct 25, 2017 09:47 AM


  • 7.  Re: CA PAM Windows Endpoint Config

    Posted Oct 26, 2017 03:12 AM

    I have followed the same steps, mate. Still the same issue.



  • 8.  Re: CA PAM Windows Endpoint Config

    Posted Oct 26, 2017 03:43 AM

    I would suggest opening a support issue.



  • 9.  Re: CA PAM Windows Endpoint Config

    Posted Oct 26, 2017 09:23 AM

    Some RDP connections can only be made from certain computers on a domain. This is specified by the userWorkstations attribute in Active Directory. We faced similar problems here and solved them by adding the PAM appliance hostname to this attribute of the server in AD. User-Workstations attribute (Windows)

    Hope this helps.
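
    The following is an added example, not code from the thread or from the PAM product, showing how to inspect and extend the userWorkstations restriction the reply above refers to. In Active Directory the attribute lives on the user object (it is the "Log On To" list in Users and Computers) and holds a comma-separated list of NetBIOS computer names, at most 64 entries. The account name `svc-pam-rdp` and the appliance name `PAMAPPLIANCE` are placeholders; the script assumes the ActiveDirectory PowerShell module and rights to modify the account.

```powershell
# Added example (not from the thread): check, and if needed extend, the
# userWorkstations ("Log On To") list of the AD account PAM uses for RDP.
# Assumptions: ActiveDirectory module installed; $AccountSam and $PamHost
# are placeholders for your environment.
Import-Module ActiveDirectory

$AccountSam = 'svc-pam-rdp'    # assumed: sAMAccountName of the managed account
$PamHost    = 'PAMAPPLIANCE'   # assumed: NetBIOS name of the PAM appliance

$user = Get-ADUser -Identity $AccountSam -Properties userWorkstations

if ([string]::IsNullOrEmpty($user.userWorkstations)) {
    # An empty attribute means "log on from any workstation".
    Write-Host "$AccountSam has no workstation restriction; userWorkstations is not the blocker."
    return
}

# Comma-separated NetBIOS names; normalise whitespace and case for the comparison.
$allowed = @($user.userWorkstations -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() })
Write-Host "Current Log On To list for ${AccountSam}: $($allowed -join ', ')"

if ($allowed -contains $PamHost.ToUpperInvariant()) {
    Write-Host "$PamHost is already permitted."
}
elseif ($allowed.Count -ge 64) {
    # AD enforces a hard limit of 64 entries on this attribute.
    Write-Warning "List already has 64 entries; remove one (or clear the restriction) before adding $PamHost."
}
else {
    $newValue = ($allowed + $PamHost.ToUpperInvariant()) -join ','
    Set-ADUser -Identity $AccountSam -Replace @{ userWorkstations = $newValue }
    Write-Host "Added $PamHost. New list: $newValue"
}
```

    One caveat when applying this to the error in the original post: a userWorkstations restriction is enforced during credential validation, so the symptom is normally a logon failure (event ID 4625 with sub-status 0xC0000070, "user not allowed to log on at this computer") after the RDP session has been negotiated, whereas the stack trace above shows the TCP stream ending before any data was read. Checking this attribute is still worthwhile, but it does not by itself explain a connection that is closed at the transport level.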



  • 10.  Re: CA PAM Windows Endpoint Config
    Best Answer

    Posted Oct 27, 2017 03:17 AM

    It suddenly started working last night. Not sure how it started working. I was checking on the same and suddenly it stopped.

    I then deleted the device and created it again fresh today, and it is working now.

    Thinking about what might have happened, there are two things:

    1) There might be a port issue, as we are using a custom port for the RDP connection. Although I had corrected it earlier as well, it was not working.

    2) There might be some issue with the Windows Proxy, which eventually causes some issue with the port internally. I am trying to reproduce the issue again.

    I read about the Windows proxy in the documentation but am not getting it clearly. Can anyone help me if there are any knowledge base articles on it, in which we can find why, how, and when we have to use the Windows proxy?

     

    Thanks all for your help. 

     

    Cheers,

    Nikunj
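
    Because the accepted answer suspects a mismatch between the custom RDP port and what the endpoint actually listens on, here is an added example (not from the thread or the PAM product) that reads the listener configuration on the Windows endpoint and confirms that something is bound to that port and that an inbound firewall rule allows it. It runs on the target server itself with local administrator rights; the `$ProbeFrom` host name at the end is a placeholder for any machine on the same network segment as the PAM appliance, since the appliance is not a Windows box you can run this on.

```powershell
# Added example (not from the thread): verify that the Windows endpoint's RDP
# listener matches the port configured on the PAM device and is reachable.
# Assumptions: run as local administrator on the target server; $ProbeFrom
# is a placeholder name for a Windows host near the PAM appliance.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

$denied   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$port     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$nla      = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$secLayer = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer).SecurityLayer

Write-Host ("RDP enabled (fDenyTSConnections=0): {0}" -f ($denied -eq 0))
Write-Host ("Configured listener port          : {0}" -f $port)
Write-Host ("NLA required                      : {0}" -f ($nla -eq 1))
Write-Host ("SecurityLayer (0=RDP,1=Negotiate,2=TLS): {0}" -f $secLayer)

# 1. Is the Remote Desktop service actually listening on that port?
$listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $proc = (Get-Process -Id $listen[0].OwningProcess).ProcessName
    Write-Host "Port $port is in LISTEN state (process: $proc)."
} else {
    Write-Warning "Nothing is listening on TCP $port; the PortNumber change may need a TermService restart."
}

# 2. Is there an enabled inbound Allow rule for that port?
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($rules) {
    Write-Host "Inbound firewall rule(s) allowing TCP ${port}: $($rules.DisplayName -join '; ')"
} else {
    Write-Warning "No enabled inbound Allow rule for TCP $port; the built-in rules only cover 3389."
}

# 3. From another host on the PAM side of the network (placeholder name), confirm
#    the TCP handshake completes. An immediate close after connect, as in the
#    EOFException in the original post, would show up here as TcpTestSucceeded=False.
$ProbeFrom = 'PAM-SIDE-HOST'   # assumed placeholder, not a real name
Write-Host "From ${ProbeFrom}, run: Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $port"
```

    The three checks map onto the thread's own hypotheses: a custom PortNumber that was changed in the registry but not yet picked up by the listener, and a firewall that still only allows 3389, both produce exactly the "connected then got nothing back" failure that an EOFException on the first read describes. If all three pass from a host next to the appliance and PAM still fails, the problem is on the PAM side of the connection (device port setting or the appliance's own path to the endpoint), which is consistent with the re-created device fixing it.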



  • 11.  Re: CA PAM Windows Endpoint Config

    Broadcom Employee
    Posted Oct 27, 2017 08:58 AM

    Hello, the Windows Proxy is used for password management. It is not involved in auto-logon with access methods. For that, we just retrieve the account credentials from the PAM store. The error indicates that we simply could not establish an RDP connection to the target device through PAM. It doesn't look like we got to the point where the credentials would have played a role.