When we disable some less secure ciphers for Windows RDP connections, we find that PAM can no longer connect. We did disable TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, but we did not disable TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, which based on the PAM manuals should be valid (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-3/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/access-methods.html ).
We also confirmed with PowerShell that the Windows server supports TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
PS C:\Users\Administrator> get-tlsCipherSuite | ft name
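When you disable the cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, you are able to use TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, but you did not create or update your certificate in Windows as an ECDSA certificate. An ECDHE_ECDSA cipher suite can only be negotiated when the server presents a certificate with an ECDSA key, so with an RSA certificate this suite cannot be selected even though Get-TlsCipherSuite lists it as enabled.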
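One way to check this on the target server, as an added example that is not Broadcom's or Microsoft's own code: it reads the certificate bound to the RDP listener, determines its key type, and compares it with what each enabled cipher suite requires. The suite name in `$pamSuite` comes from the article; the variable names are illustrative.

```powershell
# Added example, not vendor code. Run elevated on the Windows RDP target.
# Suite name taken from the article; everything else is standard Windows tooling.
$pamSuite = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'

# Thumbprint of the certificate bound to the RDP-Tcp listener.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash

# Admin-assigned certificates live in the Personal store, the self-signed
# default in the "Remote Desktop" store.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
$cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object Thumbprint -eq $thumb | Select-Object -First 1
if (-not $cert) { throw "RDP certificate $thumb not found in $($stores -join ', ')" }

# Public-key OID decides which suites the server can authenticate with.
$keyType = switch ($cert.PublicKey.Oid.Value) {
    '1.2.840.113549.1.1.1' { 'RSA' }
    '1.2.840.10045.2.1'    { 'ECDSA' }
    default                { "OTHER($($cert.PublicKey.Oid.Value))" }
}

# Authentication algorithm each enabled suite requires, read from its name.
# TLS 1.3 suites (e.g. TLS_AES_256_GCM_SHA384) name none and work with either.
$suites = Get-TlsCipherSuite | ForEach-Object {
    $needs = if ($_.Name -match '^TLS_(?:ECDHE_|DHE_)?(ECDSA|RSA|DSS|PSK)_') { $Matches[1] } else { 'ANY' }
    [pscustomobject]@{
        Name   = $_.Name
        Needs  = $needs
        Usable = ($needs -eq 'ANY') -or ($needs -eq $keyType)
    }
}

"RDP certificate: $($cert.Subject) [$keyType]"
$suites | Format-Table -AutoSize

$row = $suites | Where-Object Name -eq $pamSuite
if (-not $row) {
    "$pamSuite is not enabled on this server."
} elseif (-not $row.Usable) {
    "$pamSuite is enabled but needs an ECDSA certificate; the RDP certificate is $keyType."
} else {
    "$pamSuite is enabled and matches the RDP certificate."
}
```

Run it before and after a cipher change: any suite with Usable = False is enabled in Schannel but cannot be negotiated with the certificate RDP currently presents.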
Release : 3.3, 3.4, 3.5