Application SSO fails when Secondary Authentication is enabled in the Rule

  • 7023721
  • 15-Feb-2019
  • 15-Feb-2019

Environment

Privileged Account Manager 3.5

Situation

Application SSO fails when Secondary Authentication (2FA) is enabled in the Command Control Rule.
Application SSO works when Secondary Authentication is disabled.
When it is enabled, the user can download the RDP file and, after completing 2FA, the application launches successfully. However, when Secure Login tries to fetch the credentials from PAM, SSO fails with the following error:
"401 : User is not authorised to perform this operation".
The Reporting Console shows: <appsso> - command is not authorized.

Resolution

If the Application SSO option is set to Yes in the cmdctrl rule, set the cmdctrl option Secondary Authentication to No or leave it blank.
To achieve 2FA, configure it on the authorizing Direct-RDP rule.

Status

Reported to Engineering