I am working with PAM 3.0.2 and I have created some target applications with PROXY AGENT.
When I create the target accounts, they validate against the vault and the endpoints and they are validated correctly, but when the user tries to do an RDP with the local account, it generates the error in the attached image.
Clarifying that for the Proxy - Windows domain accounts the RDP sessions work perfectly.
Are you able to login to the server directly with the local account over RDP?
Yes, the account has similar rights to the local account administrator and worked fully from an RDP session of Windows 10.
Hi Julian, Did you make progress with this? As Trevor's reply suggests, this would be expected if the local account was not a member of the Remote Desktop Users user group.
CA Support and I are working on this case and we are evaluating some options: the proxy version installed, the PAM system log and the different Windows logs that the Event Viewer manages, but nothing tells us what the error could be.
Note: The proxy works perfectly with the configuration "Proxy domain account" and only with the local account administrator; the other local accounts do not work despite having the same permissions as the administrator.
The CA PAM Client log displays the following information when the RDP session fails:
2018-02-02 16:48:25 INFO - syserr.write(?:?) [PAM Access Agent-3]
2018-02-02 16:48:30 ERROR - Can't read fully buffer : 8 for: Thread[PAM Access Agent-3,5,main] used: TcpHandler ( com.ca.xsuite.app.rdp3.client.handler.ClientTLSStreamHandler@5f13bbce,socket = Socket[addr=/127.0.0.200,port=43629,localport=41540] state: isInputShutdown: true isOutputShutdown: true written: 0 ) com.ca.xsuite.app.rdp3.core.exception.TlsAlertException: Internal TLS error, this could be an attack com.ca.xsuite.app.rdp3.client.handler.ClientTLSStreamHandler.error(?:?) [PAM Access Agent-3]
2018-02-02 16:48:30 ERROR - Application Error raised during connection process or inside main loop. The logon attempt failed.The credentials that were used to connect to server did not work. com.ca.xsuite.app.rdp3.client.app.RDesktop.error(?:?) [PAM Access Agent-3]
At the endpoint, the Event Viewer traces the error shown in the picture.
Any ideas about this problem?
Hi, the denied login shows that a domain account was used with domain name ACUEDUCTO.RED. My guess is that the Windows proxy target application has this domain configured. It shouldn't if it's meant to manage local accounts.
Thanks, your answer is correct; the local account had the domain checkbox marked and this was the error. Just unchecking it was enough, and it works perfectly.
There is an additional procedure for accounts managed with a local proxy account to perform self-discovery of accounts. Currently it does not generate an error but does not discover any account.