1. Move the xterm window, is there any error message displayed? On the grey screen left-click the mouse, Select XTerm | Select Black on White. Then click on the large T in the top left of the window - what error is shown? If the error disappears to quickly, replay the session logs.
2. Confirm that TPAM has network connectivity to the server:
From /tpam | Management | Network Tools | Telnet test, enter the server's IP | Change port to 3389 (Windows RDP port) and click test. If the PSM Affinity is set to a specific DPA (or allowed to be run on any DPA) ensure each DPA can communicate to the target server.
Please refer to Knowledge Article, Performing a Telnet port test from TPAM, for more information.
3. If using a DNS name for the "Network Address" on the System | Details | Information tab, ensure the record can be resolved from TPAM and all DPAs. Test using the IP address instead of a DNS name.
5. If Terminal Services/RD Session host is installed check that the settings are compatible with TPAM:
- Load "Terminal Services Configuration" on Windows 2003 or "Remote Desktop Session Host Configuration" from Windows 2008
From the RDP-Tcp options, ensure that Encryption Level is not set to "FIPS Compliant"
- Confirm the server has enough RD/Terminal Server licenses available
6. If the system is setup in TPAM as “Windows” or “Windows Desktop” ensure that the Computer Name field on the System | Details | Information tab has been filled in with the NETBIOS name of the target server in UPPERCASE.
7. Ensure that the user has the correct permissions to logon to the RDP session.
Note: The permissions required depend whether the "Enable Console Connection?" option is selected in the Accounts | PSM Details | General tab. For more information, What does the option "Enable Console Connection" do?
8. If the account is a Domain account , ensure it has NOT been created against a "Windows" system. Only local users can be defined against a "Windows" system. If a domain account is being used it need to be mapped see KB91407
9. Check the Event Viewer | Security logs on the target server for any failed events regarding the users attempted logon.
10. Test using different Affinity settings. I.e. If using a DPA, test from LocalServer.
NOTE: TLS 1.1 and 1.2 are not supported when using a DPAv3.
If you are unable to find the issue. Please supply the following information to Support via a service request:
- The Operating system version you are trying to connect to, e.g.: Windows 7, 2003, 2008, 2008 R2, Windows 2012 machine, etc.
- Is the machine a domain controller, member server or a standalone server?
- Is the account perform PSM a local account or domain account?
- Export of the Security Log from the target system covering the time period of the PSM attempt
- Registry export of TLS settings from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- Registrt export of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
- Screenshot of the PSM error from item 1 above
- A support bundle: How to create a Support Bundle in TPAM 2.5.
- Screenshot from network connectivity test from item 2 above
From the managed system in TPAM:
- Screenshot from "Details | Information" tab
- Screenshot from "Details | Connection" tab
- Screenshot from the "Affinity"
From the PSM account in question:
- Results of a "Check Password" from the account
- Screenshot from the "PSM Details | General" tab under the
- Screenshot from the "PSM Details | Session Authentication"
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité