The RDP Application Transparent Login feature of CA PAM allows for the passing of vaulted credentials to applications hosted on a remote Windows Server. There is a large amount of configuration that goes into getting this set up properly and it can be hard to figure out exactly where problems are coming from. This how-to troubleshoot guide was created to make it easier to identify where many common configuration errors come from so they can be resolved.
Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
When troubleshooting RDP Application Transparent Login there are 3 main things to look for:
1- Does the Application Load?
If the application never loads the RDP session will likely close almost immediately. The application not loading is usually caused by a misconfiguration on either the Windows Server or the CA PAM Appliance. Things to check:
A) If you are seeing a message saying "Access is denied. This initial program cannot be started..." while the RDP session is loading:
If this message mentions the application path: Ensure in both CA PAM & Windows RemoteRDP Application settings that the application has been published, the path is still correct and if required; any necessary parameters been defined & allowed.
If this message mentions the path to cmd.exe: Check out this Tech Doc:
B) Has the application been properly set up on the CA PAM Appliance?
This setup includes: RDP Application Settings, Assigning the RDP Application to a Device & Setting up a policy to allow a user to use the script.
The most common issue with this is incorrectly setting the Window Title. The Window title should be EXACTLY as it is on the window that is being interacted with (for example, if the main application title is "Application X" but the login boxes are in a separate window titled "Application X - Login Page" then "Application X - Login Page" should be used). The best way to get the exact Window Title is to use the learn mode Control Viewer. To get the exact title: Open RDP Learn Mode Session > Open the desired application window > Run Control Viewer (from the Learn Tool) > use the Browse Tool to get information about the window: under the Window tab click into the Title textbox and press ctrl + A to get the ENTIRE string and copy it. Please note that this MUST be EXACT or it will not work, for example it was found that one application had a space character at the end of the title ("Application X" vs "Application X ") and it did not work without the space, but it worked perfectly with the space.
C) Is the application able to load if Transparent Login is not enabled?
If the application is able to load without Transparent Login enabled then the problem has more to do with the Transparent Login functionality, not the RDP Application functionality.
2- Do the CMD Windows show up?
When the RDP window is launched for use with Transparent Login there should be a cmd window that shows up directly after logging in followed by another smaller cmd window. These windows are started by the execution of a batch script that launches the Transparent Login Agent which is used to actually perform the Transparent Login.
If one or both of these windows don't show up it is likely due to one of 3 reasons:
A) Transparent login may not be enabled on the Policy Settings.
Ensure Transparent Login is checked for the relevant policy.
B) cmd.exe was not properly published as a remote application on the Windows server. Please refer to this documentation page and see the part on "Configure cmd.exe as Remote App" for instructions:
C) This Windows server may have a security setting to disable Drive Redirection which blocks the ability to launch the Transparent Login Agent.
See this Tech Doc for information on this setting:
3- Does the Transparent Login script work?
A) Has this been successfully tested using the learn mode debugger?
The best way to write & test Transparent Login scripts is by using learn mode and the provided debugger. If the script doesn't work here then it likely won't work anywhere. Ensure that it works in debug before trying to use it.
B) Does any part of the Transparent Login script actually work?
If part of the script works then we know we know that the Transparent Login Agent is successfully launching and is able to interact properly with at least part of the application. The <activate> command may help by bringing the window into focus before performing actions on it. If this is a multi-window application you may need to use 2 or more transparent login scripts with multiple Window settings in the RDP Application settings (for example there may be a prompt for hostname on one window, then a new window could come up requesting the login credentials).
C) Are there special or non-english characters in the Window Title?
There have been some issues when using applications with special or non-english characters in the Window title. In the debugging cmd window it may be seen that these characters are turned into other characters (for example in one case an o character with an ` accent on it was changed to a <= sign). If this happens then the Transparent Login Agent will not be able to properly track the window. If possible try changing the Window Title, otherwise, this application will likely not work.
D) Is this a Java application?
Java applications are not supported for RDP Application Transparent Login. They do not work properly.
Please note that RDP Application Transparent Login will work for most, but not all applications. Some applications (like Java applications) will not work.
If Drive Redirection was disabled in your environment it is likely due to security requirements. You may want to consult your Windows &/or Security Administrators before making this changes to this setting.