I just recently ran into a similar issue with SSH Auto Connect.
the issue in my case turned out to be that the user has been granted a custom Credential Manager Group whose Role was missing a required CM privilege.
in my case the missing privilege was Search Target Application.
I would check the following to confirm whether your case is similar:
1. Check whether the user has been assigned the "Password Manager" PAM Role and a Custom (aka not ootb) CM Group / Role.
2. Then raise the catalina logging level to info and have the user recreate the issue.
3. Check the catalina log for recent errors
in my case it was
PAM-CM-0553: Authorization Failed. User <UPN> (userid) unauthorized for command searchTargetApplications does not have permission for this action.
If that is what turns out to be the issue, then it's a known feature of the product. When a regular user has been granted a CM Role and the user also has Policies assigned to her/him then the CM privileges take precedence and must be accurate and complete for everything the user needs to be able to do in PAM.
Hope that helps.
------------------------------
Services Architect
HCL Technologies Ltd
------------------------------
Original Message:
Sent: 06-05-2019 10:08 AM
From: Maria Celeste Catena
Subject: RDP session not working: we get an error message saying "Can´t decide access type"
Hi ,
I'm working on an incident where the RDP session is not working on the Primary Sites but it does in the Secondary Sites.
When user attempts to start an RDP session, the following error is displayed: "Can´t decide access type".
In the php_error log I see the following error:
#1 /var/www/htdocs/uag/services/main/business/impl/AccessServiceImpl.php(1726): AccessServiceImpl->updateSessionRecordingFlags(Array, Array)
#2 [internal function]: AccessServiceImpl->getTaskParams('7001', '8', 'RDP', '', '', '', '', '')
#3 /var/www/htdocs/uag/services/main/controller/ServiceController.php(311): ReflectionMethod->invokeArgs(Object(AccessServiceImpl), Array)
#4 /var/www/htdocs/uag/services/main/controller/ServiceController.php(413): ServiceController->__handleRequest(false)
#5 /var/www/htdocs/uag/web/serviceController.php(162): ServiceController->handleRequest(false)
#6 {main}
[ /var/www/htdocs/uag/services/main/exceptions/GKException.php : 50 ]
[ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error occurred during service method invocation. Exception Follows. [ /var/www/htdocs/uag/services/main/controller/ServiceController.php : 320 ]
[ 11:42:03 06/04/19 ] [ error ] [Request-5cf6590bb3a23]: Error Code: -1: Get Error: could not find field: ksl_logging_file in <pam_server> or configuration table
at /var/www/htdocs/uag/services/main/common/Configuration.php: 360
Error Code: -1: #0 /var/www/htdocs/uag/services/main/business/impl/AccessServiceImpl.php(5019): Configuration->get('ksl_logging_fil...')
I found that ksl_logging_file is required when the session recording is enable, but this services it not enable nand configured.
Release: 3.3
Do you have any idea?
Thanks,
Regards,