CA PAM Access Agent does not create tunnel for RDP


Article ID: 195045




CA Privileged Access Manager (PAM)


The CA PAM Agent has been set up to use RDP services on the CA PAM machine: the goal is to connect to a remote Windows machine through the tunnel in PAM. Let's imagine the remote Windows machine has IP addres

When activating the RDP service in the agent, a message appears indicating that the service has been activated.

The way the CA PAM Agent works, when doing RDP to the endpoint (that is, RDP to, the connection is redirected to a local loopback address and random port (e.g. which, in turn, creates a tunnel through PAM to the remote Windows system. In this way, direct access to the remote system never happens.

For this particular use case, however, this does not work: if, after activating the service, a connection is made to the remote machine (e.g. RDP to we do not see a connection established to the loopback address (e.g. but directly to the remote system. Autologin does not work either, since the connection is not going through PAM.

If we check the CA PAM Agent logs for the random port assigned to the service and verify with netstat -an | findstr 127.0.0, we can see that there is indeed an active port listening on the loopback address where the tunnel is established, and if we connect via RDP to that loopback address (e.g. RDP we really do get access to the remote Windows system.

So what seems to fail is the redirection from the remote Windows system address to the local loopback address.

Checking the local Event Viewer of the Windows client machine, we can see an error related to the driver:

The CAPAMAgentCallouts service failed to start due to the following error:
You cannot verify the digital signature of this file on Windows. A recent hardware or software change might have an incorrectly signed or corrupted file or a malicious software file from an unknown source.

Since it complains about the signature, disabling driver signature checking (bcdedit /set nointegritychecks on) seems to make it work fine.


This is likely due to a problem with the certificate of the drivers and executables installed by the CA PAM Agent.

In particular, check the certificate that comes with


C:\Program Files\CA Technologies\CA PAM Agent\CAPAMAgent.exe


It must be a valid, non-expired certificate for the agent to work properly.
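The following PowerShell script is an added example for checking the conditions this article describes; it is not Broadcom tooling and is not part of the original article. It verifies the Authenticode signature and certificate validity period of the agent executable at the path given above (and of the other PE files in the same install folder), looks in the System event log for the CAPAMAgentCallouts start failure, and lists loopback listeners as a PowerShell equivalent of the netstat check. The install folder layout beyond CAPAMAgent.exe and the use of Service Control Manager event ID 7000 for service start failures are assumptions.

```powershell
# Added example, not Broadcom code. Checks signature/certificate validity of the
# CA PAM Agent binaries and looks for the driver-load failure described in the article.
$agentExe = 'C:\Program Files\CA Technologies\CA PAM Agent\CAPAMAgent.exe'   # path from the article

function Test-PamAgentSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null; NotAfter = $null; Valid = $false }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $now  = Get-Date
    # Get-AuthenticodeSignature can still report 'Valid' for a timestamped signature whose
    # signing certificate has since expired, so the validity window is checked explicitly.
    $certInDate = ($null -ne $cert) -and ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status                      # expect 'Valid'
        Signer   = if ($cert) { $cert.Subject }  else { $null }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Valid    = ($sig.Status -eq 'Valid') -and $certInDate
    }
}

# 1. Agent executable plus any other executables/DLLs/drivers shipped in the same folder
#    (the folder contents other than CAPAMAgent.exe are an assumption).
$installDir = Split-Path -Parent $agentExe
Get-ChildItem -LiteralPath $installDir -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PamAgentSignature -Path $_.FullName } |
    Format-Table Valid, Status, NotAfter, Path -AutoSize

# 2. The "service failed to start" message from the article is logged by the
#    Service Control Manager (event ID 7000 is assumed here).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*CAPAMAgentCallouts*' } |
    Select-Object TimeCreated, Message

# 3. Loopback listeners, equivalent to "netstat -an | findstr 127.0.0": a listener here
#    with the port from the agent log means the tunnel itself is up and only the
#    redirection (the callouts driver) is failing.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -like '127.0.0.*' } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it in an elevated PowerShell session on the client machine. A row with Valid = False for CAPAMAgent.exe (either a Status other than Valid or a NotAfter date in the past) matches the expired-certificate condition described in this article.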


Release : 3.3.X and 3.4.X



If the certificate that comes with your package and the binaries therein is expired, try downloading the CA PAM Agent again from the latest available version of PAM, after uninstalling it completely.


Should the issue persist, or should the binaries not be updated with the latest (or at least a valid) certificate, please report the issue to Broadcom Support.