PAM AppSSO not entering credentials in Application

Hi Everyone,

I have configured AppSSO in PAM to access WinSCP as a RemoteApp, but when trying to access the RemoteApp via the /pam (/myaccess) page, the RDP connection opened automatically and the WinSCP app also within it, but I don't know why credentials are not entered automatically by PAM.

While I have configured the Account Domain for AppSSO in the credential vault, created the rule, followed the documentation and performed all the prerequisites, is there any special configuration required for credentials to be entered by PAM automatically?

Screenshot of the AppSSO Credential Vault is below:

https://pasteboard.co/HABW0Yd.png
https://pasteboard.co/HABYuWh.png

I just have only one RemoteApp server.

Please help.. I am stuck at this point and want to test this awesome feature of PAM.

Thanks
  • So you are saying that RemoteApp published apps are launching correctly from PAM User Console, but the credential fill feature is not happening, correct?

    Can you provide screenshots of how you have these cmdctrl rules configured? Also please provide a screenshot of how you have them positioned in the hierarchy of cmdctrl as well.
    The configuration for this from the PAM CmdCtrl perspective is the following: https://www.netiq.com/documentation/...l#t46m8uzps329
    Note: If you can avoid nested rules with these, please do, otherwise, make special note of "If you are creating nested rules, ensure that you set the Application SSO to Yes in each and every rule in the nested hierarchy." (TID 7023299)

    Are there Firewall(s) to be considered here (either network or Windows Firewall) ?
  • Hi tdharris,

    Thanks for the reply, appreciated.
    Yes, the credential fill feature is not happening...

    Note: we are not using any kind of firewall (either network or Windows Firewall) in this setup.

    screenshot of AppSSO rule is below:
    https://pasteboard.co/HCqRSfu.png

    screenshot of hierarchy of cmdctrl:
    https://pasteboard.co/HCqXx9j.png

    I am not using nested rules.

    Regards,
  • If the rdp session launches, then cmdctrl likely has authorized the session (can be verified by looking for 'cmdctrl request' statement in manager's unifid.log).

    1) Can you provide a screenshot of the Rule Conditions for "WinSCP-remote" (i.e. not the Edit Rule view) ?
    Should be "Command IN Application SSO" where that resolves to the Command being "<appsso>*"

    2) Please verify in the Enterprise Credential Vault > Application SSO, that "WinSCP-remote" is used as both the Application Alias and Application Name. Please make sure these match exactly.

    3) Disable any/all other rules in hierarchy except this one just for troubleshooting purposes.

    4) CmdCtrl rule details:
    - Session Capture: On, Video Capture: On, Authorize: Yes, Application SSO: Yes, "Stop if authorized"
    - Make sure "Run Host" remains set to "All Hosts" for now
    - Then try setting "Secondary Authentication" to "No"

    5) Otherwise, perhaps DEBUG unifid.log from Manager and Agent may point to some issue when launching the session.