pappa_recd

Lieutenant Commander
2017-12-01
15:09
2182 views
PAM RDP Error
I have the below setup
Framework Manager - Windows 2012 R2 attached to the domain netiq.com
3 servers where NPUM agent is installed
a) Standalone server -Windows 2012 R2 installed
b) Server with AD installed - windows 2012 R2 domain .netiq.com
c) Server tied to domain .netiq.com - Windows 2012 R2
Attaching the Enterprise Credential Vault Domains and the Rule screenshot. Whenever I try to access the remote desktop I am being asked to save a single file for all the connections available. It's asking to save the file in the form of .rdp, and when the .rdp file is being opened I am getting different errors.
Also the video file is displaying "no video files to playback"
9 Replies
pappa_recd

Lieutenant Commander
2017-12-01
15:11
tdharris

Micro Focus Expert
2017-12-04
17:35
Let's verify the scenario here. So it appears you have two connection approaches here you are attempting to work out:
1) Direct-RDP, where Administrator connects directly with mstsc client (session isn't being audited / recorded)
2) RDP-Relay, where an AD user connects to MyAccess page to start rdp session as a Local Administrator Account on a Non-Domain Windows Server (session unable to start)
Here are a few recommendations:
1) My initial suspicion is the Account Domain Name as "WinLocalAccount".
Is the Account Domain Name in the Enterprise Credential Vault, "WinLocalAccount", the actual NETBIOS Name / Windows Server Name in the Windows environment (i.e. NETBIOSNAME\Administrator) ?
For more details regarding Local Windows accounts, please see the following TID: https://www.novell.com/support/kb/doc.php?id=7021908
To me, this appears to be a convenience-type name, which is likely not the actual Windows Server Name in this instance.
2) Another possibility is to change "Submit User" Credential in the PAMAD LDAP Account Domain to "SubmitUser" instead (no space).
This is according to https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/t41wusurtnvg.html.
I am pretty sure it must be "SubmitUser" though for SubmitUser direct-rdp type rule to work right.
3) If you are looking to allow direct rdp connections, then changing "AD Domain Rule" to the following should help:
Account Domain: PAMAD
Credentials: PAMAD\SubmitUser
Run User: PAMAD\SubmitUser
Run Host: PAMAD
pappa_recd1

Absent Member.
2017-12-05
07:13
Thanks for your reply. I have updated the Enterprise Account Domain and Rules as suggested, but whenever I try to access the Direct RDP and RDP Relay a .rdp file with the name pamwindows.rdp gets downloaded (irrespective of the connections). Attaching the updated screenshots of the Rule and Account Domain.
tdharris

Micro Focus Expert
2017-12-14
16:26
If I remember correctly, this has been resolved, correct? If so, when available, would you please update this thread with the details of the solution? Thank you very much!
pappa_recd1

Absent Member.
2017-12-31
10:59
The issue has been resolved after changing the hostname of the host for the PAM manager to point to the IP address...
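The fix reported above was pointing the PAM manager host at an IP address instead of a hostname, so the client never has to resolve a name the download carries. As an added example (not from this thread or the product), the Python below parses a downloaded .rdp file and reports, per host field, whether it is an IP literal, resolves, or fails to resolve; the sample file content, the key set and the pam-manager.netiq.com name are constructed assumptions.

```python
import ipaddress
import socket

# Constructed sample in the key:type:value shape mstsc reads from a .rdp file.
# Whether PAM's pamwindows.rdp carries exactly these keys is an assumption.
SAMPLE_RDP = """\
full address:s:pam-manager.netiq.com:3389
gatewayhostname:s:pam-manager.netiq.com
username:s:PAMAD\\SubmitUser
"""

HOST_KEYS = ("full address", "alternate full address", "gatewayhostname")

def parse_rdp(text):
    """Parse .rdp lines into {key: (type, value)}; types are s, i or b."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # values such as host:3389 contain colons
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        settings[parts[0]] = (parts[1], parts[2])
    return settings

def host_part(value):
    """Return the host from host, host:port, IPv6 literal or [IPv6]:port."""
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    host, _, port = value.rpartition(":")
    return host if value.count(":") == 1 and port.isdigit() else value

def check_hosts(settings, resolve=socket.gethostbyname):
    """Classify each host key as ip-literal, resolved or unresolved (resolver injectable)."""
    report = {}
    for key in HOST_KEYS:
        if key in settings:
            host = host_part(settings[key][1])
            try:
                ipaddress.ip_address(host)
                report[key] = "ip-literal"
            except ValueError:
                try:
                    resolve(host)
                    report[key] = "resolved"
                except OSError:
                    report[key] = "unresolved"
    return report
```

Run it against the file the browser saved; an "unresolved" entry for "full address" or "gatewayhostname" is the name-resolution condition the thread worked around, while the IP-based fix shows up as "ip-literal".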
frankabhinav

Commodore
2018-01-10
07:43
tdharris

Micro Focus Expert
2018-01-24
21:37
Hey Frank,
The network level authentication (NLA) issue you are referring to I think is very different than the issue discussed in this particular thread. Feel free to open a new thread if needed; however, please take a look at the following document that is related:
https://www.novell.com/support/kb/doc.php?id=7020137
prasenjitmass

Captain
2018-04-13
07:45
Hi,
I've faced the same RDP error where I access through the browser https://pamserver/myaccess, login through an Active Directory user, and the link of the RDP rule shows, i.e. AD\SubmitUser@*
A message came that the .rdp file could not be downloaded.
Please see the rule I've specified:
IF (user IN Windows CMD US AND command IN RDP Session)
Authorize : yes
Secondary Authentication : no
Session Capture : yes
Credential : MASS\Administrator (Tried to put SubmitHost here, as per the above solution, but failed)
Run User = MASS\SubmitHost
Run Hosts= All Hosts
Please provide any solution.
tdharris

Micro Focus Expert
2018-04-16
19:11
This sounds like the error is different than what is in this thread.
Please create a new forum thread and specify the exact error message you are experiencing.
A couple of recommendations to take to the new thread you make:
- Verify 'SubmitUser' empty credential has been added to MASS Account Domain in the Credential Vault.
- Set Credential to MASS\SubmitUser, Run User to MASS\SubmitUser, Run Host to the specific windows host or a host group. As far as I understand, Run Hosts as 'All Hosts' won't work in this case.