This is not the first time a client has voiced concerns with the user-friendliness and level of productivity the PAM Client - RDP Applet affords users when the RDP session is locked due to user-inactivity.
When an auto-connect session is 'locked' due to user inactivity / saver timeout, users must currently disconnect and re-connect for the RDP session to auto-RE-connect to the user's previously established RDP session. A client is voicing their discontent with that product behavior, as it will cause their users to complain about having to reconnect to their RDP session every 15 minutes or whatever.
From a more technical standpoint, this behavior can lead to multiple check-ins/check-outs which may lead to multiple password changes for accounts (PVP-COV based) which can be problematic, especially in cases in which a domain password policy prevents account passwords from changing more than once in a 24 hr window (MinAge=1).
As a result, the client would like to understand if there is a way to force PAM to re-inject the credentials without disconnecting the active (albeit, locked) RDP session without triggering a check-in or change-on-view.
Is there an (information security) counter-argument for which clients wouldn't or shouldn't want that feature?
Also, they are curious as to what other clients may be doing in this case.
Thanks in advance.