Skip to content

PAM - RDP connection setup

Default Settings

By default RDP / Terminal Server utilizes Security Layer: Negotiate with Client Compatible Encryption Level and Network Level Authentication (NLA) enabled.

The corresponding Excalibur PAM settings would be:

Security: any

Ignore certificate - needs to be checked if the Terminal Server does not use a trusted CA certificate or the CA certificate it uses was not manually imported into the Excalibur PAM 

Tresk - needs to be checked if target is in the network segment where tresk VM is located


Notice the separated Domain and Username fields - do not enter the domain name in the username field - always use the separate input elements


Notice the RemoteApp program name - this is the name that needs to be provided in PAM such that for this example the PAM configuration would look like:

Notice there is no extension like notepad.exe - just notepad - exactly as in the RemoteApp settings program name.

Corner cases - NLA disabled / TLS security layer

If NLA is disabled but TLS security layer was not such as for example using this configuration:

PAM needs to be configured to Security: TLS

Corner cases - NLA disabled / RDP security layer

If both NLA and TLS security layers are disabled, such as in this configuration:

PAM needs to be set to Security: RDP

Note that RemoteApp will not work on the RDP security layer! This is a limitation of Terminal Server not Excalibur.


Terminal Server configuration UI does not always update system registry, also Terminal Server sometimes ignores configuration changes until a reboot. This can lead to situations where the system configuration UI shows that some configuration but the system is behaving completely differently.

To detect such situations open system registry and go to:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the SecurityLayer Key, it will have one of the following values:

Key: SecurityLayer :   

0 - RDP

1 - Negotiate

2 - TLS

Terminal Server reads this value - whatever the system configuration UI is showing, this registry value will be used on the next start of the Terminal Server.

Further materials

Excalibur Administrator Dashboard Manual

Excalibur PAM Manual

Excalibur FAQ