ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to make RDP through CA PAM work with CredSSP and AD Protected User Groups


Article ID: 199786


Updated On:


CA Privileged Access Manager (PAM)


CA PAM 3.4 has been deployed, but during testing it was highlighted that both CredSSP, as specified in:

as well as the Protected AD Groups feature, as outlined in:

However, CredSSP is a required feature of the environment to be deployed, especially with respect to RDP to Windows 2019 servers.

Is there any way to have both features work in PAM while waiting for support for both in the RDP applet coming with the product ?




The solution is to use an RDP Proxy service launched directly from the client or from the CA Agent to connect to the remote machine configured with CredSSP and/or Protected Groups.

The main difference between this scenario and the "native" CA PAM RDP connection is that using the RDP Proxy or the CA Agent, no CA PAM applet is launched: the appliance provides tunneling for connection between the local computer and the remote machine, thus eliminating the need for support of these features in the CA PAM RDP Applet.