Valued Contributor.

RDP session closed unexpectedly

Hi everyone.

In a version of PAM 3.6, an RDP session is opened, but it closes unexpectedly when entering the session, or the session does not load and only tries to connect.

When trying to enter the server outside the PAM, you are also logged out after a few seconds, which after several entries allows you to stop the PAM service.

After reviewing the agent log the following is detected:

Wed Jan 22 12:02:23 2020, Info, Audited Video file = '347047ef-822d-6c46-af20-136588346240_0000000003.webm'
Wed Jan 22 12:02:24 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\347047ef-822d-6c46-af20-136588346240_0000000003.webm' send to audit manager.
Wed Jan 22 12:02:24 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\347047ef-822d-6c46-af20-136588346240_0000000003.webm'
Wed Jan 22 12:03:43 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (0ms)
Wed Jan 22 12:03:43 2020, Info, regclnt getSessionCache client:sqrobspeicep rc:0 status:0 (0ms)
Wed Jan 22 12:03:43 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (31ms)
Wed Jan 22 12:04:01 2020, Error, Invalid authentication token signature
Wed Jan 22 12:04:01 2020, Info, regclnt setSessionCache client:sqrobspeicep rc:0 status:0 (31ms)
Wed Jan 22 12:04:01 2020, Info, Monitor audit session for: S-1-5-21-3817306811-296713049-1526355255-206500(b07f63cb-1171-4d66-81f4-5a1533af3ed0)
Wed Jan 22 12:04:01 2020, Info, rexec auditSession client:sqropamprod rc:0 status:0 (219ms)
Wed Jan 22 12:04:01 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (15ms)
Wed Jan 22 12:04:01 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Wed Jan 22 12:04:21 2020, Info, Session match found for S-1-5-21-3817306811-296713049-1526355255-206500(b07f63cb-1171-4d66-81f4-5a1533af3ed0)
Wed Jan 22 12:04:21 2020, Info, Creating named pipe (\\.\pipe\spf-6giefvpz) for SCRNCAPT process communications channel
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\bin\scrncapt.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe process for session = 3
Wed Jan 22 12:04:21 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe) - Try count = 1
Wed Jan 22 12:04:21 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe process for session = 3
Wed Jan 22 12:05:05 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe) - Try count = 1
Wed Jan 22 12:05:05 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulibexe.exe process for session = 3
Wed Jan 22 12:05:05 2020, Info, Creating process (C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe) - Try count = 1
Wed Jan 22 12:05:05 2020, Info, Created C:\Program Files\NetIQ\npum\service\local\rexec\bin\nvlaulib64exe.exe process for session = 3
Wed Jan 22 12:05:08 2020, Info, Creating named pipe (\\.\pipe\spf-fiecyf02) for SCRNCAPT process communications channel
Wed Jan 22 12:05:08 2020, Info, Creating process (C:\Program Files\NetIQ\npum\bin\scrncapt.exe) - Try count = 1
Wed Jan 22 12:05:08 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:05:14 2020, Info, regclnt modSessionCache client:sqrobspeicep rc:0 status:0 (46ms)
Wed Jan 22 12:05:14 2020, Error, state: 6 :: Failed to write STOP commanddetails to pipe for file = b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm
Wed Jan 22 12:05:14 2020, Error, rd_session_change line: 2796 rv=720232:The pipe is being closed.
Wed Jan 22 12:05:14 2020, Info, Audited Video file = 'b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm'
Wed Jan 22 12:05:14 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm' send to audit manager.
Wed Jan 22 12:05:14 2020, Info, Audited Video file = 'b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm'
Wed Jan 22 12:05:14 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm'
Wed Jan 22 12:05:15 2020, Info, File 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm' send to audit manager.
Wed Jan 22 12:05:15 2020, Info, temp video file deleted: 'C:\Program Files\NetIQ\npum\service\.work\b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000001.webm'
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Wed Jan 22 12:05:15 2020, Info, regclnt modSessionCache client:sqrobspeicep rc:0 status:0 (47ms)
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (47ms)
Wed Jan 22 12:05:15 2020, Info, rexec logMsg client:sqropamprod rc:0 status:0 (16ms)
Thu Jan 23 06:37:33 2020, Info, Checking service registration for sqrobspeicep (Novell Privileged User Manager)
Thu Jan 23 06:37:33 2020, Info, valid from Wed Jan 22 00:39:27 2020 to Fri Jan 24 01:26:27 2020 (registry offset 40 seconds)
Thu Jan 23 06:37:33 2020, Info, Rechecking service registration in 9 hours
Thu Jan 23 16:01:40 2020, Info, Checking service registration for sqrobspeicep (Novell Privileged User Manager)
Thu Jan 23 16:01:40 2020, Info, valid from Wed Jan 22 00:39:27 2020 to Fri Jan 24 01:26:27 2020 (registry offset 41 seconds)
Thu Jan 23 16:01:40 2020, Info, Registration successful for sqrobspeicep (Novell Privileged User Manager) to registry sqropamprod
Thu Jan 23 16:01:40 2020, Info, valid from Thu Jan 23 16:02:22 2020 to Sat Jan 25 16:18:33 2020
Thu Jan 23 16:01:40 2020, Info, PAM service is already in non-FIPS mode.
Thu Jan 23 16:01:40 2020, Info, Rechecking service registration in 23 hours
Fri Jan 24 10:51:02 2020, Info, distrib listUpdates client:sqropamprod user:admin@sqropamprod(10.160.9.201) rc:0 status:0 (109ms)

Is there anything that can be done so that the sessions don't close?

and

Why is it having problems removing and sending that video?

I hope you can support me, as it is a problem that has already occurred on 3 agents.

 

Thanks and greetings to all.

0 Likes
Super Contributor.

Re: RDP session closed unexpectedly

What does the Reporting console show for the login attempt?

0 Likes
Valued Contributor.

Re: RDP session closed unexpectedly

Hi, good day.

I enclose an image of the report. I appreciate your support.

Regards.

0 Likes
Micro Focus Expert

Re: RDP session closed unexpectedly

So it looks like Command Control is authorizing the session based on your screenshot, so perhaps there is some problem with auditing the session so that the session is eventually closed due to its inability to audit. I'd recommend opening a Service Request with Micro Focus Customer Support to help investigate the cause.

Some other things to try / look at:

- Setting the unifid.log on the Agent to DEBUG may help reveal potentially some errors in the audit being established.

- It looks like there is video capture enabled for the session, so perhaps you could try the session with video capture disabled to see if there is any difference in how long the session lasts before it is disconnected.

- What version of Windows is the Agent running on?
0 Likes
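
A triage sketch for the agent log in the original post, added here as an example and not part of the thread or of the product's own tooling: it parses the `timestamp, level, message` lines (sample lines copied from the post) and, for each Error, reports how many seconds after the last scrncapt start it occurred and what was logged just before. The function names and the reading of the GUID in the file name as the audit session identifier are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the agent log in the original post (subset).
SAMPLE_LOG = r"""
Wed Jan 22 12:04:01 2020, Error, Invalid authentication token signature
Wed Jan 22 12:04:01 2020, Info, Monitor audit session for: S-1-5-21-3817306811-296713049-1526355255-206500(b07f63cb-1171-4d66-81f4-5a1533af3ed0)
Wed Jan 22 12:04:21 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:05:08 2020, Info, Creating named pipe (\\.\pipe\spf-fiecyf02) for SCRNCAPT process communications channel
Wed Jan 22 12:05:08 2020, Info, Created scrncapt process for session = 3
Wed Jan 22 12:05:14 2020, Error, state: 6 :: Failed to write STOP commanddetails to pipe for file = b07f63cb-1171-4d66-81f4-5a1533af3ed0_0000000002.webm
Wed Jan 22 12:05:14 2020, Error, rd_session_change line: 2796 rv=720232:The pipe is being closed.
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}), (\w+), (.*)$")
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def parse(text):
    """Return (timestamp, level, message) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(events, window=10):
    """One finding per Error line, with capture timing and preceding context."""
    findings, last_capture = [], None
    for i, (ts, level, msg) in enumerate(events):
        if "Created scrncapt process" in msg:
            last_capture = ts
        if level != "Error":
            continue
        guid = GUID_RE.search(msg)
        findings.append({
            "time": ts,
            "message": msg,
            "guid": guid.group(0) if guid else None,  # assumed audit session id
            "secs_since_capture": (ts - last_capture).total_seconds() if last_capture else None,
            # messages logged in the `window` seconds before this error
            "context": [m for t, _, m in events[:i] if (ts - t).total_seconds() <= window],
        })
    return findings

if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f["time"], f["secs_since_capture"], f["guid"], f["message"])
```

Running the same functions over a log captured with video capture disabled gives a direct comparison for the second suggestion above.
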
Valued Contributor.

Re: RDP session closed unexpectedly

I appreciate the recommendations, most likely if you do. As for the question of the Windows version, it is the following:
Windows Server 2016 64-bit

Thanks and regards

0 Likes