How to make RDP through CA PAM work with CredSSP and AD Protected User Groups

Article ID: 199786

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM 3.4 has been deployed, but during testing it was highlighted that both CredSSP, as specified in:

https://support.microsoft.com/ca-es/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

as well as the Protected AD Groups feature, as outlined in:

However, CredSSP is a required feature of the environment to be deployed, especially with respect to RDP to Windows 2019 servers.

Is there any way to have both features work in PAM while waiting for support for both in the RDP applet that comes with the product?

Environment

PRIVILEGED ACCESS MANAGEMENT, version 3.4.X

Resolution

The solution is to use an RDP Proxy service launched directly from the client or from the CA Agent to connect to the remote machine configured with CredSSP and/or Protected Groups.

The main difference between this scenario and the "native" CA PAM RDP connection is that, with the RDP Proxy or the CA Agent, no CA PAM applet is launched: the appliance provides tunneling for the connection between the local computer and the remote machine, which eliminates the need for these features to be supported in the CA PAM RDP applet.