Symantec Privileged Access Management

  • 1.  RDP session not working: we get an error message saying "Can´t decide access type"

    Broadcom Employee
    Posted Jun 05, 2019 10:22 AM
    Edited by Maria Celeste Catena Jun 06, 2019 04:50 AM

    Hi,

    I'm working on an incident where the RDP session is not working on the Primary Sites but it does on the Secondary Sites.
    When a user attempts to start an RDP session, the following error is displayed: "Can´t decide access type".

    In the php_error log I see the following error:

    #1 /var/www/htdocs/uag/services/main/business/impl/AccessServiceImpl.php(1726): AccessServiceImpl->updateSessionRecordingFlags(Array, Array)

    #2 [internal function]: AccessServiceImpl->getTaskParams('7001', '8', 'RDP', '', '', '', '', '')

    #3 /var/www/htdocs/uag/services/main/controller/ServiceController.php(311): ReflectionMethod->invokeArgs(Object(AccessServiceImpl), Array)

    #4 /var/www/htdocs/uag/services/main/controller/ServiceController.php(413): ServiceController->__handleRequest(false)

    #5 /var/www/htdocs/uag/web/serviceController.php(162): ServiceController->handleRequest(false)

    #6 {main}

     [ /var/www/htdocs/uag/services/main/exceptions/GKException.php : 50 ]

    [ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error occurred during service method invocation. Exception Follows. [ /var/www/htdocs/uag/services/main/controller/ServiceController.php : 320 ]

    [ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error Code: -1: Get Error: could not find field: ksl_logging_file in <pam_server> or configuration table 

     at /var/www/htdocs/uag/services/main/common/Configuration.php: 360

    Error Code: -1: #0 /var/www/htdocs/uag/services/main/business/impl/AccessServiceImpl.php(5019): Configuration->get('ksl_logging_fil...')

    I found that ksl_logging_file is required when session recording is enabled, but this service is not enabled and configured.

    Release: 3.3
    Do you have any idea?

    Thanks,

    Regards,



  • 2.  RE: RDP session not working: we get an error message saying "Can´t decide access type"

    Broadcom Employee
    Posted Jun 11, 2019 05:22 AM
    Fixed:
    PAM compares the ksl_logging_file and gsr_logging_file values in the configuration_f table against the existence of the ksl_filelog file.

    The ksl record is related to session recording. PAM searches for the value of that record. If the value is N, it means that session recording is disabled. If the value is Y, it means that session recording is enabled.
    But in this case the ksl_logging_file record did not exist in the configuration_f table.
    ###### [Resolution] ###### 
    1) Go to Configuration :: Logs :: Session Recording
    2) Check the option "Text based recording to the syslog server".
    3) Click on Update.
    4) Ensure that the change is saved and uncheck the option "Text based recording to the syslog server".
    5) Click on Update.


  • 3.  RE: RDP session not working: we get an error message saying "Can´t decide access type"

    Posted Jun 12, 2019 08:57 AM
    I just recently ran into a similar issue with SSH Auto Connect.

    The issue in my case turned out to be that the user had been granted a custom Credential Manager Group whose Role was missing a required CM privilege.

    In my case the missing privilege was Search Target Application.

    I would check the following to confirm whether your case is similar:
    1. Check whether the user has been assigned the "Password Manager" PAM Role and a Custom (aka not ootb) CM Group / Role.
    2. Then raise the catalina logging level to info and have the user recreate the issue.
    3. Check the catalina log for recent errors.
        In my case it was:
        PAM-CM-0553: Authorization Failed. User <UPN> (userid) unauthorized for command searchTargetApplications does not have permission for this action.

    If that is what turns out to be the issue, then it's a known feature of the product. When a regular user has been granted a CM Role and the user also has Policies assigned to her/him then the CM privileges take precedence and must be accurate and complete for everything the user needs to be able to do in PAM.
     
    Hope that helps.


    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 4.  RE: RDP session not working: we get an error message saying "Can´t decide access type"

    Broadcom Employee
    Posted Jun 12, 2019 10:15 AM

    Hi Sebastiano!
    The root cause was that a configuration record was missing in the configuration table. Once we checked the checkbox "Text based recording to the syslog server", this record was inserted in the configuration table. Then we un-checked it and the value of the parameter changed to "N" (Inactive), which is fine in this case because no session recording was configured.

    But it is good to know your case as well.

    Thanks,

    Regards,

    Celeste
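
The two log signatures quoted in this thread (the php_error "could not find field" line and the catalina PAM-CM-0553 line) can be pulled out of a log mechanically to tell the two root causes apart. This is an added example, not part of any post above or of the product; the function name `triage` is hypothetical, and the regexes assume the line layouts exactly as quoted in the thread.

```python
import re

# Constructed sample: log lines copied from the posts above, placeholders
# (<pam_server>, <UPN>, userid) left as the posters wrote them.
SAMPLE_LOG = """\
[ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error occurred during service method invocation. Exception Follows. [ /var/www/htdocs/uag/services/main/controller/ServiceController.php : 320 ]
[ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error Code: -1: Get Error: could not find field: ksl_logging_file in <pam_server> or configuration table
 at /var/www/htdocs/uag/services/main/common/Configuration.php: 360
PAM-CM-0553: Authorization Failed. User <UPN> (userid) unauthorized for command searchTargetApplications does not have permission for this action.
"""

# php_error: a configuration record is absent (the case fixed in post 2).
MISSING_FIELD = re.compile(
    r"\[ (?P<ts>[\d:]+ [\d/]+) \].*\[(?P<req>Request-\w+)\]: "
    r".*could not find field: (?P<field>\w+)")

# catalina: the user's CM role lacks a privilege (the case in post 3).
CM_DENIED = re.compile(
    r"PAM-CM-0553: Authorization Failed\. User (?P<user>\S+) "
    r".*unauthorized for command (?P<command>\w+)")


def triage(log_text):
    """Return one finding per distinct cause, with how often it was seen."""
    counts = {}
    for line in log_text.splitlines():
        m = MISSING_FIELD.search(line)
        if m:
            key = ("missing_config_record", m["field"], m["req"])
        else:
            m = CM_DENIED.search(line)
            if not m:
                continue  # stack frames and unrelated lines are ignored
            key = ("cm_privilege_denied", m["command"], m["user"])
        counts[key] = counts.get(key, 0) + 1
    return [{"cause": c, "item": i, "context": x, "count": n}
            for (c, i, x), n in counts.items()]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```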