PAM - RDP connection setup¶
By default RDP / Terminal Server utilizes Security Layer: Negotiate with Client Compatible Encryption Level and Network Level Authentication (NLA) enabled.
The corresponding Excalibur PAM settings would be:
Ignore certificate - needs to be checked if the Terminal Server does not use a trusted CA certificate or the CA certificate it uses was not manually imported into the Excalibur PAM
Tresk - needs to be checked if target is in the network segment where tresk VM is located
Notice the separated Domain and Username fields - do not enter the domain name in the username field - always use the separate input elements
Notice the RemoteApp program name - this is the name that needs to be provided in PAM such that for this example the PAM configuration would look like:
Notice there is no extension like notepad.exe - just notepad - exactly as in the RemoteApp settings program name.
Corner cases - NLA disabled / TLS security layer¶
If NLA is disabled but TLS security layer was not such as for example using this configuration:
PAM needs to be configured to Security: TLS
Corner cases - NLA disabled / RDP security layer¶
If both NLA and TLS security layers are disabled, such as in this configuration:
PAM needs to be set to Security: RDP
Note that RemoteApp will not work on the RDP security layer! This is a limitation of Terminal Server not Excalibur.
Terminal Server configuration UI does not always update system registry, also Terminal Server sometimes ignores configuration changes until a reboot. This can lead to situations where the system configuration UI shows that some configuration but the system is behaving completely differently.
To detect such situations open system registry and go to:
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Find the SecurityLayer Key, it will have one of the following values:
Key: SecurityLayer :
0 - RDP
1 - Negotiate
2 - TLS
Terminal Server reads this value - whatever the system configuration UI is showing, this registry value will be used on the next start of the Terminal Server.