Symantec Privileged Access Management


Tech Tip - CA Privileged Identity Manager: ObserveIT - You are not authorized to view this session


    Posted Jan 27, 2016 08:17 AM

    CA Privileged Identity Manager Tech Tip by Renato Pioker, Support Engineer for January 27th, 2016

     

    Sometimes you may experience the error "You are not authorized to view this session" while trying to play back a recorded session for a Shared Account Manager account. This error is usually related to permissions on the client machine - the machine from which the remote session was called.

     

    The ObserveIT component (which is responsible for the Session Recording feature) needs a few details to work properly:

     

    On the client machine:

    1) The user that is logged in to the client machine needs R/W permissions on C:\TEMP and on the ObserveIT Agent install folder (usually C:\Program Files (x86));

    2) The PIM and ObserveIT URLs must be in the Trusted Sites zone, and this zone must be set up with relaxed permissions;

    3) The user that is logged in to the client machine needs permission to inject, from Internet Explorer, a configuration into the Windows Installer process while installing/configuring the ObserveIT ActiveX agent.

     

    How it works:

     

    1) A user logs in to the PIM Portal;

    2) This user asks PIM to open a remote session (RDP, for example) to a privileged account;

    3) Internet Explorer installs the PIM ActiveX;

    4) Internet Explorer installs the ObserveIT ActiveX Agent;

    5) Internet Explorer injects the ObserveIT URL into the ObserveIT ActiveX Agent configuration;

    6) PIM ActiveX calls ObserveIT ActiveX to start recording;

    7) PIM ActiveX calls the remote session program (mstsc.exe, for example) to open the remote session;

    8) The remote session starts, and the session recording takes place;

    9) The user finishes their work on the remote session and closes it;

    10) The recording stops and is then uploaded to the ObserveIT server;

    11) The user checks in the privileged password.

     

    A good way to validate whether Internet Explorer is able to configure the ObserveIT ActiveX Agent is to start Internet Explorer as Admin before opening a remote session with recording active. If this session is recorded OK, but recording does not work without opening IE as Admin, then you might have a permission issue. Sometimes the session recording continues to work OK after a single run of IE as Admin (by right-clicking IE and selecting "Run as Administrator").
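
The first two client-machine prerequisites above can be checked from a script. The following is an added example, not part of the original tech tip or of the product. It assumes Windows PowerShell 5.1, run as the user who opens the remote session; the two URLs are placeholders and the agent folder must be set to the real install path.

```powershell
# Added example: verifies the client-side prerequisites listed in the tech tip.
# Run non-elevated, as the user who opens the remote session.
# Assumption: the page only says the agent folder is "usually C:\Program Files (x86)";
# set $AgentFolder to the actual ObserveIT Agent install folder.
$AgentFolder = 'C:\Program Files (x86)'
# Assumption: placeholder URLs; replace with your PIM and ObserveIT URLs.
$Urls = @('https://pim.example.com', 'https://observeit.example.com')

function Test-FolderReadWrite {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'missing' }
    $probe = Join-Path $Path ('rwtest_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        # Write, read back and delete a probe file with the caller's own token.
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        $null = Get-Content -LiteralPath $probe -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        return 'read/write OK'
    } catch {
        return "no read/write access: $($_.Exception.Message)"
    }
}

function Get-UrlZone {
    param([string]$Url)
    # Asks Windows which Internet Explorer security zone the URL maps to
    # (MyComputer, Intranet, Trusted, Internet, Untrusted or NoZone).
    return [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
}

# Prerequisite 1: R/W on C:\TEMP and on the agent install folder.
foreach ($folder in 'C:\TEMP', $AgentFolder) {
    '{0,-45} {1}' -f $folder, (Test-FolderReadWrite -Path $folder)
}

# Prerequisite 2: both URLs must resolve to the Trusted Sites zone.
foreach ($url in $Urls) {
    $zone  = Get-UrlZone -Url $url
    $state = if ($zone -eq 'Trusted') { 'OK' } else { 'NOT in Trusted Sites' }
    '{0,-45} zone={1} ({2})' -f $url, $zone, $state
}
```

A failed folder probe or a zone other than Trusted points to the permission issue described above without needing to run Internet Explorer as Administrator first.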