We have a PAM cluster with a VIP FQDN that connects to a cluster node through an external load balancer. When we use the VIP FQDN in a browser to access PAM and are connected to one of the cluster nodes, access methods work as expected; when the load balancer connects us to the other node, they don't, and just hovering over an RDP access link shows no local drives under "Drive Mapping:".
The CA PAM client log shows error messages similar to the following:
liveconnect: The html source is on the ESL or covered by a DRS run rule, however the jar's Caller-Allowable-Codebase attribute exists and does not include this source
When we connect to the node directly using its host name, there is no problem.
This is similar to the problem described in KB doc TEC1769207. However, the solution provided there does not work for a cluster using an external load balancer. When the external load balancer, rather than the PAM internal one, connects to one of the cluster nodes, the URL does not change and the client finds itself connected to the VIP FQDN. It turned out that on the problem cluster node the client jar files (applets) had been signed using the local FQDN, consistent with what the old KB doc suggests. When the Java plugin of the browser connected to the VIP FQDN received the client jar files, it found a mismatch between the URL used and the name that the jar files were signed with, and rejected their use.
Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
If there is no unique name with which a PAM node is accessed, re-sign the jar files with an empty Xsuite Domain name. If you only use the cluster FQDN, and you use an external load balancer, you may sign the applets using the cluster FQDN, but then you will not be able to use access methods when logged on to an individual cluster node directly using its host name or IP.
Signing the applets will take a couple of minutes. Once it's done, you should see a message like the following in the Session logs. Note the wildcard character at the end of the message.
"Xsuite applets successfully signed with Default Xsuite Applet Certificate and domain(s) *"
It is recommended to log out of PAM and clear the Java cache using the Java Control Panel. Afterwards you should be able to access PAM using either the local hostname, IP, or the VIP FQDN without having a problem with the plugins.
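The mismatch described above (a jar signed with the node FQDN being loaded from the VIP FQDN, and the "*" domain that an empty Xsuite Domain name produces) as an added illustration that is not CA's code or a PAM tool: a small Python check that reads a jar's MANIFEST.MF and tests whether its Caller-Allowable-Codebase attribute covers the URL the browser used. The jar is built in memory, and the host names pam-node1.corp.example and pam-vip.corp.example are constructed samples.

```python
import fnmatch
import io
import zipfile
from urllib.parse import urlparse


def _wrap72(line: str) -> str:
    # The jar tool wraps manifest lines at 72 bytes; continuation lines start with a space.
    out, rest = line[:72], line[72:]
    while rest:
        out += "\r\n " + rest[:71]
        rest = rest[71:]
    return out


def build_sample_jar(codebase: str) -> bytes:
    """Constructed sample jar (not a real PAM applet) carrying the given attribute value."""
    manifest = "\r\n".join([
        "Manifest-Version: 1.0",
        _wrap72(f"Caller-Allowable-Codebase: {codebase}"),
        "Application-Name: constructed-sample-applet",
    ]) + "\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def read_manifest(jar_bytes: bytes) -> dict:
    """Parse META-INF/MANIFEST.MF, rejoining wrapped lines before splitting key: value."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        raw = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    lines = []
    for line in raw.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]      # continuation of the previous attribute line
        elif line.strip():
            lines.append(line)
    return {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines)}


def codebase_allows(attr_value: str, page_url: str) -> bool:
    """True if the page's host is covered: '*' covers all, '*.domain' covers subdomains,
    a URL or bare host must match the page host (case-insensitive)."""
    host = (urlparse(page_url).hostname or "").lower()
    for entry in attr_value.split():
        if entry == "*":
            return True
        entry_host = entry.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
        if fnmatch.fnmatchcase(host, entry_host):
            return True
    return False


def check_jar_against_url(jar_bytes: bytes, page_url: str) -> bool:
    attr = read_manifest(jar_bytes).get("Caller-Allowable-Codebase", "")
    return codebase_allows(attr, page_url)
```

A False result for the VIP URL is exactly the condition behind the "does not include this source" message; a jar signed with an empty domain yields "*" and passes for every host.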