PAM Login Integration problem with Windows PUPM endpoint

Article ID: 264387


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When trying to establish an RDP connection from PAM to a device with Login Integration checked in the Access Policy, PAM returns the error message:

"This computer can not establish a session with the remote computer. Try connection again. If the problem continues, contact the owner of the remote computer or your network administrator."

and the connection is not established.

In some cases the session may launch, but never complete the connection and just disappear after about 20 seconds.

Cause

The PUPM agent did not register with PAM because it was not configured to do so. Even after registration, the integration may still not work if it is not fully enabled in the Windows registry, or if the PUPM flags are not set properly for the account used for auto-login.

Resolution

Change the following values under the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\common\AgentManager\Plugins\PupmAgent

AutoRegister = 1

ScheduleType = 1

Note that this requires the agent to be stopped (secons -s).

Additionally, make sure that the following values are set under the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent

EnableLogonIntegration = 1

OperationMode = 1


Once the registry settings are in place, start the agent with "seosd -start". After a couple of minutes you should see the PUPM Agent as active on the Devices > Device Agent Status page in the PAM UI for this device.

In addition to the registry updates, make sure to set pupm_flags for the account used for auto-login from PAM so that it uses the original identity. Run "selang" to enter the PAMSC command shell, and then enter the following selang command:

editusr <Account that is used for Autologin> pupm_flags(use_original_identity)

Example:

editusr myhost\pamadmin1 pupm_flags(use_original_identity)


Now launch the RDP client or RDP Proxy service from PAM to establish an RDP session, then open a command window. For PAM user "globaladmin" using target account "myhost\pamadmin1" for auto-login, the "secons -whoami" command will show the PAM user name as "PUPM User":

C:\Users\pamadmin1>secons -whoami
CA Privileged Access Manager Server Control secons v14.10.40.48 - Console utility
Copyright (c) 2018 CA. All rights reserved.

ACEE handle '17' represents 'PUPM User': globaladmin (OS User)
 ACEE was created at: Wed Oct  9 10:10:38 2024
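The registry portion of the resolution above can be audited (and optionally corrected) with the following PowerShell script. It is an added example, not code from the Broadcom article or the PAMSC product; it assumes an elevated PowerShell session on the endpoint, and the key paths and values are exactly those the article lists. The selang pupm_flags step and the secons -whoami verification remain manual.

```powershell
# Added example (not from the article): audit the PUPM login-integration
# registry values named in the resolution and report any that differ.
# Run with -Fix to write the expected values. As the article notes, the
# agent must be stopped first (secons -s) and restarted after (seosd -start).
param([switch]$Fix)

$Expected = @{
    'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\common\AgentManager\Plugins\PupmAgent' = @{
        AutoRegister = 1
        ScheduleType = 1
    }
    'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent' = @{
        EnableLogonIntegration = 1
        OperationMode          = 1
    }
}

$problems = 0
foreach ($key in $Expected.Keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "Missing key: $key (is the PAMSC agent installed on this host?)"
        $problems++
        continue
    }
    foreach ($name in $Expected[$key].Keys) {
        $want = $Expected[$key][$name]
        # $have is $null when the value does not exist at all
        $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($have -eq $want) {
            Write-Host "OK       $name = $have  ($key)"
            continue
        }
        $problems++
        $shown = if ($null -eq $have) { '<not set>' } else { $have }
        Write-Host "MISMATCH $name = $shown, expected $want  ($key)"
        if ($Fix) {
            # REG_DWORD matches the numeric values given in the article
            Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord
            Write-Host "  -> set $name = $want"
        }
    }
}

if ($problems -eq 0) {
    Write-Host 'All PUPM login-integration registry values are as expected.'
} else {
    Write-Host "$problems value(s) needed attention. After restarting the agent, confirm it shows as active under Devices > Device Agent Status in the PAM UI."
}
```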