Cannot put Reason Required For Auto-Connect on Transparent Login account
Article ID: 104072
CA Privileged Access Manager - Cloakware Password Authority (PA)PAM SAFENET LUNA HSMCA Privileged Access Manager (PAM)
An RDP application performs Transparent Login to SQLDeveloper. We wish to require justification for using this application. If we set the SQLDeveloper account to Reason Required on Auto-Connect, no popup appears to ask for a reason, but the transparent login succeeds. It is as if the Password View Policy (PVP) option has no effect at all with Transparent Login. If we set the RDP account to Reason Required on Auto-Connect (not precisely what we want, but a close approximation for our immediate need), the popup appears as expected. After entering a justification, the service launches as expected.
This is working as designed. When the transparent login agent retrieves the target account password, the PVP is not evaluated for this secondary login.
Any PAM version up to 3.2 so far.
A PVP Reason Required for Auto-Connect policy associated with a target account has no effect during transparent login. All you can do is associate such a PVP with the account used for auto-connect.
Password View Policy works with Auto Login but does not work with Transparent Login since Auto Login injection of username and password are handled from Client side but Transparent Login injection of username and password are handled by XsuiteTLAgent.exe which is downloaded to the mapped virtual drive of the target end point windows machine. So there is no control on the client side during injection of username and password to the Remote Windows Application and as a result no PVP can be integrated with Secondary accounts.