Limiting logon to computers through AD does not work
CA Privileged Access Management
PRIVILEGED ACCESS MANAGEMENT:CAPAMX
We are using some domain users for RDP service configurations in PAM. Everything works fine, but now, in order to improve security during the authentication process, we are forcing these domain users to be able to log on only to specific workstations using the configuration parameter of Microsoft Active Directory.
However, if we try to access the computers from CA PAM using RDP, a user authentication error is displayed indicating that the password has expired and requires changing, even though it is OK.
CA PAM all versions
If you want to use the Log On To setting, note that it refers to the end user's workstation and not the target workstation you are connecting to.
When you connect over RDP, Microsoft checks the Log On To list to see if you can log in. When the Target device is listed, the user will be granted local login access (console or direct keyboard/monitor access), but RDP from anywhere will fail.
In order to log in via RDP, the list must contain the host you are initiating the logon FROM (so, even though the tab says Log On 'To', in this case you need to specify the workstation you are logging in 'FROM'). This means the local workstation from which you launch MSTSC or PAM sessions.
If you put the Target device in the list, this won't work.
If you put the PAM server address in the list, on the grounds that access is "routed through PAM", this will not work either, because PAM is acting as a tunnel and so it just forwards the login information: it doesn't repackage it with its own hostname.
If you want to log in to
alone, then the only possible way of limiting it would perhaps be to filter that through a firewall on the machines themselves, since by design Microsoft looks at the machine initiating the connection.
Either specify the local workstations in the Log On To list, or use an altogether different method to limit connections to given servers.
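One way to check an account against the behaviour described above, as an added example that is not part of the original article or the product: it reads the account's Log On To list (the `LogonWorkstations` property in the ActiveDirectory PowerShell module), warns when only the target or the PAM host is listed, and adds the initiating workstations. The account name and all host names are constructed placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Account and host names are constructed placeholders.
param(
    [string]   $Account            = 'svc-pam-rdp',               # hypothetical account
    [string[]] $ClientWorkstations = @('ADMIN-WS01','ADMIN-WS02'), # hosts sessions start FROM
    [string[]] $Targets            = @('SRV-APP01'),               # RDP target devices
    [string]   $PamHost            = 'PAM01',                      # PAM appliance host name
    [switch]   $Apply                                              # without it, report only
)

$user = Get-ADUser -Identity $Account -Properties LogonWorkstations

# LogonWorkstations is one comma-separated string; empty means no restriction.
$current = @()
if ($user.LogonWorkstations) {
    $current = @($user.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
if (-not $current) {
    Write-Output ('{0}: no Log On To restriction is set' -f $Account)
    return
}

# Per the article, listing the target or the PAM host does not permit RDP.
$listedTargets = @($current | Where-Object { $_ -in $Targets })
if ($listedTargets) {
    Write-Warning ('Target(s) listed (console logon only): {0}' -f ($listedTargets -join ', '))
}
if ($current -contains $PamHost) {
    Write-Warning ('{0} is listed, but PAM forwards the logon without its own host name' -f $PamHost)
}

# The initiating workstations are the entries that must be present.
$missing = @($ClientWorkstations | Where-Object { $_ -notin $current })
if ($missing.Count -eq 0) {
    Write-Output ('{0}: all initiating workstations are already listed' -f $Account)
    return
}

$new = (@($current) + @($missing) | Select-Object -Unique) -join ','
if ($Apply) {
    Set-ADUser -Identity $user -LogonWorkstations $new
    Write-Output ('{0}: Log On To updated to {1}' -f $Account, $new)
} else {
    Write-Output ('{0}: missing {1}; would set {2}' -f $Account, ($missing -join ', '), $new)
}
```

Run it without `-Apply` first to review the proposed list before anything is written to the directory.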