RDP servers are configured as members of a device group that has AD as a credential source. Access policies are configured for each user against the device group, and the RDP access method has a user-specific account assigned for auto-logon. Most devices also have a common local account that should be available for auto-logon. Users have custom roles with specific Credential Management user group assignments and are subject to the product feature Dynamically Add Devices and Target Accounts to the Access Page Based on Target Group Membership. PAM is therefore expected to add the common account for auto-logon. It does so for most devices, but not for all, and there is no obvious difference in how the working and non-working devices and accounts are configured.
4.2 GA (4.2.0)
The problem devices had their name and address configured in PAM with different case, e.g. the name was entered as MYPAMSERVER and the address as mypamserver.example.com. Generally this should not matter, because device names should be case-insensitive. However, there was one place where a case-sensitive comparison between a name and an address was done while adding target accounts dynamically, and some accounts were dropped from the access page because of the mismatch.
As a workaround, change the device name or the address so that both use the same case.
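To find the devices that need this workaround, the following added example (not Broadcom code) scans a device inventory for names that match the address, or its first DNS label, only when case is ignored. The CSV layout with `name` and `address` columns and the sample rows are constructed for illustration, and comparing against both the full address and the short host name is an assumption, since the exact comparison PAM performed is not documented here.

```python
import csv
import io

# Constructed sample inventory. The column names "name" and "address" are
# assumptions for this example, not a documented PAM export format.
SAMPLE_CSV = """name,address
MYPAMSERVER,mypamserver.example.com
rdp01,rdp01.example.com
RDP02.example.com,rdp02.example.com
jumpbox,10.0.0.15
Files01,files01
"""


def find_mismatches(csv_text):
    """Return (name, address, suggested_name) for devices whose name and
    address refer to the same host but are written in different case."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        address = row["address"].strip()
        # A device may be named by FQDN or by short host name, so compare
        # the name against the full address and against its first label.
        for candidate in (address, address.split(".", 1)[0]):
            if name.lower() == candidate.lower() and name != candidate:
                # Same host, different case: suggest the address's spelling.
                flagged.append((name, address, candidate))
                break
    return flagged


if __name__ == "__main__":
    for name, address, suggestion in find_mismatches(SAMPLE_CSV):
        print(f"{name!r} vs {address!r}: rename device to {suggestion!r}")
```

Each reported device can be renamed to the suggested spelling, or its address can be changed to match the name instead.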
The problem is fixed in PAM 4.2.1+; see the following item on the page Resolved Vulnerabilities and Issues in 4.2.1:
33590740 DE586983 Inconsistent dynamic addition of target accounts for device access.
In PAM releases prior to 4.3, the PAM administrator had no control over this feature. Since the 4.3 release, the dynamic addition of devices and target accounts for users with specific Credential Management user group assignments can be turned off; see the section Dynamically Add Devices and Target Accounts to the Access Panel Based on Target Group Membership on the page New Features and Enhancements in 4.3.