Symantec Privileged Access Management

  • 1.  Any workarounds for CA PAM RDP Auto Logon when finheritAutoLogon is disabled?

    Posted Apr 23, 2019 05:46 PM

    CA PAM RDP client credentials are not auto accepted when HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\fInheritAutoLogon is set to 0. The RDP client displays the security banner, and when "OK" is clicked it does not log on automatically. When fInheritAutoLogon is set to 1, CA PAM will auto-login once "OK" is clicked on the security banner. Has anyone experienced this issue and found a workaround?
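    The registry value named in the question can be audited on the target server before touching PAM policy. The script below is an added example, not code from the thread or from Symantec/Broadcom: it reads the RDP-Tcp WinStation key, reports fInheritAutoLogon together with the related fPromptForPassword value (the Windows "Always prompt for password" setting), and flags whether the server's state matches the value your security policy requires. The function name, the parameter name, its default, and the assumption that a missing value means the Windows default (inheritance on, no forced prompt) are mine for this example.

```powershell
# Added example (not from the thread): audit the RDP-Tcp WinStation values that decide
# whether credentials supplied by an RDP client (PAM's applet or mstsc) are accepted
# after the logon banner. Run on the target server with administrative rights.
# Function name, parameter name and the "missing value = default" assumption are
# assumptions made for this example.

function Get-RdpAutoLogonSetting {
    [CmdletBinding()]
    param(
        # fInheritAutoLogon value that your security policy requires
        # (0 in the case discussed in the thread).
        [int]$ExpectedInheritAutoLogon = 0
    )

    $winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Read the key once; stop if it is missing or access is denied.
    $props = Get-ItemProperty -Path $winStation -ErrorAction Stop

    # Assumed defaults when a value is absent: inheritance enabled, no forced prompt.
    $inherit = if ($null -ne $props.fInheritAutoLogon) { [int]$props.fInheritAutoLogon } else { 1 }
    $prompt  = if ($null -ne $props.fPromptForPassword) { [int]$props.fPromptForPassword } else { 0 }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        fInheritAutoLogon  = $inherit
        fPromptForPassword = $prompt
        # Client-supplied credentials are only auto-accepted when inheritance is on
        # and the server is not configured to always prompt.
        AutoLogonPossible  = ($inherit -eq 1 -and $prompt -eq 0)
        MatchesPolicy      = ($inherit -eq $ExpectedInheritAutoLogon)
    }
}

# Example run: compare the server against a policy that requires inheritance disabled.
Get-RdpAutoLogonSetting -ExpectedInheritAutoLogon 0 | Format-List
```

    An output of AutoLogonPossible = False with MatchesPolicy = True is the situation the question describes: the server is compliant with the policy, and any auto-connect through PAM will stop at the credential prompt. Running the same check across the member servers first tells you which of them will actually need the PAM-side change discussed later in the thread rather than a registry change.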



  • 2.  Re: Any workarounds for CA PAM RDP Auto Logon when finheritAutoLogon is disabled?

    Broadcom Employee
    Posted Apr 24, 2019 12:28 PM

    Hello Michael, I couldn't find any previous report of this problem. I wonder what is the use case behind it. Why would you want this setting to be 0 but auto-login to work at the same time? Isn't the setting saying you don't want auto-login? When I set fInheritAutoLogon=0 on a target device and connect with the native mstsc client, I am also asked for the credentials (user name and password, not just password) again after acknowledging the warning.



  • 3.  Re: Any workarounds for CA PAM RDP Auto Logon when finheritAutoLogon is disabled?

    Posted Apr 24, 2019 01:23 PM

    The use case is as follows:

    Server admins are allowed to log into the end point using domain credentials via an RDP client; however, security policy requires client credential inheritance be disabled. The break glass (built-in local admin) account is in PAM in case the server loses connectivity to the domain. The password view policy requires check-in/check-out. In testing we ended up in a loop where we cannot view the password and still enter it into the RDP session. We would like that if the break glass needs to be used the admins would never need to know the password. We understand that it may require modifying our security policies to allow fInheritAutoLogon=1, but would like to explore other options first.



  • 4.  Re: Any workarounds for CA PAM RDP Auto Logon when finheritAutoLogon is disabled?

    Broadcom Employee
    Posted Apr 24, 2019 01:55 PM

    When users log on with their domain credentials via an RDP client, don't they have the same problem that they have to provide credentials a second time after acknowledging the warning? That's what I observed with PAM or the native RDP client. In that case it would be a Windows security question rather than a PAM question, and you could check with Microsoft on alternatives. The only potential option I can see in PAM would be a transparent login configuration for a jump server on which you launch the native RDP client and let PAM's transparent login feature provide username and password. It should be able to handle the two login screens, but I have not tested it.



  • 5.  Re: Any workarounds for CA PAM RDP Auto Logon when finheritAutoLogon is disabled?

    Posted May 03, 2019 11:52 AM

    Mike, that "loop" you refer to is due to the fact that Policy is configured for both password viewing and auto-connect.

    When a password is "checked-out" for viewing, it cannot be used simultaneously for auto-connect purposes in PAM until the password is checked-in.

    The same is true for the inverse: if fInheritAutoLogon were set to 1 then we could auto-connect via PAM, but no one would be able to view the password simultaneously until the auto-connect session is terminated and the password is checked back in.

    So to get around this issue, we re-configured the policy: we removed only the target account from the RDP Access method (but left RDP selected) whilst leaving Password viewing unchanged.

    In so doing, users can now check-out the password for viewing and use PAM's RDP applet to connect and record the session.

    We may be able to add the member servers to a device group and enable the option "Provide Credentials for Always Prompt of Password" on the group.