Sessions disappear from User Console page (myaccess) after configuring AAF

  • 7023181
  • 17-Jul-2018
  • 17-Jul-2018


Privileged Account Manager 3.5
Privileged Account Manager 3.2
Identity Manager (IDM) 4.7


After configuring AAF, sessions disappear from User Console page (myaccess)
Logs: Error, Peer authorization error mfclient\user1@pamsrvr accessing admin.logSession


The fix is to configure IDM driver policy to set UserGroup member as <domain>\<user> instead on <user> alone. Please configure PAM driver to add value of UserGroup member as domain\username.


AD user is not able to see the policies assigned to him, as his user name is read by PAM as <domain>\<user> instead of <user>. This happens only in IDM + AAF combination.


Reported to Engineering

Additional Information

Steps to Duplicate:

  1. Create UserGroup
  2. Create Rule for RDP
  3. link RPD session to the Rule
  4. Login to Myaccess page as a user and check that the RDP Session is listed.
  5. Link UserGroup to the rule and check that the RDP Session disappears from the list.
  6. Using Idmdash create Resource with entitlement, select UserGroup Entitlement and select the UserGroup created in step 1 as the entitlement value.
  7. Assign the resource to the user and check that the RDP Session is listed again.
  8. Configure AAF and in the RDP Session Rule enable second factor authentication.
  9. Notice that the RDP session is no longer listed.