Application SSO is not authorized when cmdctrl rule is placed as a child in hierarchy

  • 7023299
  • 23-Aug-2018
  • 13-Nov-2019

Environment

Privileged Account Manager 3.5

Situation

Application SSO does not work when the cmdctrl application rules are places as children to some parent cmdctrl rule:

> Rules
  > Application SSO - "Works"

> Rules
  > Parent rule without any condition criteria
    > Application SSO - "Does not work"


Application Single Sign-On (AppSSO): Remote App and Direct Access Modes

Remote App Mode:
Launching Application SSO session from User Console (MyAccess) reports the following:
FAILED TO LAUNCH THE SESSION
You are not authorized to access this remote desktop session

Direct Access Mode:
Run as privileged user launches app, but does not auto-fill privileged credentials.

Resolution

Application SSO requires that any parent rule(s) in Command Control need to have the following configuration:

  • Rule Condition: "command IN Application SSO"
  • Modify the rule so that "Application SSO" checkbox has "Yes" selected

This has since been resolved in PAM 3.6.0.1:


Cause

Requirements for AppSSO on parent rules in Command Control hierarchy.

Additional Information

Example pseudocode for the parent rule(s):

Begin Rule :Application SSO
IF (command IN Application SSO)
THEN
       Set Application SSO : yes

       < Child AppSSO rules contained here >

END IF
END RULE :Application SSO

Feedback service temporarily unavailable. For content questions or problems, please contact Support.