[PAM] RDP Application sessions swapping on PAM

Article ID: 196221


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

[Use Case]

A Terminal Services license is applied and the server hosts RDP Applications.

A Windows User Account is used by multiple Administrators and can open multiple sessions.

With PAM 3.4.0, multiple RDP sessions were found to be left in the (Disconnected) state. When the next PAM user launches the RDP App with the same Windows account, that user is presented with a list of the disconnected sessions to choose from.

Or, if only one RDP session was in the disconnected state, that session is resumed by this user, hence the session swap.

 

 

Policy

    - Administrative Templates

        - Windows Components

            - Remote Desktop Services

               - Remote Desktop Session Host

                   - Licensing

                     * Use the specified Remote Desktop license servers : Enabled (you need to specify which license server)

                     * Set the Remote Desktop licensing mode: Enabled (Per User)

 

Policy

    - Administrative Templates

        - Windows Components

            - Remote Desktop Services

               - Remote Desktop Session Host

                   - Connections

                     * Restrict Remote Desktop Services users to a single Remote Desktop Services session: Disabled

 

Environment

Release : 4.0.X / 4.1.X

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

If the RDP App is hosted without "Remote Desktop licensing mode" enabled, it is normal to see a list of disconnected sessions to choose from when you RDP using the same Windows account.

With "Remote Desktop licensing mode" enabled and license applied, the RDP session will close when you are disconnected from the RDP session.

 

The problem was that the Transparent Login Agent was not closing the RDP session, leaving it in the (Disconnected) state, which allows it to be resumed.

This allowed other PAM users using the same Windows Account to resume these disconnected RDP sessions.

 

Resolution

Hotfix 3.4.0.08 addresses this issue so the RDP sessions are closed.

PAM 4.x works out of the box.
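
To confirm on the RDS host that no resumable sessions are left behind for a shared Windows account, the following added example (not part of the original article or of PAM) parses `quser` output and reads the policy values behind the two settings listed above. The function name, the account names and the sample lines are constructed for illustration, and English-language `quser` output is assumed.

```powershell
# Added example: audit an RDS host for the session-swap condition.
# Assumes English-language quser output; $sample is constructed, not captured.

function Get-DisconnectedSession {
    param([string[]]$QuserLines)
    # quser columns: USERNAME SESSIONNAME ID STATE IDLE-TIME LOGON-TIME.
    # SESSIONNAME is empty for a disconnected session, so that group is optional.
    $pattern = '^[ >](?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)\b'
    foreach ($line in $QuserLines) {
        if ($line -match $pattern -and $Matches['state'] -eq 'Disc') {
            [pscustomobject]@{ UserName = $Matches['user']; SessionId = [int]$Matches['id'] }
        }
    }
}

$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>pamadmin              rdp-tcp#12          2  Active          .  1/15/2024 9:02 AM'
    ' svc_shared                                3  Disc         1:05  1/15/2024 8:10 AM'
    ' svc_shared                                5  Disc           42  1/15/2024 8:31 AM'
    ' svc_shared            rdp-tcp#14          6  Active          .  1/15/2024 9:40 AM'
)

# One row per Windows account that still has sessions another user could resume.
Get-DisconnectedSession -QuserLines $sample | Group-Object UserName | ForEach-Object {
    [pscustomobject]@{
        UserName   = $_.Name
        Resumable  = $_.Count
        SessionIds = $_.Group.SessionId -join ','
    }
}

# Policy values behind the two GPO settings listed in this article.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$gpo = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($gpo) {
    'LicensingMode         = {0} (4 = Per User)' -f $gpo.LicensingMode
    'fSingleSessionPerUser = {0} (0 = restriction disabled)' -f $gpo.fSingleSessionPerUser
}
```

On the host itself, replace `$sample` with live output: `Get-DisconnectedSession -QuserLines (quser 2>$null)`. Any row returned for the shared account means a disconnected session is still available to be resumed.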