Configuring Protected Users to rotate passwords and log in to remote Windows servers in CA PAM

Article ID: 420183


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

It is becoming quite commonplace in organizations to use the Windows Protected Users group to provide enhanced security for logins.

This poses some challenges for CA PAM, as Protected Users require Kerberos authentication. This feature has been available since version 4.1.X of the product, and there is a KB article explaining how it must be configured so that CA PAM can rotate the passwords of accounts in the Protected Users group.

However, in most organizations these accounts must also be used to perform autologin to remote workstations, so the question arises of how to configure this in CA PAM and what options there are.

Environment

CA PAM all versions above 4.1.X

Resolution

There is no support for logging in with Protected Users in the RDP Applet, but since version 4.2 there is support for a Kerberos KDC for RDP Proxy only, so this can be used to log in to a machine using a Protected User.

To do that you need to specify the actual domain name for the KDC. Do not use a hostname or IP address. The following screenshot shows an example.

Make sure there is name resolution to the Kerberos machine and that the example.com domain resolves to one or more IP addresses.

If you specify an IP address as the KDC or Realm name, this will not work.
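A small pre-flight check for the KDC field described above, added here as an example and not part of CA PAM or this article. It rejects IP literals and short hostnames, then confirms the domain resolves to one or more addresses; the `resolver` parameter is a hypothetical hook (defaulting to `socket.getaddrinfo`) so the check can be exercised offline. It cannot tell a fully qualified hostname from the domain name itself, so that part of the rule still needs an admin's eye.

```python
import ipaddress
import socket

KERBEROS_PORT = 88  # standard KDC port, used only for the resolution call


def classify_kdc_value(value: str) -> str:
    """Classify what was typed into the KDC field.

    Returns 'ip' for an IP literal, 'single-label' for a bare short
    hostname such as 'kdc01', and 'dns-name' for anything with a dot.
    """
    value = value.strip().rstrip(".")
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "." not in value:
        return "single-label"
    return "dns-name"


def check_kdc_setting(value: str, resolver=socket.getaddrinfo):
    """Validate a KDC / Realm value before saving it for RDP Proxy.

    Returns (ok, reason). An IP address or short hostname is rejected
    outright, matching the article's caveat; a domain name must also
    resolve to at least one address, because CA PAM has to reach the KDC.
    """
    kind = classify_kdc_value(value)
    if kind == "ip":
        return False, f"{value!r}: use the domain name, not an IP address"
    if kind == "single-label":
        return False, f"{value!r}: use the full domain name (e.g. example.com)"
    try:
        results = resolver(value, KERBEROS_PORT)
    except OSError as exc:
        return False, f"{value!r} does not resolve: {exc}"
    # getaddrinfo tuples end with a sockaddr whose first element is the IP
    addrs = sorted({entry[4][0] for entry in results})
    if not addrs:
        return False, f"{value!r} resolved to no addresses"
    return True, f"{value!r} resolves to {', '.join(addrs)}"


if __name__ == "__main__":
    for candidate in ("192.0.2.5", "kdc01", "example.com"):
        print(candidate, "->", check_kdc_setting(candidate))
```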

Logging in to a remote RDP system using a Protected User, which implies the use of Kerberos, is only supported for RDP Proxy. It is not supported and will not work for any other access method, that is, RDP Applet or RDP Gateway.