RDP session closed unexpectedly

Hi everyone.

In a version of PAM 3.6 an RDP session is opened in which it closes unexpectedly when entering the session or does not load the session and only tries to connect it.

When trying to enter the server outside the PAM, you also log out after a few seconds, which after several entries allows you to stop the PAM service.

After reviewing the agent log the following is detected:

Wed Jan 22 12:02:23 2020, Info, Audited Video file = '347047ef-822d-6c46-af20-136588346240_0000000003.webm'
Wed Jan 22 12:02:24 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\347047ef-822d-6c46-af20-136588346240_0000000003.webm' send to audit manager.
Wed Jan 22 12:02:24 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\347047ef-822d-6c46-af20-136588346240_0000000003.webm'
Wed Jan 22 12:03:43 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (0ms)
Wed Jan 22 12:03:43 2020, Info, regclnt getSessionCache client:sqrobspeicep rc:0 status:0 (0ms)
Wed Jan 22 12:03:43 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (31ms)
Wed Jan 22 12:04:01 2020, Error, Invalid authentication token signature
Wed Jan 22 12:04:01 2020, Info, regclnt setSessionCache client:sqrobspeicep rc:0 status:0 (31ms)
Wed Jan 22 12:04:01 2020, Info, Monitor audit session for: S-1-5-21-3817306811-296713049-1526355255-206500(b07f63cb-1171-4d66-81f4-5a1533af3ed0)
Wed Jan 22 12:04:01 2020, Info, rexec auditSession client:sqropamprod rc:0 status:0 (219ms)
Wed Jan 22 12:04:01 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (15ms)
Wed Jan 22 12:04:01 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Wed Jan 22 12:04:21 2020, Info, Session match found for S-1-5-21-3817306811-296713049-1526355255-206500(b07f63cb-1171-4d66-81f4-5a1533af3ed0)
Wed Jan 22 12:04:21 2020, Info, Creating named pipe (\\.\pipe\spf-6giefvpz) for SCRNCAPT process communications channel
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\bin\scrncapt.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe process for session = 3
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe process for session = 3
Wed Jan 22 12:05:05 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe) - Try count = 1
Wed Jan 22 12:05:05 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe process for session = 3
Wed Jan 22 12:05:05 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe) - Try count = 1
Wed Jan 22 12:05:05 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe process for session = 3
Wed Jan 22 12:05:08 2020, Info, Creating named pipe (\\.\pipe\spf-fiecyf02) for SCRNCAPT process communications channel
Wed Jan 22 12:05:08 2020, Info, Creating process (C:\Program Files\NetIQ\npum\bin\scrncapt.exe) - Try count = 1
Wed Jan 22 12:05:08 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:05:14 2020, Info, regclnt modSessionCache client:sqrobspeicep rc:0 status:0 (46ms)
Wed Jan 22 12:05:14 2020, Error, state: 6 :: Failed to write STOP commanddetails to pipe for file = b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm
Wed Jan 22 12:05:14 2020, Error, rd_session_change line: 2796 rv=720232:The pipe is being closed.
Wed Jan 22 12:05:14 2020, Info, Audited Video file = 'b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm'
Wed Jan 22 12:05:14 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm' send to audit manager.
Wed Jan 22 12:05:14 2020, Info, Audited Video file = 'b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm'
Wed Jan 22 12:05:14 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm'
Wed Jan 22 12:05:15 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm' send to audit manager.
Wed Jan 22 12:05:15 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm'
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Wed Jan 22 12:05:15 2020, Info, regclnt modSessionCache client:sqrobspeicep rc:0 status:0 (47ms)
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (47ms)
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Thu Jan 23 06:37:33 2020, Info, Checking service registration for sqrobspeicep (Novell Privileged User Manager)
Thu Jan 23 06:37:33 2020, Info, valid from Wed Jan 22 00:39:27 2020 to Fri Jan 24 01:26:27 2020 (registry offset 40 seconds)
Thu Jan 23 06:37:33 2020, Info, Rechecking service registration in 9 hours
Thu Jan 23 16:01:40 2020, Info, Checking service registration for sqrobspeicep (Novell Privileged User Manager)
Thu Jan 23 16:01:40 2020, Info, valid from Wed Jan 22 00:39:27 2020 to Fri Jan 24 01:26:27 2020 (registry offset 41 seconds)
Thu Jan 23 16:01:40 2020, Info, Registration successful for sqrobspeicep (Novell Privileged User Manager) to registry sqropamprod
Thu Jan 23 16:01:40 2020, Info, valid from Thu Jan 23 16:02:22 2020 to Sat Jan 25 16:18:33 2020
Thu Jan 23 16:01:40 2020, Info, PAM service is already in non-FIPS mode.
Thu Jan 23 16:01:40 2020, Info, Rechecking service registration in 23 hours
Fri Jan 24 10:51:02 2020, Info, distrib listUpdates client:sqropamprod user:admin@sqropamprod(10.160.9.201) rc:0 status:0 (109ms)

Is there anything that can be done so you don't close the sessions?

and

Why are you having problems with that video to remove it and send it?

I hope you can support me as it is a problem that already occurred in 3 agents.

 

Thanks and greetings to all.