search cancel

Cannot put Reason Required For Auto-Connect on Transparent Login account


Article ID: 104072


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


An RDP application performs Transparent Login to SQLDeveloper. We wish to require justification for using this application. If we set the SQLDeveloper account to Reason Required on Auto-Connect, no popup appears to ask for a reason, but the transparent login succeeds. It is as if the Password View Policy (PVP) option has no effect at all with Transparent Login. If we set the RDP account to Reason Required on Auto-Connect (not precisely what we want, but a close approximation for our immediate need), the popup appears as expected. After entering a justification, the service launches as expected.


Any PAM version up to 3.2 so far.


This is working as designed. When the transparent login agent retrieves the target account password, the PVP is not evaluated for this secondary login.


A PVP Reason Required for Auto-Connect policy associated with a target account has no effect during transparent login. All you can do is associate such a PVP with the account used for auto-connect.

Additional Information

Password View Policy works with Auto Login but does not work with Transparent Login since Auto Login injection of username and password are handled from Client side but Transparent Login injection of username and password are handled by XsuiteTLAgent.exe which is downloaded to the mapped virtual drive of the target end point windows machine. 
So there is no control on the client side during injection of username and password to the Remote Windows Application and as a result no PVP can be integrated with Secondary accounts.