Impact to PAM by using Network Level Authentication (NLA) on systems

Article ID: 132326

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

Is there any impact on CA-PAM when Network Level Authentication(NLA) is implemented on Windows servers?

Environment

Note: Testing was done using PAM 3.2.4. The results may vary if an older version of PAM is used.

Resolution

There appears to be no impact on PAM when NLA is configured on a Windows server. NLA makes the client authenticate (through CredSSP) before the server creates a session, so the PAM RDP applet has to present the target credentials up front rather than at a logon screen; in these tests it did so without issue.

Initial tests involved Windows Server 2012 and 2016. Both servers were deployed with NLA already enabled, and the RDP applet connected and logged in without any problem.

Testing was then performed with a Windows Server 2008 server, cycling through the three Security Layer settings of the RDP-Tcp listener. First, the Security Layer was set to RDP Security Layer, with the NLA check box grayed out (NLA is not available on that layer). PAM was configured for Autoconnect and it worked in this mode. The Security Layer was then changed to SSL (TLS 1.0) and the box was checked to allow connections only from systems running NLA. Autoconnect still worked with no problem. Lastly, the Security Layer was changed to Negotiate with the NLA box still checked. Autoconnect still worked.

In short, all three Security Layer settings worked, indicating that configuring the server to require NLA has no impact on PAM's ability to make RDP connections.

Note:

Customers have reported cases where they were unable to RDP to a target server with NLA enabled, although it had been working fine before.
This usually happened after OS updates were applied (either on the target server or on the domain controller), and rebooting the target server resolved the problem.
When this condition occurs, a direct RDP session using mstsc also fails, reporting that the domain controller cannot be reached. NLA has the target validate the domain credentials against a domain controller before a session exists, so a target that has lost contact with its DC rejects NLA logons from any client. This is not a PAM issue.
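The following PowerShell is an added example, not part of this article or of PAM, covering both the Security Layer / NLA settings tested above and the domain-controller check the note describes. It reads the listener settings from the documented RDP-Tcp registry key and the Win32_TSGeneralSetting WMI class, refuses to turn on NLA while the Security Layer is still "RDP Security Layer" (the combination the UI greys out), and then checks the two things that have to be true for an NLA logon to succeed: the listener is answering and the server still has a working secure channel to a domain controller. It assumes it is run in an elevated PowerShell session on the domain-joined target server itself; nothing in it talks to PAM.

```powershell
# Added example (not Broadcom/PAM code). Run elevated on the target Windows server.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry/WMI SecurityLayer values mapped to the names shown in the
# Remote Desktop Session Host configuration UI used in the article.
$securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpSecuritySettings {
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS
    # UserAuthentication: 1 = "Allow connections only from computers running NLA"
    $p = Get-ItemProperty -Path $rdpKey -Name SecurityLayer, UserAuthentication
    [pscustomobject]@{
        SecurityLayer = $securityLayerNames[[int]$p.SecurityLayer]
        NlaRequired   = ([int]$p.UserAuthentication -eq 1)
    }
}

function Set-RdpNlaRequired {
    param([Parameter(Mandatory)][bool]$Required)

    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"

    # The RDP Security Layer cannot carry NLA; the UI greys the box out for it.
    if ($Required -and $ts.SecurityLayer -eq 0) {
        throw 'NLA needs Security Layer "Negotiate" or "SSL (TLS)". Change SecurityLayer first.'
    }

    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]([int]$Required) } | Out-Null
}

function Test-NlaPrerequisites {
    # 1. Is the RDP listener answering at all?
    $listener = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port 3389 -InformationLevel Quiet

    # 2. Can this server still reach a domain controller? NLA validates the
    #    domain credentials before a session exists, so a broken secure channel
    #    breaks NLA logons for PAM and for mstsc alike, even though port 3389 is open.
    $secureChannel = Test-ComputerSecureChannel
    $nltest = (& nltest "/sc_query:$env:USERDOMAIN" 2>&1) -join "`n"

    [pscustomobject]@{
        Rdp3389Open     = $listener
        SecureChannelOk = $secureChannel
        NltestOutput    = $nltest
    }
}

# Usage: show the current listener settings, then run the NLA prerequisite checks.
Get-RdpSecuritySettings
Test-NlaPrerequisites
```

If SecureChannelOk comes back False while Rdp3389Open is True, you are looking at the condition in the note above: the listener is up but the server cannot validate credentials, and no RDP client, PAM included, will get past NLA until the secure channel is restored. The article reports that rebooting the target cleared it; Test-ComputerSecureChannel -Repair (run elevated on the target) is the Microsoft-documented way to reset the channel without a reboot, and is worth trying first.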


Additional Information

More details on this topic may be found in the PAM documentation.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-3/integrating/configure-login-options-for-windows-target-devices.html