CA PAM Access Agent doe not create tunnel for RDP

book

Article ID: 195045

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The CA PAM Agent has been set up to use RDP services in the CA PAM machine: the goal is to connect a remote windows machine using the tunnel in PAM. Let's imagine the remote Windows machine has IP addres 123.134.77.33

Activating the RDP service in the agent, a message appears indicating that the service has been activated. 

The way the CA PAM Agent works, when doing rdp to the endpoint (that is, RDP to 123.134.77.33:3389), the connection is redirected to a local loopback address and random port (e.g. 127.0.0.200:25432) which, in turn, creates a tunnel through PAM to the remote Window system. In this way, direct access to the remote system never happens.

For this particular use case, however, this does not work: if after activating the service, connection is done to the remote machine (e.g. RDP to 123.134.77.33:3389) we do not see connection established to the loopback address (e.g 127.0.0.200:25432), but directly to the remote system. Autologin does not work either, since connection is not going through PAM.

If we check the CA PAM Agent logs for the random port attributed to the service and we verify with netstat -an | findstr 127.0.0, we can see that indeed there is an active port listening on the address where the tunnel is established, and if we connect via RDP to that loopback address (e.g. RDP 127.0.0.200:25432) we really get access to the remote Windows system.

So what seems to fail is the redirection from the remote windows service address to the local loopback address.

Checking the local event viewer of the Windows client machine, we can see an error relative to the driver:

The CAPAMAgentCallouts service failed to start due to the following error:
You cannot verify the digital signature of this file on Windows. A recent hardware or software change might have an incorrectly signed or corrupted file or a malicious software file from an unknown source.

Since it complains about signature, disabling checking driver signature (bcdedit /set nointegritychecks on) this sees to work fine.

Cause

This is likely due to a problem with the certificate of the CA PAM Agent installed drivers and executables.

In particular check the certificate coming with

C:\windows\System32\CAPAMAgentService.exe

C:\Program Files\CA Technologies\CA PAM Agent\CAPAMAgent.exe

C:\Windows\System32\drivers\CAPAMAgentCalloutDriver.sys

It must be a non-expired, valid certificate for the agent to work properly

Environment

Release : 3.3.X and 3.4.X

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If the certificate coming with your package and binaries therein is expired, try to download the CA PAM Agent again from the latest version of PAM available, after uninstalling it completely.

 

Should the issue persist and/or the binaries not be updated with the latest (or at least a valid) certificate, please report the issue to Broadcom Support.