Troubleshooting Windows transparent login problems passing data to backend

Article Id: 6682
Status: Published
Updated On: 14-02-2018 07:56
Legacy Id: TEC1297096
Products:
CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)
Issue/Introduction:

We have a java-based application to which we need to connect via a browser

As such we have configured transparent login to fill in the different fields by using mouseclicks and keystrokes, and this appears to work when using the Learning tool and the debug mode

However, when using the actual Transparent login in production, the password is never written, and sometimes not even the rest of the information, like IP, username or any arbitrary text

Cause:

There may be several causes for this but, fundamentally, when using the mouseclick and keystroke mechanism we are in fact configuring a position in the screen where PAM should be writing the values specified. Since we are not putting a reference to a class, this is purely positional.

This means that if the final screen where we are writing the data to differs from the one we used when doing the initial Transparent Login configuration, the system may be trying to write to the wrong position in the browser. There are at least two situations when this may be occurring

  • If the target machine is not configured to hide the taskbar. Under these circumstances, when we do the transparent login configuration the screen positions will be recorded taking into account the positions filled  by the taskbar, whereas when we attempt transparent login in production the backend will not show the taskbar, effectively shifting the positions in the screen
  • If the screen resolution is different when capturing the transparent login screen positions and when clients use the configuration. If we have, for instance, done the configuration with full screen, the relative positions may be different from the case where the remote screen that users open (for instance 1024x768)

Besides this we need to take into account that starting 2.8, the passwords are not being sent from the PAM server to the Transparent login backend, but instead they are being pulled by the transparent login backend from the PAM server. This means that any miscommunication, for instance, because of a DNS name resolution failure from the transparent login backend to the PAM server, or if a load balancer is configured without session persistence, may result in the transparent login machine not being efficiently communicating with the PAM server and it may not be retrieving the password for writing.

Environment:

CA PAM 2.7.X and 2.8.X

Resolution:

Please try the following resolutions

  • Configure taskbar autohide in the remote windows machine where transparent login is to work
  • Make sure that all users are using the same screen resolution and that this is the same used when configuring Transparent Login with the learning tool
  • Make sure that DNS resolution from the transparent login machine to the PAM server is fine and consistent every time
  • If you have a cluster with an external load balancer you may be having a session persistance problem. Make sure this is enabled to avoid response back from PAM to go to the wrong node. If this is not possible, as connect to one of the nodes (not the VIP) when you do the configuration of transparent login, so that the physical address of one of the nodes is recorded in the transparent login configuration and there is no ambiguity