PAM: Failed to connect to target server

Hello everyone,

We are currently performing the initial installation of the PAM machines. However, when we attempt to connect to any machine after completing the provisioning correctly, we open the RDP file that is created, but the attached error appears.


We do not have any problems on the first machine, only on the second one.
The machines are in HA.

I have also attached some logs in case they may assist someone (I have changed the domain name for privacy reasons).
log.xlsx (13.3 KB)

If I try to connect directly via RDP from those machines, the issue does not arise.

Thank you,
Giacomo

Hi Giacomo,

Thanks for reaching out!

It looks like this will require some investigation of the environment (settings on the target resource, NPS server activity/resource configuration, etc.). Can you please open a ticket with our Support Team so they can assist?

- Dan

Hi Dan,

We have already opened this one: 00449226.

Thanks,
Giacomo.

Hi Giacomo,

While you wait for support to help, some things that you can review:

  1. For troubleshooting, enable the Connection Profile option that allows users to view the password in the UI. Try connecting directly to your target with your RDP client and the user for the session.

  2. Make sure the group you are adding the user to is allowed RDP access.

  3. Review the Windows event logs and look for logon failures.

  4. If you have multiple sites and your target resource is not in the same site as your PDCe, it may be an AD replication issue. New users are added to the PDCe, groups are updated on the PDCe. Replication between sites happens at slower intervals than between same-site DCs. Add the Run AD Replication for User step to your activity after adding the user to the group.

2 Likes
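
For steps 2 to 4 above, an added example (not part of the thread or of the vendor's tooling): a PowerShell query, run elevated on the target resource, that lists recent failed logons (Security event 4625) and decodes the failure code. The one-hour window is an assumption; set it to cover the time of the failed session.

```powershell
# Added example: list recent failed logons on the target and explain why they failed.
# Assumption: the failed PAM session was attempted within the last hour.
$since = (Get-Date).AddHours(-1)

# NTSTATUS codes commonly reported in the SubStatus/Status fields of event 4625.
$reasons = @{
    '0xc0000064' = 'Account does not exist (not yet replicated to this DC?)'
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Generic logon failure'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc000015b' = 'Logon type not granted (user/group lacks RDP logon right)'
    '0xc0000234' = 'Account locked out'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
ForEach-Object {
    # Flatten the named EventData fields into a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    # SubStatus is the specific reason; fall back to Status when it is zero or absent.
    $code = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') {
        $data['SubStatus']
    } else {
        $data['Status']
    }
    $key = if ($code) { $code.ToLower() } else { '' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']   # 10 = RDP, 3 = network (seen with NLA)
        Source    = $data['IpAddress']
        Code      = $code
        Meaning   = $reasons[$key]
    }
} |
Sort-Object Time |
Format-Table -AutoSize
```

An empty result means no failed logon reached this machine in the window, which points away from the target's own logon policy.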

Hello Kevin,

Thank you for your response.

  1. From where can I activate this option?
  2. Yes, the user can access via RDP; we do not have issues from the primary machine.
  3. Nothing is amiss.
  4. We have only one site.

In your Access Policy configuration, there is a Connection Profile setting.

My “Access NPS Server” policy is shown below. Click the blue arrow to go to the Connection Profile for your policy.

Scroll down to Credential Management

Select the Enable 'Show Password' option

Scroll down and click Save

HTH,
-Kevin

1 Like

I enabled what you instructed, and I managed to connect via PAM (no RDP) without copying the password, and it worked on both machines! Then, I tried disabling the password visibility again, restarted the servers, and it still works.
Is it possible that toggling this option has unlocked something?

Additionally, I noticed that previously, when the issue was still present, the “SIEM Service” entry was red on the problematic machine; now it appears as follows:

Thank you,
Giacomo.

Not really sure why it would start working unless something else has changed…

Were any of the NPS services restarted in between your testing?
Just wondering if there was a service holding on to an old encryption key or setting.

Thanks for letting us know that you are now able to connect.

No alterations have been made.