Trying to RDP to a Windows 2012 R2 or Windows 2016 R2 server does not work, irrespective of whether we specify the account at login time or it is automatically injected by PAM.
In the logs the following error is reported:
NLA login was canceled or invalid credentials were entered. Deleting the file: XXX-0000043381-20180619140837917_RDP
However, there is no problem with session recording; the ciphers and credentials are all up to date and look the same as on any other server where it works.
What may be the problem?
Windows 2012 R2 and Windows 2016/2019 R2 remote devices
Privileged Access Manager, all versions
This is due to the Encryption Oracle Remediation policy not being defined on the remote Windows system. RDP uses CredSSP, for which a vulnerability was described in CVE-2018-0886. This required patching of Windows and, in particular, of CredSSP.
See https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea for further information.
Setting the Encryption Oracle Remediation policy as specified in the document above resolves the problem. Choose the "Mitigated" option so that RDP connections can proceed seamlessly. See the table at the end of the Microsoft document for an explanation of the different options.
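As an added example (not from this article or from the PAM product), the following PowerShell reads the current Encryption Oracle Remediation setting on the remote Windows host and sets it to "Mitigated". It assumes an elevated PowerShell session on the target server with the CVE-2018-0886 CredSSP update already installed, and that the setting is not overridden by a domain Group Policy.

```powershell
# Added example: inspect and set the CredSSP "Encryption Oracle Remediation"
# policy on the remote Windows server. Assumes an elevated session on that
# server and that the CVE-2018-0886 CredSSP update is already installed.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# Meaning of each policy value, per the table in the Microsoft CVE-2018-0886 article.
$Meanings = @{
    0 = 'Force Updated Clients (server refuses unpatched CredSSP clients)'
    1 = 'Mitigated (server accepts unpatched clients; clients do not fall back to insecure versions)'
    2 = 'Vulnerable (insecure fallback allowed; host remains exposed to CVE-2018-0886)'
}

function Get-EncryptionOracleRemediation {
    # Returns the configured value, or $null when the policy is "Not configured".
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-EncryptionOracleRemediation {
    $v = Get-EncryptionOracleRemediation
    if ($null -eq $v) {
        Write-Host 'Encryption Oracle Remediation: Not configured'
    } else {
        Write-Host ('Encryption Oracle Remediation: {0} = {1}' -f $v, $Meanings[$v])
    }
}

function Set-EncryptionOracleRemediation {
    param([ValidateSet(0, 1, 2)][int]$Level)
    # Create the policy key if the setting has never been defined on this host.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Level -Type DWord
    Write-Host ('Set {0} to {1}: {2}' -f $ValueName, $Level, $Meanings[$Level])
}

Show-EncryptionOracleRemediation
Set-EncryptionOracleRemediation -Level 1   # "Mitigated", as recommended above
Show-EncryptionOracleRemediation
```

If the host is domain-joined and the setting is managed centrally, make the same change in Group Policy (Computer Configuration > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation) instead, since a policy refresh would otherwise overwrite the local registry value.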