Limiting logon to computers through AD does not work

Article ID: 126477

Products

  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • PAM SAFENET LUNA HSM
  • CA Privileged Access Manager (PAM)

Issue/Introduction

We are using some domain users for RDP service configurations in PAM, and all works fine, but now, in order to improve security during the authentication process, we are forcing these domain users to be able to log on only to specific workstations using the Log On To configuration parameter of Microsoft Active Directory.

<Please see attached file for image>


However, if we try to access the computers from CA PAM using RDP, an error regarding user authentication is displayed

<Please see attached file for image>

indicating that the password has expired and must be changed, even though the password is fine.

Cause

The Log On To setting refers to the end user's workstation, that is, the computer the logon request comes from, and not the target computer you are connecting to.

When you connect over RDP, Windows checks the Log On To list against the name of the client that initiates the authentication. If only the target device is listed, the user is still granted local logon at that device (console or direct keyboard/monitor access), but RDP to it from anywhere will fail.

To log on via RDP, the host the logon is initiated FROM must be in the list (so, even though the tab is named Log On 'To', in this case you need to specify the workstation you are logging in 'FROM'). That is the local workstation where MSTSC or the PAM session is launched.
  • If you list the target device, this will not work.
  • If you list the PAM server address, on the grounds that access is routed through PAM, this will not work either: PAM acts as a tunnel and simply forwards the logon information; it does not repackage it with its own hostname.

If the goal is to allow the account to reach computer1, computer2 and computer3 only, Log On To cannot express that, because Windows always evaluates it against the machine initiating the connection. The only practical way to limit it is to filter on the target machines themselves, for example with the host firewall.
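The following PowerShell is an added example, not part of the original article and not CA PAM's own tooling. It manages the Log On To list with the ActiveDirectory module (the setting is the userWorkstations attribute, exposed as LogonWorkstations by Get-ADUser/Set-ADUser as a comma-separated list of NetBIOS names) and checks which host names would pass the restriction. The account name svc-rdp, the client workstations WS-OPS01 and WS-OPS02, the targets SRV-APP01..03 and the PAM host PAM01 are hypothetical.

```powershell
# Added example: manage the AD "Log On To" list (userWorkstations / LogonWorkstations)
# and show why only the hosts that INITIATE the session belong in it.
# Assumptions: RSAT / ActiveDirectory module installed, run as an account that may
# edit the user. All host and account names below are hypothetical.

Import-Module ActiveDirectory

$User        = 'svc-rdp'
$ClientHosts = @('WS-OPS01', 'WS-OPS02')                 # where MSTSC / PAM sessions are launched FROM
$TargetHosts = @('SRV-APP01', 'SRV-APP02', 'SRV-APP03')  # listing these does NOT restrict RDP targets
$PamServer   = 'PAM01'                                   # listing the PAM host does not help either

# Read the current list; an empty attribute means "all computers".
function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$Identity)
    $raw = (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

# Replace the list. The attribute takes NetBIOS names only (max 15 chars, no dots),
# so reject FQDNs before they are silently written as names that never match.
function Set-LogonWorkstationList {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Workstations
    )
    foreach ($ws in $Workstations) {
        if ($ws.Length -gt 15 -or $ws -match '\.') { throw "Not a NetBIOS computer name: $ws" }
    }
    Set-ADUser -Identity $Identity -LogonWorkstations ($Workstations -join ',')
}

# Would a logon initiated from $FromHost pass the restriction? (empty list = unrestricted)
function Test-LogonAllowedFrom {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$FromHost
    )
    $list = Get-LogonWorkstationList -Identity $Identity
    return ($list.Count -eq 0) -or ($list -contains $FromHost.ToUpperInvariant())
}

# Correct configuration: the operator workstations, not the targets and not PAM.
Set-LogonWorkstationList -Identity $User -Workstations $ClientHosts

# Show the effect: only the client hosts are accepted as the initiating machine.
foreach ($h in ($ClientHosts + $TargetHosts + $PamServer)) {
    $allowed = Test-LogonAllowedFrom -Identity $User -FromHost $h
    '{0,-10} initiating logon allowed: {1}' -f $h, $allowed
}
```

The loop makes the article's point visible: SRV-APP01..03 and PAM01 show as not allowed as an initiating host, which does nothing to stop the account reaching them as RDP targets from WS-OPS01 or WS-OPS02.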

Environment

CA PAM all versions

Resolution

Either list the local workstations (the hosts sessions are launched from) in Log On To, or use an altogether different mechanism to limit which servers the account can reach, such as a host firewall rule on each target that only accepts RDP from the PAM appliance, or the "Allow log on through Remote Desktop Services" user right on the target servers.
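As an added example of the firewall alternative (not from the original article and not CA PAM configuration), the PowerShell below is run on each target server. Because PAM tunnels the session, the target sees the PAM appliance as the TCP source, so the target can accept RDP only from that address. The PAM address 10.0.5.10 is hypothetical. Note that in Windows Firewall a Block rule wins over an Allow rule, so the built-in "Remote Desktop" allow rules are disabled rather than adding a broad block that would also cut off PAM.

```powershell
# Added example: restrict inbound RDP on a target server to the PAM appliance only.
# Run elevated on each target (Windows 8 / Server 2012 or later, NetSecurity module).
# 10.0.5.10 is a hypothetical PAM address.

$PamAddress = '10.0.5.10'

# Inbound default must be Block for a narrow allow rule to mean anything.
Set-NetFirewallProfile -Profile Domain, Private -DefaultInboundAction Block

# The built-in Remote Desktop rules admit 3389 from any address: disable them.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Allow RDP from the PAM appliance only.
if (-not (Get-NetFirewallRule -DisplayName 'RDP - allow from PAM only' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP - allow from PAM only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $PamAddress -Action Allow -Profile Domain, Private -Enabled True | Out-Null
}

# Verification: list every enabled inbound rule that touches 3389 with its remote scope.
function Get-RdpInboundRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.DisplayName
                Action        = $_.Action
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
            }
        }
}

Get-RdpInboundRules | Format-Table -AutoSize
```

After running it, the only enabled inbound 3389 rule reported should be the PAM allow rule; any other Allow rule on 3389 with RemoteAddress Any means direct RDP that bypasses PAM is still possible and the rule should be disabled as well.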

Attachments

1558690256482000126477_sktwi1f5rjvs16g7t.png
1558690253507000126477_sktwi1f5rjvs16g7s.png