RDP Gateway Authentication Error (Code: 0x80070057) when not using AutoLogon with CA Privileged Access Manager (PAM)

Article ID: 421802

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The error "An authentication error has occurred (Code: 0x80070057)" is consistently encountered when attempting to connect to a target server via the RDP Gateway in CA Privileged Access Manager (PAM) when the AutoLogon feature is disabled.
Connections using RDP Gateway with AutoLogon enabled are successful. The error occurs when the user attempts to manually log in through the PAM RDP Gateway session.

Environment

Product: CA Privileged Access Manager (PAM)
Component: RDP Gateway functionality
Affected Setting: Connecting via RDP Gateway with AutoLogon disabled.
External Factor: Windows Group Policy (GPO) enforcing Network Level Authentication (NLA).

Cause

The root cause is a conflict between the required security settings for the RDP Gateway in PAM when AutoLogon is disabled and a prevailing Windows Group Policy Object (GPO) on the target server.
The PAM RDP Gateway functionality, when AutoLogon is disabled, does not support Network Level Authentication (NLA). A Windows GPO was found to be overriding local settings and enforcing NLA via the policy:
Policy Name: "Require user authentication for remote connections by using Network Level Authentication"
This policy, when Enabled, forces the use of CredSSP (Enhanced RDP Security), which conflicts with the expected authentication method when AutoLogon is turned off, resulting in the 0x80070057 authentication error.

Resolution

Workaround: Disable the conflicting Windows Group Policy Object (GPO) on the target server(s).
Policy Location: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Policy Item: "Require user authentication for remote connections by using Network Level Authentication"
Setting this policy to Disabled or Not Configured and forcing a policy update (gpupdate /force) on the server will resolve the RDP Gateway authentication error when not using AutoLogon.
Product Limitation Note: RDP Gateway without AutoLogon is not currently supported by CA Privileged Access Manager (PAM) when NLA is enabled. To utilize this functionality, NLA must be disabled on the target server.
Enhancement Suggestion: For clients who require the RDP Gateway to function without AutoLogon while NLA remains enabled, Broadcom advises submitting an enhancement request through their communities using the instructions from the article: Submit enhancement for Privileged Access Management (PAM) instructions.
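Before changing the policy described above, it helps to confirm on the target server that NLA is actually required and that a GPO, not the local RDP-Tcp setting, is the source. The following PowerShell diagnostic is an added example, not part of this article or of the PAM product; it assumes the policy is mirrored in the registry under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` as the `UserAuthentication` value (where the Remote Desktop Session Host ADMX writes it) and that it is run in an elevated session on the target server.

```powershell
# Added example (not from the Broadcom article): report whether NLA is required on this
# Remote Desktop Session Host and whether Group Policy, rather than the local setting, enforces it.
# Assumption: the GPO value lands under the Policies hive as "UserAuthentication" (DWORD, 1 = required).
function Get-RdpNlaEnforcement {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # A value under the Policies hive exists only when a GPO configures the setting;
    # the local key holds what was set through System Properties or WMI.
    $policy = Get-ItemProperty -Path $policyKey -Name 'UserAuthentication' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -Name 'UserAuthentication' -ErrorAction SilentlyContinue

    # Effective value as the Remote Desktop service itself reports it.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"

    $source = if ($null -ne $policy) { 'GroupPolicy' }
              elseif ($null -ne $local) { 'Local' }
              else { 'Default' }

    $nlaRequired = [bool]$ts.UserAuthenticationRequired

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        NlaRequired           = $nlaRequired
        PolicyValue           = if ($null -ne $policy) { $policy.UserAuthentication } else { $null }
        LocalValue            = if ($null -ne $local)  { $local.UserAuthentication }  else { $null }
        EnforcedBy            = $source
        # PAM RDP Gateway without AutoLogon only works when NLA is not required.
        PamNoAutoLogonUsable  = -not $nlaRequired
    }
}

$state = Get-RdpNlaEnforcement
$state | Format-List

if ($state.NlaRequired -and $state.EnforcedBy -eq 'GroupPolicy') {
    $msg = 'NLA is enforced by GPO on {0}. Set "Require user authentication for remote connections ' +
           'by using Network Level Authentication" to Disabled or Not Configured, then run gpupdate /force.'
    Write-Warning ($msg -f $state.ComputerName)
}
```

Run it on each target server (or wrap the function in `Invoke-Command` against a list of hosts) both before the policy change and after `gpupdate /force` to confirm that `EnforcedBy` no longer reports `GroupPolicy` and `NlaRequired` is `False`.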