Symantec Privileged Access Management

  • 1.  Error with Proxy local accounts when try connect to RDP session from PAM

    Posted Jan 30, 2018 11:12 AM

    Hi friends

     

    I am working with PAM 3.0.2 and I have created some target applications with PROXY AGENT.

    When I create the target accounts, they validate against the vault and the endpoints and they are validated correctly, but when the user tries to do an RDP with the local account, it generates the error in the attached image.

    To clarify, for the Proxy - Windows domain accounts the RDP sessions work perfectly.

    Any ideas?



  • 2.  Re: Error with Proxy local accounts when try connect to RDP session from PAM

    Posted Jan 30, 2018 04:34 PM

    Are you able to login to the server directly with the local account over RDP?



  • 3.  Re: Error with Proxy local accounts when try connect to RDP session from PAM

    Posted Feb 02, 2018 05:34 PM

    Hi Trevor

     

    Yes, the account has similar rights to the local administrator account and worked fully from an RDP session of Windows 10

     

    Thanks 



  • 4.  Re: Error with Proxy local accounts when try connect to RDP session from PAM
    Best Answer

    Broadcom Employee
    Posted Jan 31, 2018 02:19 PM

    Hi Julian, did you make progress with this? As Trevor's reply suggests, this would be expected if the local account was not a member of the Remote Desktop Users user group.



  • 5.  Re: Error with Proxy local accounts when try connect to RDP session from PAM

    Posted Feb 02, 2018 05:29 PM

    Hi Ralf

     

    CA Support and I are working on this case and we are evaluating some options: the proxy version installed, the PAM system log and the different Windows logs that the Event Viewer manages, but nothing tells us what the error could be.

    Note: The proxy works perfectly with the configuration "Proxy domain account" and only with the local administrator account; the other local accounts do not work despite having the same permissions as the administrator.

    The CA PAM Client log displays the following information when the RDP session fails:

     

    2018-02-02 16:48:25 INFO - syserr.write(?:?) [PAM Access Agent-3]
    2018-02-02 16:48:30 ERROR - Can't read fully buffer : 8 for: Thread[PAM Access Agent-3,5,main] used: TcpHandler ( com.ca.xsuite.app.rdp3.client.handler.ClientTLSStreamHandler@5f13bbce,socket = Socket[addr=/127.0.0.200,port=43629,localport=41540] state: isInputShutdown: true isOutputShutdown: true written: 0 ) com.ca.xsuite.app.rdp3.core.exception.TlsAlertException: Internal TLS error, this could be an attack com.ca.xsuite.app.rdp3.client.handler.ClientTLSStreamHandler.error(?:?) [PAM Access Agent-3]
    2018-02-02 16:48:30 ERROR - Application Error raised during connection process or inside main loop. The logon attempt failed.
    The credentials that were used to connect to server did not work. com.ca.xsuite.app.rdp3.client.app.RDesktop.error(?:?) [PAM Access Agent-3]

     

    At the endpoint, the Event Viewer traces the error in the picture.

    Any idea about this problem?



  • 6.  Re: Error with Proxy local accounts when try connect to RDP session from PAM

    Broadcom Employee
    Posted Feb 02, 2018 05:52 PM

    Hi, the denied login shows that a domain account was used with domain name ACUEDUCTO.RED. My guess is that the Windows proxy target application has this domain configured. It shouldn't if it's meant to manage local accounts.



  • 7.  Re: Error with Proxy local accounts when try connect to RDP session from PAM

    Posted Feb 06, 2018 11:40 AM

    Hi Ralf

     

    Thanks, your answer is correct; the local account had the domain checkbox marked and this was the error. Just unchecking it was enough, and it works perfectly.

    There is an additional procedure for accounts managed with a local proxy account to perform self-discovery of accounts. Currently it does not generate an error but does not discover any accounts.

     

    Thanks
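
The check behind reply 6, as an added example that is not part of the original thread or of CA PAM: a PowerShell script, run in an elevated session on the Windows endpoint, that lists failed logons for one account and shows which domain each attempt carried. It assumes the denied login is recorded as Security event 4625; `$AccountName` and its default value are placeholders.

```powershell
# Added example (not from the thread): show the domain that failed logons
# for a given account were presented with, to tell "local account sent as a
# domain account" apart from a genuine permissions problem.
param(
    [string]$AccountName = 'pam-local-account',  # placeholder account name
    [int]$Hours = 24                             # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625                             # assumed: failed logon event
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Values that mean "authenticate against the local SAM of this machine".
$localForms = @($env:COMPUTERNAME, '.', 'localhost')

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData><Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = [string]$d.'#text'
        }

        # Skip events for other accounts.
        if ($data['TargetUserName'] -ne $AccountName) { return }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
            # False means the attempt named a domain, not this machine.
            LocalForm = ($data['TargetDomainName'] -in $localForms)
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A local account whose attempts show `LocalForm = False`, with the `Domain` column carrying a directory domain as in reply 6, points at the domain setting on the PAM target account rather than at rights on the endpoint.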