Valued Contributor.

PAM RDP Error

I have the below setup

Framework Manager - Windows 2012 R2 attached to the domain netiq.com
3 servers where NPUM agent is installed
a) Standalone server - Windows 2012 R2 installed
b) Server with AD installed - Windows 2012 R2 domain .netiq.com
c) Server tied to domain .netiq.com - Windows 2012 R2


Attaching the Enterprise Credential Vault Domains and the Rule screenshot. Whenever I try to access the remote desktop I am being asked to save a single file for all the connections available. It's asking to save the file in the form of .rdp, and when the .rdp file is opened I am getting different errors.

Also the video file is displaying "no video files to playback"
Valued Contributor.

Attachment Added
Micro Focus Expert

Let's verify the scenario here.. so it appears you have two connection approaches here you are attempting to work out:
1) Direct-RDP, where Administrator connects directly with mstsc client (session isn't being audited / recorded)
2) RDP-Relay, where an AD user connects to MyAccess page to start rdp session as a Local Administrator Account on a Non-Domain Windows Server (session unable to start)

Here are a few recommendations:

1) My initial suspicion is the Account Domain Name as "WinLocalAccount"..
Is the Account Domain Name in the Enterprise Credential Vault, "WinLocalAccount", the actual NETBIOS Name / Windows Server Name in the Windows environment (i.e. NETBIOSNAME\Administrator) ?
For more details regarding Local Windows accounts, please see the following TID: https://www.novell.com/support/kb/doc.php?id=7021908
To me, this appears to be a convenience-type name, which is likely not the actual Windows Server Name in this instance.

2) Another possibility is to change "Submit User" Credential in the PAMAD LDAP Account Domain to "SubmitUser" instead (no space).
This is according to https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/t41wusurtnvg.html.
I am pretty sure it must be "SubmitUser" though for SubmitUser direct-rdp type rule to work right.

3) If you are looking to allow direct rdp connections, then changing "AD Domain Rule" to the following should help:
Account Domain: PAMAD
Credentials: PAMAD\SubmitUser
Run User: PAMAD\SubmitUser
Run Host: PAMAD
Absent Member.

Thanks for your reply. I have updated the Enterprise Account domain and Rules as suggested, but whenever I try to access the Direct RDP and RDP Relay a .rdp file with the name pamwindows.rdp gets downloaded (irrespective of the connections). Attaching the updated screenshots of the Rule and Account Domain.
Micro Focus Expert

If I remember correctly, this has been resolved, correct? If so, when available, would you please update this thread with the details of the solution? Thank you very much!
Absent Member.

The issue has been resolved after changing the hostname of the host for the PAM manager to point to IP address...
Super Contributor.



PFA pdf of the error still coming, even when I have changed the host. I am unable to log in and am still seeing the network level authentication error.

Thanks
Micro Focus Expert

Hey Frank,

The network level authentication (NLA) issue you are referring to I think is very different than the issue discussed in this particular thread. Feel free to open a new thread if needed; however, please take a look at the following document that is related:
https://www.novell.com/support/kb/doc.php?id=7020137
Respected Contributor.

Hi,
I've faced the same RDP error where I access through the browser https://pamserver/myaccess, log in as an Active Directory user, and the link of the RDP rule shows, i.e. AD\SubmitUser@*

A message came that the .rdp file could not be downloaded.

Please see the rule I've specified


IF (user IN Windows CMD US AND command IN RDP Session)
Authorize : yes
Secondary Authentication : no
Session Capture : yes
Credential : MASS\Administrator (Tried to put SubmitHost here, as per above solution, but failed)
Run User = MASS\SubmitHost
Run Hosts= All Hosts

Please provide any solution.
Micro Focus Expert

This sounds like the error is different than what is in this thread.
Please create a new forum thread and specify the exact error message you are experiencing.

A couple recommendations to take to the new thread you make:
- Verify 'SubmitUser' empty credential has been added to MASS Account Domain in the Credential Vault.
- Set Credential to MASS\SubmitUser, Run User to MASS\SubmitUser, Run Host to the specific windows host or a host group. As far as I understand, Run Hosts as 'All Hosts' won't work in this case.