search cancel

Unable to RDP Windows 2019 servers from within PAM


Article ID: 189457


Updated On:


CA Privileged Access Manager (PAM)


When trying to RDP the Windows 2019 devices from within PAM the following error message arises:

"An error occurred in NTLM handshake"


Product: Privileged Access Manager.
Version: 3.3.x, 3.4.x and 4.x


A likely cause for this issue to occur is related to the following GPO policy settings: 

  • Encryption Oracle Remediation: Enabled.
    • Protection Level: Force Updated Clients.

just like shown in the below image:

When you do have the above setting, if Microsoft releases a new RDP Client in any security push to the server in question, our internal RDP Client will not be able to work anymore because we aren't on the latest.

Our recommendation is to 

  • Encryption Oracle Remediation: Enabled.
    • Protection Level: Mitigated.

If your company security policy is to only run only with:

  • Protection Level: Force Updated Clients.

Than you can no longer use our internal RDP Applet.   You will have to use the local RDP Application on the requesting user's workstation as a PAM TCP/UDP Service:

Nonetheless; if the RDP (Mstsc.exe) has not been patched on the remote workstation that the PAM Client is executing on, you will get the same errors, because you are not at the latest RDP Client Microsoft offers.