I can't RDP to a remote Windows 2016 or Windows 2012. Why is this so ?
Article ID: 108652
CA Privileged Access Manager - Cloakware Password Authority (PA)PAM SAFENET LUNA HSMCA Privileged Access Manager (PAM)
Trying to RDP to a Windows 2012 R2 or Windows 2016 R2, it does not work. Irrespective of whether we are specifying the account at login time or if this is automatically injected by PAM
In the logs the following error is reported:
NLA login was canceled or invalid credentials were entered. Deleting the file: XXX-0000043381-20180619140837917_RDP
However, there is no problem with session recording, the ciphers and credentials are all up to date and they look the same as in any other server where it works
What may be the problem ?
Windows 2012 R2 and Windows 2016 R2 remote devices CA PAM 2.8.X an later
This is due to the Encryption Oracle remediation policy not being defined in the remote Windows system. RDP uses CredSSP for which a vulnerability was described in CVE-2018-0886. This required patching of Windows and, in particular of CredSSP.
Setting up the Encryption Oracle remediation policy as specified in the document mentioned will help overcome the problem. You need to choose the "Mitigated" option for allowing connection through RDP to occur seamlessly. See the table at the end of the Microsoft document for an explanation of the different options.
On newer PAM releases you may see an error popup when you launch the RDP access method. This would happen automatically, if auto-logon is configured, or after providing credentials manually. The error message would be "An error occurred in NTLM handshake". The PAM client log file, logs.log, would show an error similar to the following: 2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]