
PAM issue when enabling Advanced Authentication with App SSO

Hello 

I have an issue with Advanced Authentication and App SSO.

The problem is this: when I enable Advanced Authentication there is no problem with the token and I sign in normally, but if I try to access any App SSO it runs, and when it is time to enter the credential it fails and gives me the error "401: you are not authorized to perform this operation".

If I disable Advanced Authentication, then I sign in with the same user, access an App SSO, and it works normally without any issue.

I thought that I had to add the certificate of MFA on the server of the SSO web app, as I did with the certificate of PAM before, but nothing changed.

Has anyone faced the same problem, or does anyone have any hint to solve it?

Thank you

  • 0  
    What does "sign in normally" mean? Are you "signing in" via direct RDP to the server? Or are you logging into the PAM My Access User Console? And you are mentioning here that there is a 2FA method prompt from AA that works fine and you log in afterwards?

    Can you provide a screenshot of the error?

    What AppSSO Access Method are you using? E.g. https://www.netiq.com/documentation/privileged-account-manager-40/npam_install/data/t46s0dgpvk2x.html

  • 0
    I may have had a similar problem. When you use MF, the user repository is added before the login name. For example, user "test", repository in MF "idm": the username after passing the second factor will be idm\test. The SSO application might not let such a user through.
  • 0   in reply to 

    While this is true for Direct Access Mode in PAM AppSSO (e.g. 'idm\test' would not be able to log in directly to the Windows AppSSO server and be authorized by Windows, because 'idm\test' does not exist in the domain), it is not true for AppSSO Remote App Mode, so this use case is supported there. In Remote App Mode, the user logs into the PAM My Access Console as e.g. 'idm\test' and is authorized appropriately there, with 2FA if necessary. When an AppSSO RemoteApp session is launched, the RDP session that gets launched runs as the AppSSO Proxy User (which can be authorized by the Windows session), the application is launched, and the SSO occurs appropriately.
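The two replies above describe the same mechanism from two sides: after the second factor the principal carries the MFA repository as a prefix ('idm\test'), and whether that principal can be authorized depends on which account the AppSSO mode hands to Windows. The following is an added example, not code from the thread, from NetIQ, or from PAM itself: a small Python model of that behaviour. The Windows domain name 'CORP', the proxy account name 'appsso-proxy', the set of domain accounts, and the mapping of "not authorized" to HTTP 401 (taken from the error quoted in the question) are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample environment (assumptions, not values from the thread).
MFA_REPOSITORY = "idm"                 # repository name prefixed by the MFA step
WINDOWS_DOMAIN = "CORP"                # hypothetical Windows domain of the AppSSO server
DOMAIN_ACCOUNTS = {"CORP\\test", "CORP\\appsso-proxy"}  # constructed account list
PROXY_USER = "CORP\\appsso-proxy"      # hypothetical AppSSO proxy user


def split_principal(principal: str) -> Tuple[Optional[str], str]:
    """Split 'prefix\\user' into (prefix, user); prefix is None when absent."""
    if "\\" in principal:
        prefix, user = principal.split("\\", 1)
        return prefix, user
    return None, principal


def windows_account_for(principal: str) -> str:
    """Name Windows would look up: an unprefixed user is taken as a domain user,
    a prefixed one is passed through untouched (the prefix is NOT translated)."""
    prefix, user = split_principal(principal)
    if prefix is None:
        return f"{WINDOWS_DOMAIN}\\{user}"
    return principal


def windows_authorizes(account: str) -> bool:
    """Stand-in for the domain lookup: only known accounts are authorized."""
    return account in DOMAIN_ACCOUNTS


@dataclass
class Outcome:
    mode: str
    account_presented: str   # the account Windows actually evaluated
    authorized: bool
    http_status: int         # 200 on success, 401 on the failure from the question
    reason: str


def launch_appsso(principal: str, mode: str) -> Outcome:
    """Model the two AppSSO access modes for a principal returned after login."""
    if mode == "direct":
        # Direct Access Mode: the logged-in principal itself is authorized by Windows.
        account = windows_account_for(principal)
        ok = windows_authorizes(account)
        prefix, _ = split_principal(principal)
        if ok:
            reason = "account is known to the domain"
        elif prefix == MFA_REPOSITORY:
            reason = (f"'{principal}' is not a domain account: '{prefix}' is the MFA "
                      f"repository, not the Windows domain")
        else:
            reason = f"'{account}' is not a domain account"
        return Outcome(mode, account, ok, 200 if ok else 401, reason)

    if mode == "remoteapp":
        # Remote App Mode: the RDP session runs as the proxy user, so the
        # repository-prefixed principal is never presented to Windows.
        ok = windows_authorizes(PROXY_USER)
        reason = ("RDP session runs as the AppSSO proxy user" if ok
                  else "proxy user is not authorized in the domain")
        return Outcome(mode, PROXY_USER, ok, 200 if ok else 401, reason)

    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for principal, mode in [("test", "direct"), ("idm\\test", "direct"),
                            ("idm\\test", "remoteapp")]:
        o = launch_appsso(principal, mode)
        print(f"{mode:9} {principal:10} -> {o.http_status} ({o.reason})")
```

Running it reproduces the symptom from the question: the plain user succeeds in Direct Access Mode, the MFA-prefixed 'idm\test' gets 401 in Direct Access Mode because the prefix is passed to Windows untranslated, and the same principal succeeds in Remote App Mode because only the proxy user is ever presented to Windows. When troubleshooting, the first thing to check is therefore which account name actually reached the AppSSO server, not the certificates.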