AppSSO fails with "401 : You are not authorised to perform this operation"

  • 7024160
  • 02-Oct-2019
  • 13-Nov-2019

Environment

Privileged Account Manager 3.6

Situation

AppSSO fails in either Direct or RemoteApp mode.
The Submit User starting the AppSSO session receives the following SecureLogin error dialog:
SecureLogin
401 : You are not authorised to perform this operation

"Run as privileged user" successfully launches the application as the appsso user, but SecureLogin (NSL) then fails to fill the credentials.

On the Manager that authorized the request, unifid.log reports one of the following:
Info, cmdctrl ssoAuth client:localhost rc:0 status:401(You are not authorised to perform this operation)
Info, cmdctrl ssoAuth client:localhost rc:170401 status:401(You are not authorized.)

Resolution

  1. Verify that the Submit User (the user trying to perform the privileged AppSSO) is authorized for access to the application.
    From the Reporting Console, check the recent sessions: is there a request to run the application whose "Command" is the AppSSO resource name from the Credential Vault (crdvlt)?

    Note:
    There will be one session authorizing the Submit User to run as the ssouser, with the Command being the path to the application (this is the "Run as privileged user" launch that succeeds). A second request should follow it, authorizing the credential fill with AppSSO; that second request is the one of interest here.

    • Is the Submit User being denied access to the Application SSO Rule?
      If this additional request is listed in the Reporting Console and the Authorize column shows "no", then cmdctrl has determined that the Submit User is not authorized for this application. Verify the Application SSO Rule in the Command Control Console and the policies related to it.

    • If only the AppSSO "Run as privileged user" session is listed, with no additional request for application authorization (i.e. no entry whose Command is the Credential Vault resource name), then continue below and verify the rest of the configuration.

  2. Verify that the RDP session from which the user is trying to perform privileged AppSSO is being monitored by PAM. If the session is not monitored, PAM refuses to release the credentials to NSL.

  3. Verify the configured appsso credential:

    • First, identify the SSO Credential configured for AppSSO in PAM:
      Hosts Console > Application SSO in the left pane > Credential.

    • Verify the appsso credential configuration:
      • In the Credential Vault (crdvlt), the Domain Name of the Resource must match the AD NetBIOS name.
        e.g. for domain\appssouser, 'domain' must be the 'Domain Name' of the Resource in the crdvlt.
        Note: This comparison is case-sensitive; match the case exactly.

        The following are a couple ways to verify the NetBIOSName in Windows:

        • PowerShell (with the Active Directory module for Windows PowerShell):
          PS > (Get-ADDomain).NetBIOSName
          domain

        • Command Prompt (logged in as the appsso user); the part before the backslash is the NetBIOS name:
          whoami
          domain\appssouser

      • The credential is the one the cmdctrl policy uses to Run the Application as a Privileged User.

    • Verify that the appsso user has access to the Framework: in the Framework User Manager Console it must be a member of the following PAM groups, which carry these roles (module:role):
      API Users - auth:api_token
      SSOAdmins - prvcrdvlt:credAdmin

  4. Verify that the AppSSO Resource in the Credential Vault has the correct Application File Path. NSL sends the executable path and the arguments passed to it to PAM; if these do not match what is configured on the Vault resource, PAM may be unable to match the request, and the credential fill fails.
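The following PowerShell script is an added example for steps 3 and 4; it is not part of this TID and not PAM or SecureLogin product code. It reads the NetBIOS domain name, compares it case-sensitively with the Domain Name you have configured on the Credential Vault resource, and then lists every process running as the appsso user so the executable path and arguments can be compared with the resource's Application File Path. The parameter values ($VaultDomainName, $VaultAppPath, $AppSsoUser) are hypothetical placeholders to be replaced with the values from your own Vault resource.

```powershell
# Added pre-check for the AppSSO credential configuration (example, not PAM code).
# Hypothetical defaults: replace with the values from your Credential Vault resource.
param(
    [string]$VaultDomainName = 'DOMAIN',                                  # 'Domain Name' on the crdvlt resource
    [string]$VaultAppPath    = 'C:\Program Files\Example\app.exe',        # 'Application File Path' on the resource
    [string]$AppSsoUser      = 'appssouser'                               # sAMAccountName of the appsso user
)

function Get-NetBiosDomainName {
    # Prefer the AD module (Get-ADDomain); fall back to the logon domain of the current session.
    if (Get-Command Get-ADDomain -ErrorAction SilentlyContinue) {
        return (Get-ADDomain).NetBIOSName
    }
    return $env:USERDOMAIN
}

function Test-VaultDomainName {
    param([string]$Expected, [string]$Configured)
    # The TID states the match is case-sensitive, so compare with -ceq, not the default -eq.
    if ($Configured -ceq $Expected) {
        Write-Host "OK: Credential Vault Domain Name '$Configured' matches NetBIOS name '$Expected'."
        return $true
    }
    if ($Configured -eq $Expected) {
        Write-Warning "Domain Name '$Configured' differs from NetBIOS name '$Expected' only by case; correct the case on the Vault resource."
    } else {
        Write-Warning "Domain Name '$Configured' does not match NetBIOS name '$Expected'."
    }
    return $false
}

function Test-VaultAppPath {
    param([string]$Configured, [string]$User)
    # Find the application as launched by "Run as privileged user" (process owner = appsso user)
    # and compare its executable path with the Vault's Application File Path.
    # Windows paths are case-insensitive, so -ieq is used here; the full path and command line
    # are printed so they can be pasted into the Vault resource exactly as the OS reports them.
    $found = $false
    foreach ($p in Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath }) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.User -ne $User) { continue }
        if ($p.ExecutablePath -ieq $Configured) {
            Write-Host "OK: PID $($p.ProcessId) runs as $User from '$($p.ExecutablePath)'"
            Write-Host "    command line: $($p.CommandLine)"
            $found = $true
        } else {
            Write-Warning "PID $($p.ProcessId) runs as $User from '$($p.ExecutablePath)', not the configured '$Configured'."
        }
    }
    if (-not $found) {
        Write-Warning "No process running as $User matched '$Configured'. Launch the application with 'Run as privileged user' first, or fix the Application File Path."
    }
    return $found
}

$nb = Get-NetBiosDomainName
Write-Host "NetBIOS domain name : $nb"
Write-Host "whoami reports      : $(whoami)"
$domainOk = Test-VaultDomainName -Expected $nb -Configured $VaultDomainName
$pathOk   = Test-VaultAppPath    -Configured $VaultAppPath -User $AppSsoUser
if ($domainOk -and $pathOk) { Write-Host "Credential and path checks passed; continue with steps 1 and 2." }
```

Run it on the Windows host where the AppSSO session is started, while the application launched by "Run as privileged user" is still open, so that the process owned by the appsso user is visible. Enumerating process owners and reading Get-ADDomain may require elevation and the RSAT Active Directory module respectively; without the module the script falls back to the logon domain of the account running it.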

Cause

A misconfiguration of AppSSO: the Submit User is not authorized by the Application SSO Rule, the RDP session is not monitored, the appsso credential (Domain Name, cmdctrl policy, or Framework group membership) is wrong, or the Application File Path on the Credential Vault resource does not match what NSL sends.