Limiting logon to computers through AD "Log On To" does not work for RDP through PAM

Document ID : KB000126477
Last Modified Date : 11/02/2019
Issue:
We use domain user accounts for RDP service configurations in PAM, and everything works. To tighten the authentication process we now want to force these domain users to log on only to specific workstations, using the Log On To: setting of Microsoft Active Directory.

However, when we try to access the computers from CA PAM over RDP, a user authentication error is displayed stating that the password has expired and must be changed, even though the password is valid.
Environment:
CA PAM all versions
Cause:
The Log On To setting is evaluated by the domain controller against the name of the workstation that submits the logon request. For an RDP session that is the end user's workstation running the RDP client (with Network Level Authentication the client authenticates before the session ever reaches the target), not the target machine you are connecting to.

When you open an RDP session, the domain controller checks the Log On To list to decide whether the logon is allowed. If only the target device is listed, the user can log on locally at that device (console, or direct keyboard and monitor), but RDP from anywhere will fail, because the name presented to the domain controller is the client's, not the target's. The rejection is reported back to the RDP client as a password-expired error, which is misleading.

To log in via RDP you must list the host the logon is initiated FROM (so, although the tab says Log On 'To', in this case you specify the workstation you are logging in 'FROM'). That is the local workstation where MSTSC or the PAM client session is launched. The list holds NetBIOS computer names, not FQDNs.
  • Listing the target device does not work.
  • Listing the PAM server address does not work either, even though access is "routed through PAM": PAM acts as a tunnel and forwards the logon data unchanged; it does not repackage it under its own hostname.

If the goal is to allow the account to log in to computer1, computer2 and computer3 only, Log On To cannot express that for RDP, because Windows evaluates the machine initiating the connection. The restriction has to be enforced on the target machines themselves, for example with a host firewall rule that accepts RDP only from the PAM server.
Resolution:
Either list the local (source) workstations in Log On To, or use an altogether different method to limit which servers the account can reach, such as controls on the targets themselves: host firewall rules, membership of the target's Remote Desktop Users group, or the "Allow log on through Remote Desktop Services" user right.
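The first option of the resolution in PowerShell, as an added example that is not part of KB000126477 or of CA PAM: it sets the Log On To list for a PAM service account to the source workstations (not the RDP targets), reads the value back, and then queries a domain controller for NTLM validations rejected by the workstation restriction, which is what the misleading password-expired message in the Issue section hides. The account name and host names are placeholders.

```powershell
# Added example, not part of KB000126477. Account and host names are placeholders.
Import-Module ActiveDirectory

$account     = 'svc-pam-rdp'                      # placeholder sAMAccountName
$sourceHosts = @('PAMCLIENT01', 'PAMCLIENT02')    # workstations the MSTSC/PAM sessions start FROM
$targetHosts = @('APPSRV01', 'APPSRV02')          # RDP targets: listing these is the mistake the KB describes

# LogonWorkstations maps to the userWorkstations attribute: a comma-separated
# string of NetBIOS names (no FQDNs) that is replaced as a whole on every write.
function Set-LogonSources {
    param([string]$Identity, [string[]]$Hosts)
    Set-ADUser -Identity $Identity -LogonWorkstations ($Hosts -join ',')
    # Read back what the domain controller will compare the logon workstation against
    (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
}

# Correct: restrict to the source workstations.
Set-LogonSources -Identity $account -Hosts $sourceHosts
# Would break every RDP logon through PAM (see Cause):
#   Set-LogonSources -Identity $account -Hosts $targetHosts
# To lift the restriction entirely:
#   Set-ADUser -Identity $account -LogonWorkstations $null

# Run on a domain controller. NTLM validations rejected by the workstation
# restriction are logged as event 4776 with Status 0xC0000070
# (STATUS_INVALID_WORKSTATION). The Workstation field is the name the DC actually
# compared, which for RDP through PAM is the client, not the target or the PAM
# server. Kerberos-authenticated logons are reported in events 4768/4771 instead.
function Get-WorkstationRestrictionFailures {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Workstation = ($d | Where-Object Name -eq 'Workstation').'#text'
                Status      = ($d | Where-Object Name -eq 'Status').'#text'
            }
        } |
        Where-Object { $_.Status -eq '0xc0000070' }   # -eq is case-insensitive
}

Get-WorkstationRestrictionFailures | Format-Table -AutoSize
```

Run the first part from any host with the ActiveDirectory module and rights on the account; run the second part on a domain controller (or against its forwarded Security log). If the Workstation column shows the PAM client machines while the logons still fail, the name in Log On To does not match the NetBIOS name the client presents; if it shows the PAM server, the session is not being authenticated from the workstation you expected.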