CA PAM Support for CredSSP

Article ID: 187142

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The customer has deployed the CredSSP update described in Microsoft's CVE-2018-0886 on many of their target Windows devices.

After doing so and setting the Encryption Oracle Remediation policy to "Force Updated Clients" on several of their Windows systems, according to https://support.microsoft.com/ca-es/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, they are not able to log in to any of these systems and they receive errors like the following:

2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]

Cause

This is caused by setting the Encryption Oracle Remediation policy to "Force Updated Clients". This setting is not supported by our RDP applet.

Environment

CA PRIVILEGED ACCESS MANAGEMENT, all versions

Resolution

Set the Encryption Oracle Remediation policy setting to "Mitigated" on those systems where CredSSP has been deployed and a connection from PAM is required.
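
As an added example (not code from this article or from the product), the following PowerShell reports the current Encryption Oracle Remediation level on a target system and sets it to "Mitigated". The function names are hypothetical; the registry path, the value name AllowEncryptionOracle and the 0/1/2 meanings are those documented in the Microsoft article linked above.

```powershell
# Added example; function names are hypothetical. Registry path and value
# meanings are those documented in Microsoft KB4093492.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'
$Levels     = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleSetting {
    # Returns the configured level, or 'Not configured' when the value is
    # absent (the operating system default then applies).
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $raw = [int]$item.$ValueName
    if ($Levels.ContainsKey($raw)) { return $Levels[$raw] }
    return "Unknown ($raw)"
}

function Set-EncryptionOracleMitigated {
    # Writes AllowEncryptionOracle = 1 (Mitigated). Supports -WhatIf so the
    # change can be previewed before it is applied. Run elevated.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-EncryptionOracleSetting
    if ($current -eq 'Mitigated') {
        Write-Output 'Already Mitigated; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Set $ValueName from '$current' to 1 (Mitigated)")) {
        if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
        Set-ItemProperty -Path $CredSspKey -Name $ValueName -Value 1 -Type DWord
        Write-Output "Changed from '$current' to 'Mitigated'."
    }
}

# Report the current level, then preview the change without applying it.
Get-EncryptionOracleSetting
Set-EncryptionOracleMitigated -WhatIf
```

Where the setting is delivered by a domain Group Policy (Computer Configuration > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation), change it in the GPO instead, because a local registry edit is overwritten at the next policy refresh.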

Additional Information

Please note: you can use the "Force Updated Clients" setting with PAM 3.4.x, but not with our embedded RDP client.

Instead, you can use the new RDP Proxy functionality, which makes use of any local RDP client on the user's desktop.

Please see the following documentation/video on this:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4/release-information/new-features-and-enhancements-in-3-4.html#concept.dita_97029b778cfd380e0edca2b1b71f2be6a0289cf2_RDPProxy