achinayoung_wau Respected Contributor.
RDP access with PAM 3.2

Hi. I am configuring PAM 3.2 for UNIX & Windows. The configuration for the UNIX hosts is complete and I am now working on the Windows hosts. For those of you monitoring RDP sessions via PAM, how do you have things configured? We can successfully monitor RDP sessions when authenticating against AD. However, as we have a default rule to block all access unless authorized, how do we handle local accounts on the server accessed via RDP (i.e. local Administrator)?
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

This is in reference to RDP Direct sessions, not RDP Relay sessions.
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

I was able to create a rule to allow non-AD users access to RDP sessions for local accounts. However, it appears I cannot enable the video record feature for such sessions. In order for the video feature to work, you must select an account domain, which implies AD. How do I enable video recording for local accounts not in the AD domain with RDP Direct Sessions?
Micro Focus Expert

Re: RDP access with PAM 3.2

Please try the following (replace with proper agentName, computerName, etc.):

1. In the Credential Vault, create a new Account Domain:
Name: server1.mydomain.com\tharris9
<agent name used in the hosts console>/<computer name according to Windows>
Type: LDAP
Leave the rest blank.

2. Add the local Administrator account to this new Account Domain as a credential:
Account: Administrator
User DN: Administrator

3. Create the cmdctrl rule to authorize access:
Account Domain: <agentName>\<computerName>
Credentials: <agentName>\<computerName>\Administrator
Run User: I think this gets autofilled; otherwise, the same as “Credentials” above
Run Host: <agentName> (agentName should be the full dns address of the server that is used in the hosts console)
The above should permit access to the local admin account via direct-rdp (add Windows Direct Session as a Rule condition, of course).
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

Thanks. I've tried this but the RDP session is disconnected after authorization with PAM fails. Just to make sure I am following your directions correctly, I have taken screenshots of all the relevant screens:
1. System info according to Windows 2008R2 (so we know what Windows thinks the system name is):
2. PAM host info:
3. Credential vault entry:
4. User Group entry:
5. Host Group entry:
6. Command Control rule:

Am I missing something?
Micro Focus Expert

Re: RDP access with PAM 3.2

Try creating an Account Domain in PAM with the name of "V3TSW00421" (the computer name).
Add the local administrator account and password as a credential in this Account Domain.
The details like LDAP URL, Base DN, Scope, User DN are only needed if LDAP has to be contacted, so leave this part empty.

This Account Domain can then be used as part of the Command Control rule configuration for rdp relay, credential provider, direct-rdp, etc.
Micro Focus Expert

Re: RDP access with PAM 3.2

I have tested this scenario and using the ServerName as the Account Domain Name for a blank AD LDAP Account Domain should work. I have written up the details in the following TID:
https://www.novell.com/support/kb/doc.php?id=7021908
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

Thanks. I got called off to do something else so had to leave PAM, but I am back and reacquainting myself with it. You have the following as the second step in the documentation:

1. Add the various local privileged accounts, as needed, to the Account Domain created in Step 1:
  • Add the Administrator credentials.
  • For a SubmitUser credential (Note: This credential can be used to capture sessions of any local accounts with Direct RDP):
    • Select Add in the Account Domain's Credentials.
    • Enter SubmitUser as the Account.
    • Leave the rest of the fields blank.
    • Select Add Credential.

I created both an Administrator and SubmitUser credential in the Enterprise Credential Vault (without passwords). I then created a command-rule using the Administrator credential:

and the SubmitUser credential:

The command-rule using SubmitUser works. However, for the command-rule using Administrator, the RDP session terminates with:
Your Remote Desktop Services session has ended.

Your network administrator might have ended the connection. Try connecting again, or contact technical support for assistance.

Any idea why the Administrator command-rule is failing?
Micro Focus Expert

Re: RDP access with PAM 3.2

Since the two rules have identical Rule Conditions, I would recommend disabling the 'Submit User' rule to test the first Administrator rule.

Also, please add a password to the 'Administrator' credential.

Then, check the unifid.log found in /opt/netiq/npum/logs/ for perhaps more details, looking for 'cmdctrl request'.
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

Thanks. I only have one rule enabled now to test the Administrator account:


I added a password to the v3tsw00421\Administrator account and renamed v3tsw00421\Administrator to v3tsw00421\ADMINISTRATOR.

According to unifid.log:
Tue Apr 17 11:16:48 2018, 39, 1227773696, 13775, Info, cmdctrl request denied for '<rdpDirect> V3TSW00421\ADMINISTRATOR@v3tsw00421' from ADMINISTRATOR@v3tsw00421
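The expert's advice is to read the 'cmdctrl request' lines in unifid.log. The following helper is an added example, not code from this thread or from PAM itself: it parses those lines using the exact shape of the denied entry quoted above, so each authorization decision (session type, requested credential, target host, submitting user) can be reviewed or counted. The decision words other than 'denied', and the second and third sample lines, are assumptions/constructed for illustration.

```python
"""Pull cmdctrl authorization decisions out of a PAM unifid.log (added example)."""
import re
from collections import Counter
from datetime import datetime

# Line shape seen in the thread: timestamp, three numeric fields, level, message.
_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}), \d+, \d+, \d+, "
    r"(?P<level>\w+), (?P<msg>.*)$"
)
# Message shape from the quoted 'denied' entry; any other decision word is an assumption.
_CMDCTRL = re.compile(
    r"cmdctrl request (?P<decision>\w+) for '<(?P<session>\w+)> "
    r"(?P<target>[^']+)' from (?P<submit>\S+)"
)

# Constructed sample: first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    r"Tue Apr 17 11:16:48 2018, 39, 1227773696, 13775, Info, cmdctrl request denied for "
    r"'<rdpDirect> V3TSW00421\ADMINISTRATOR@v3tsw00421' from ADMINISTRATOR@v3tsw00421",
    r"Tue Apr 17 11:17:03 2018, 39, 1227773696, 13776, Info, some unrelated agent message",
    r"Tue Apr 17 11:18:21 2018, 39, 1227773696, 13777, Info, cmdctrl request denied for "
    r"'<rdpDirect> V3TSW00421\ADMINISTRATOR@v3tsw00421' from ADMINISTRATOR@v3tsw00421",
]


def parse_cmdctrl(lines):
    """Return one dict per cmdctrl decision; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        c = _CMDCTRL.search(m.group("msg")) if m else None
        if not c:
            continue
        # target is '<domain>\<account>@<host>'; split on the last '@'
        credential, _, host = c.group("target").rpartition("@")
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "level": m.group("level"),
            "decision": c.group("decision"),
            "session": c.group("session"),      # e.g. rdpDirect
            "credential": credential,           # e.g. V3TSW00421\ADMINISTRATOR
            "host": host,                       # agent/host the session targets
            "submit_user": c.group("submit"),   # who asked for the session
        })
    return events


def denied_summary(events):
    """Count denials per (session type, submitting user): a rule that never matches shows up here."""
    return Counter((e["session"], e["submit_user"]) for e in events if e["decision"] == "denied")
```

Run it against a real log with `parse_cmdctrl(open('/opt/netiq/npum/logs/unifid.log'))` and inspect `denied_summary` to see which submitting users a Direct RDP rule is rejecting.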
Micro Focus Expert

Re: RDP access with PAM 3.2

The typical use case for 'Windows Direct Session' (Direct-RDP) is to allow with the Submit User credentials.
In other words, if the user has access directly in Windows/AD, then allow the session and begin auditing.

To configure this:
1. Add a 'SubmitUser' credential to the v3tsw00421 Windows Account Domain. Note: there is no space in the username. Also, in an upcoming release we are eliminating this prerequisite step.
2. Change the cmdctrl rule to use this new 'SubmitUser' credential (i.e. v3tsw00421\SubmitUser) for Credential and Run User
3. Then try to access via direct-rdp with a user that is in the Domain Administrator group (as per the configured Rule Conditions)

Your previous rule would work well for RDP-Relay with a couple of details changed:
1. Change Rule Conditions from 'Windows Direct Session' to 'RDP Session'
2. Configure the 'Run Hosts' to a specific server (agent name) or a host group that lists them.
Note: This rule would grant privileged access to the Administrator account for users through the MyAccess Console via RDP-Relay.
achinayoung_wau Respected Contributor.

Re: RDP access with PAM 3.2

tdharris;2479532 wrote:
The typical use case for 'Windows Direct Session' (Direct-RDP) is to allow with the Submit User credentials.
In other words, if the user has access directly in Windows/AD, then allow the session and begin auditing.

To configure this:
1. Add a 'SubmitUser' credential to the v3tsw00421 Windows Account Domain. Note: there is no space in the username. Also, in an upcoming release we are eliminating this prerequisite step.
2. Change the cmdctrl rule to use this new 'SubmitUser' credential (i.e. v3tsw00421\SubmitUser) for Credential and Run User
3. Then try to access via direct-rdp with a user that is in the Domain Administrator group (as per the configured Rule Conditions)

Your previous rule would work well for RDP-Relay with a couple of details changed:
1. Change Rule Conditions from 'Windows Direct Session' to 'RDP Session'
2. Configure the 'Run Hosts' to a specific server (agent name) or a host group that lists them.
Note: This rule would grant privileged access to the Administrator account for users through the MyAccess Console via RDP-Relay.


I followed your instructions at https://www.novell.com/support/kb/doc.php?id=7021908. At the moment, I am focused on Direct-RDP. In your documentation were instructions to add Administrator and SubmitUser credentials. What is the purpose of the Administrator credential? Why do we need to add the local Administrator password to the user credential? I want to authenticate and record the following types of sessions:
1. User logs in with their domain account.
2. User logs in with the domain administrator account.
3. User logs in with the local server administrator account.

Achieving #1 is done with the following rule:


Achieving #2 is done with the following rule:


Achieving #3 is done with the following rule:


As #3 can be achieved with the SubmitUser credential, what does adding the Administrator credential provide? Note that #3 was done without an Administrator credential.
Micro Focus Expert

Re: RDP access with PAM 3.2

If your users know the local administrator account credentials then I suppose there is no reason. So none of these 3 rules are working in your environment? As this thread has gone on a while, I recommend opening up a service request through the Customer Center to troubleshoot the possible ways to configure Direct RDP use cases.