RDP access with PAM 3.2

Hi. I am configuring PAM 3.2 for UNIX


  • This is in reference to RDP Direct sessions, not RDP Relay sessions.
  • I was able to create a rule to allow non-AD users access to RDP sessions for local accounts. However, it appears I cannot enable the video record feature for such sessions. In order for the video feature to work, you must select an account domain, which implies AD. How do I enable video recording for local accounts not in the AD domain with RDP Direct Sessions?
  • Please try the following (replace with proper agentName, computerName, etc.):

    1. In the Credential Vault, create a new Account Domain:
    Name: server1.mydomain.com\tharris9
    <agent name used in the hosts console>/<computer name according to Windows>
    Type: LDAP
    Leave the rest blank.

    2. Add the local Administrator account to this new Account Domain as a credential:
    Account: Administrator
    User DN: Administrator

    3. Create the cmdctrl rule to authorize access:
    Account Domain: <agentName>\<computerName>
    Credentials: <agentName>\<computerName>\Administrator
    Run User: I think this gets autofilled; otherwise the same as “Credentials” above
    Run Host: <agentName> (agentName should be the full dns address of the server that is used in the hosts console)
    The above should permit access to the local admin account via direct-rdp (add Windows Direct Session as a Rule condition, of course).
  • Thanks. I've tried this but the RDP session is disconnected after authorization with PAM fails. Just to make sure I am following your directions correctly, I have taken screenshots of all the relevant screens:
    1. System info according to Windows 2008R2 (so we know what Windows thinks the system name is):
    2. PAM host info:
    3. Credential vault entry:
    4. User Group entry:
    5. Host Group entry:
    6. Command Control rule:

    Am I missing something?
  • Try creating an Account Domain in PAM with the name of "V3TSW00421" (the computer name).
    Add the local administrator account and password as a credential in this Account Domain.
    The details like LDAP URL, Base DN, Scope, User DN are only needed if LDAP has to be contacted, so leave this part empty.

    This Account Domain can then be used as part of the Command Control rule configuration for rdp relay, credential provider, direct-rdp, etc.
  • I have tested this scenario and using the ServerName as the Account Domain Name for a blank AD LDAP Account Domain should work. I have written up the details in the following TID:
  • Thanks. Got called off to do something else so had to leave PAM but am back, reacquainting myself with it. You have the following as the second step in the documentation:

    1. Add the various local privileged accounts, as needed, to the Account Domain created in Step 1:

      • Add the Administrator credentials.
      • For a SubmitUser credential (Note: This credential can be used to capture sessions of any local accounts with Direct RDP).

        • Select Add in the Account Domain's Credentials.
        • Enter SubmitUser as the Account.
        • Leave the rest of the fields blank.
        • Select Add Credential.

      I created both an Administrator and SubmitUser credential in the Enterprise Credential Vault (without passwords). I then created a command-rule using the Administrator credential:

      and the SubmitUser credential:

      The command-rule using SubmitUser works. However, for the command-rule using Administrator, the RDP session terminates with:
      Your Remote Desktop Services session has ended.

      Your network administrator might have ended the connection. Try connecting again, or contact technical support for assistance.

      Any idea why the Administrator command-rule is failing?
  • Since the two rules have identical Rule Conditions, I would recommend disabling the 'Submit User' rule to test the first Administrator rule.

    Also, please add a password to the 'Administrator' credential.

    Then, check the unifid.log found in /opt/netiq/npum/logs/ for perhaps more details, looking for 'cmdctrl request'.
  • Thanks. I only have one rule enabled now to test the Administrator account:

    I added a password to the v3tsw00421\Administrator account and renamed v3tsw00421\Administrator to v3tsw00421\ADMINISTRATOR.

    According to unifid.log:
    Tue Apr 17 11:16:48 2018, 39, 1227773696, 13775, Info, cmdctrl request denied for '<rdpDirect> V3TSW00421\ADMINISTRATOR@v3tsw00421' from ADMINISTRATOR@v3tsw00421
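  A small parser for the 'cmdctrl request denied' lines quoted above, as an added example that is not part of the thread or of the PAM product. It assumes the field layout visible in the single quoted line (timestamp, three numeric fields whose meaning the thread does not explain, a level, then the message) and uses constructed sample lines in that shape; it pulls out the session type, account domain, account, run host and submitting user so that a mismatch (for example Administrator versus ADMINISTRATOR, or the wrong run host) is visible at a glance instead of buried in the log.

```python
"""Parse 'cmdctrl request denied' lines from a NetIQ PAM unifid.log.

Added example; the line layout is inferred from the one log line quoted in the
thread and the sample below is constructed, not a real log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the line quoted in the thread. The three
# numeric fields after the timestamp are not documented on the page, so they
# are treated as opaque.
SAMPLE_LOG = """\
Tue Apr 17 11:16:48 2018, 39, 1227773696, 13775, Info, cmdctrl request denied for '<rdpDirect> V3TSW00421\\ADMINISTRATOR@v3tsw00421' from ADMINISTRATOR@v3tsw00421
Tue Apr 17 11:17:02 2018, 39, 1227773696, 13775, Info, some unrelated message
Tue Apr 17 11:18:10 2018, 39, 1227773696, 13775, Info, cmdctrl request denied for '<rdpDirect> V3TSW00421\\Administrator@v3tsw00421' from jdoe@v3tsw00421
"""

# Outer record: "<timestamp>, <n>, <n>, <n>, <level>, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}), "
    r"(?P<f1>\d+), (?P<f2>\d+), (?P<f3>\d+), "
    r"(?P<level>\w+), (?P<msg>.*)$"
)

# Message: "cmdctrl request denied for '<session> DOMAIN\ACCOUNT@runhost' from USER@host"
DENIED_RE = re.compile(
    r"cmdctrl request denied for '<(?P<session>[^>]+)> "
    r"(?P<domain>[^\\']+)\\(?P<account>[^@']+)@(?P<run_host>[^']+)' "
    r"from (?P<submit_user>[^@]+)@(?P<submit_host>\S+)"
)


@dataclass(frozen=True)
class Denial:
    timestamp: str
    level: str
    session: str       # e.g. rdpDirect
    domain: str        # Account Domain name as PAM resolved it
    account: str       # credential requested in that domain
    run_host: str      # host the session was requested on
    submit_user: str   # user who authenticated to Windows
    submit_host: str


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a 'cmdctrl request denied' line, else None."""
    outer = LINE_RE.match(line.rstrip("\n"))
    if not outer:
        return None
    inner = DENIED_RE.match(outer.group("msg"))
    if not inner:
        return None
    return Denial(
        timestamp=outer.group("ts"),
        level=outer.group("level"),
        session=inner.group("session"),
        domain=inner.group("domain"),
        account=inner.group("account"),
        run_host=inner.group("run_host"),
        submit_user=inner.group("submit_user"),
        submit_host=inner.group("submit_host"),
    )


def find_denials(text: str) -> List[Denial]:
    """All denials in a block of log text, in file order."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(denials: List[Denial]) -> Dict[str, int]:
    """Count denials per requested credential, ignoring case so that the
    ADMINISTRATOR / Administrator rename in the thread lands in one bucket."""
    return dict(Counter(f"{d.domain}\\{d.account}@{d.run_host}".upper() for d in denials))


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(f"{d.timestamp}: {d.submit_user}@{d.submit_host} denied "
              f"{d.session} as {d.domain}\\{d.account} on {d.run_host}")
    print(summarize(find_denials(SAMPLE_LOG)))
```

Run it against the real file with `python3 parse_unifid.py < /dev/null` after replacing SAMPLE_LOG with `open('/opt/netiq/npum/logs/unifid.log').read()`; the summary makes it obvious whether the denied credential string matches the Account Domain, account and run host you configured in the rule.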
  • The typical use case for 'Windows Direct Session' (Direct-RDP) is to allow access with the Submit User credentials.
    In other words, if the user has access directly in Windows/AD, then allow the session and begin auditing.

    To configure this:
    1. Add a 'SubmitUser' credential to the v3tsw00421 Windows Account Domain. Note: there is no space in the username. Also, in an upcoming release we are eliminating this pre-requisite step.
    2. Change the cmdctrl rule to use this new 'SubmitUser' credential (i.e. v3tsw00421\SubmitUser) for Credential and Run User
    3. Then try to access via direct-rdp with a user that is in the Domain Administrator group (as per the configured Rule Conditions)

    Your previous rule would work well for RDP-Relay with a couple details changed:
    1. Change Rule Conditions from 'Windows Direct Session' to 'RDP Session'
    2. Configure the 'Run Hosts' to a specific server (agent name) or a host group that lists them.
    Note: This rule would grant privileged access to the Administrator account for users through the MyAccess Console via RDP-Relay.