RDP access with PAM 3.2

Hi. I am configuring PAM 3.2 for UNIX


  • tdharris;2479532 wrote:
    The typical use case for 'Windows Direct Session' (Direct-RDP), is to allow with the Submit User credentials.
    In other words, if the user has access directly in Windows/AD, then allow the session and begin auditing.

    To configure this:
    1. Add a 'SubmitUser' credential to the v3tsw00421 Windows Account Domain. Note: there is no space in the username. Also, in an upcoming release we are eliminating this prerequisite step.
    2. Change the cmdctrl rule to use this new 'SubmitUser' credential (i.e. v3tsw00421\SubmitUser) for Credential and Run User
    3. Then try to access via direct-rdp with a user that is in the Domain Administrator group (as per the configured Rule Conditions)

    Your previous rule would work well for RDP-Relay with a couple details changed:
    1. Change Rule Conditions from 'Windows Direct Session' to 'RDP Session'
    2. Configure the 'Run Hosts' to a specific server (agent name) or a host group that lists them.
    Note: This rule would grant privileged access to the Administrator account for users through the MyAccess Console via RDP-Relay.

    I followed your instructions at https://www.novell.com/support/kb/doc.php?id=7021908. At the moment, I am focused on Direct-RDP. In your documentation were instructions to add Administrator and SubmitUser credentials. What is the purpose of the Administrator credential? Why do we need to add the local Administrator password to the user credential? I want to authenticate and record the following types of sessions:
    1. User logs in with their domain account.
    2. User logs in with the domain administrator account.
    3. User logs in with the local server administrator account.

    Achieving #1 is done with the following rule:

    Achieving #2 is done with the following rule:

    Achieving #3 is done with the following rule:

    As #3 can be achieved with the SubmitUser credential, what does adding the Administrator credential provide? Note that #3 was done without an Administrator credential.
  • If your users know the local administrator account credentials, then I suppose there is no reason. So none of these 3 rules are working in your environment? As this thread has gone on a while, I recommend opening a service request through the Customer Center to troubleshoot the possible ways to configure Direct RDP use cases.