CA PAM Support for CredSSP

Article ID: 187142


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After setting the Encryption Oracle Remediation policy setting "Force Updated Clients" according to Microsoft's website (https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea) on several Windows systems, users are not able to log in to any of these systems through PAM. The users receive errors like the following:

2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]

Environment

Privileged Access Manager, all versions

Cause

This is caused by setting the Encryption Oracle Remediation policy to "Force Updated Clients". With this setting, the built-in RDP applet will not work.

Resolution

Set the Encryption Oracle Remediation policy setting to "Mitigated" on those systems where CredSSP has been deployed and a connection from PAM is required.

Additional Information

Please note

For PAM versions 3.4 and above, the "Force Updated Clients" registry value can be used. The built-in RDP applet will not work, but the new RDP Proxy functionality can be used with any local RDP client on the user's desktop.

Please see the following documentation/video on this:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-6/release-information/new-features-and-enhancements-in-3-x-releases/new-features-and-enhancements-in-3-4.html#concept.dita_97029b778cfd380e0edca2b1b71f2be6a0289cf2_RDPProxy
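
To check which Encryption Oracle Remediation setting a target host currently has, and to apply the "Mitigated" resolution above, the following PowerShell can be run on the Windows system. This is an added example, not Broadcom's or Microsoft's own code; the registry path and the 0/1/2 value mapping are taken from the Microsoft CVE-2018-0886 article linked above, and the function names are hypothetical.

```powershell
# Registry location Microsoft documents for the Encryption Oracle Remediation policy.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name = 'AllowEncryptionOracle'

# Value-to-setting mapping from the Microsoft CVE-2018-0886 guidance.
$Settings = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleSetting {
    # Returns the current setting; a missing value means the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Setting = 'Not configured (OS default applies)' }
    }
    $value = [int]$item.$Name
    $label = if ($Settings.ContainsKey($value)) { $Settings[$value] } else { "Unknown ($value)" }
    [pscustomobject]@{ Value = $value; Setting = $label }
}

function Set-EncryptionOracleMitigated {
    # Applies the article's resolution: value 1 ("Mitigated"). Requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Set to 1 (Mitigated)')) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

$current = Get-EncryptionOracleSetting
'{0}: {1}' -f $env:COMPUTERNAME, $current.Setting
if ($current.Value -eq 0) {
    # Matches the failure described in this article (NTLM handshake ASN1Exception in the applet).
    'Built-in PAM RDP applet will fail against this host; use Mitigated, or RDP Proxy on PAM 3.4+.'
    # Set-EncryptionOracleMitigated -WhatIf   # preview the change; remove -WhatIf to apply
}
```

Where the setting is delivered by Group Policy, change it in the GPO instead, since a local registry edit under the Policies key is overwritten at the next policy refresh.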