Support

Support forum for Devolutions PAM

davidruecklinger

Resolved

Error message in PAM via Devolutions Workspace on Mobile

Hello! As soon as I check in to PAM via Devolutions Workspace on my smartphone, I receive the following error message by email:

Error: ArgumentNullException - Value cannot be null. (Parameter 'g')
   at System.ArgumentNullException.Throw(String paramName)
   at System.Guid..ctor(String g)
   at Devolutions.Server.Controllers.APIControllers.V2.AttachmentController.GetPrivateAttachments(AttachmentFilter filter)
   at lambda_method1741(Closure, Object, Object[])
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
--- Default Source: System.Private.CoreLib

In general, it takes some time for accounts to be upgraded before the changes actually take effect, even if the browser is refreshed or restarted. Concerning Microsoft Entra ID, DVLS 2025.3.14.0

32

4

Erica Poirier

jquintard

PAM or not to PAM

Hi there,

I don’t understand how the Devolutions PAM works, or I might be missing something. For me, PAM involves several actions:

1. Rotating passwords
2. Protocol break between client/server (for example, no direct access to the RDP port)
3. Recording sessions as video
4. Allowing privileged sessions with a workflow/approval system
5. Potentially being able to block certain actions or commands on systems

Which of these actions are handled by Devolutions? I believe that for points 2 and 3, it is necessary to go through Devolutions Gateway. Is that correct?

My usage is internal only. I mainly want to use PAM for actions 1 to 3 for the IT Admin team. What I don’t understand now is how to import PAM accounts for individual use. Let me explain:

In my Active Directory, I have T0 and T1 OUs (for a tiering model). In T0 and T1, I have admin accounts (e.g., t0.jdoe, t0.bdupont, t1.jdoe, t1.bdupont). These are the privileged accounts. On the Devolution Server, I therefore have a user John Doe and a user Bernard Dupont. On RDM, each of them has T0 resources (AD VMs, routers, etc.) and T1 resources (business VMs, switches, etc.).

How can I ensure that John Doe can only use his own accounts (t0.jdoe on T0 resources and t1.jdoe on T1 resources) and not Bernard Dupont’s accounts? At the moment, he can see all of them.

Jerome

46

2

William Alphonso

simone9

Resolved

PAM checkout takes a long time and/or returns error

Hello,

we are currently experiencing significant issues with RDM and hope that you can assist us. When connecting a session with PAM credentials, the checkout dialog with JIT group appears, but shortly thereafter we receive a message that the account is already checked out. Prior to this connection attempt, the user was checked in. And even if it was checked out, the connection could be established directly without the checkout dialog.

A few points at a glance:
- Current versions: RDM 2025.3.29.0 / DVLS 2025.3.14.0. The problem has only existed since 2025.3.x, but it is unclear exactly since which version, approx. 8 weeks.
- All users use the same RDM version, some locally, some via RDS.
- The problem occurs with different PAM providers, but not always and not with all users.
- When connecting to a session, the PAM checkout dialog appears immediately, but then it takes a long time to establish the session, up to 17 seconds, even for successful logins without error messages.
- Logins are fast with non-PAM credentials.
- Manual checkout of accounts (in the PAM vault) also takes a long time.
- From time to time, employees lose their user-specific settings, and all stored credentials are then gone, leaving the list empty. This also affects some users more often than others.

Thank you and kind regards,
Simone

90

8

William Alphonso

stephencourtney1

Scan doesn't return any users

We're trialling the PAM system at the moment, and I'm having problems with the scans - they don't seem to return any users at all. The following are in place:
- A provider setup (for our Active Directory) and the connection test passes
- A scan configuration, for an OU in that directory that contains users

If I run the scan (or wait for it to run as scheduled) I don't get any results.

72

2

Marc-Antoine Dubois

derrybirse

Configure Permissions on Multiple Accounts in same folder of same PAM Vault

Is it possible to perform any mass configuration (in particular setting of permissions) of accounts held in the same folder of the same PAM vault? Or is it only possible by means of inheritance or setting permissions on an account by account basis? We have an L1 folder containing, for example, the accounts serviceA_01, serviceB_01, serviceC_01, serviceA_02, serviceB_02, serviceC_02. We want to grant L1_user_01 access to all of the *_01 accounts in the L1 folder and grant L1_user_02 access to all of the *_02 accounts in the L1 folder. Is this possible as some kind of mass action (select accounts and assign permissions)?

45

2

Patrick Ouimet

derrybirse

Devolutions PAM Trial Version unable to configure Privilege Access

We have installed the on-premise trial version of Devolutions Server using the "Privileged access management package" 5-user license provided. [image] However, when logged in as the administrator (dvls-admin) we are unable to see a "Privileged Access" item on the "Administration" page [image] or on the "Administration > Server Settings" page. [image] We are therefore unable to configure any Providers and consequently cannot trial the PAM component functionality.

65

2

Erica Poirier

hjbos

Reason mode to Mandatory on JIT elevation not working (DVLS)

Last week I updated to 2025.3.x and I set the Reason mode to Mandatory on JIT elevation only but this is not working. I can request JIT Elevation right without filling in a reason. Is this a known issue?

72

3

Patrick Ouimet

csudderth

Implemented

Heartbeat and Password Rotation Failures on Accounts in Protected Users Group

I am now experiencing password rotation and heartbeat failures on accounts in the Protected Users group after upgrading to DVLS version 2025.3.3.0. Once I remove the accounts from the group, everything works as expected. It appears that DVLS is using NTLM authentication instead of Kerberos. I get the following audit log in the domain controller when the user is in the Protected Users group at the time of rotation & heartbeat:

NTLM authentication failed because the account was a member of the Protected User group.
Account Name: [Redacted Account Name]
Device Name: [Redacted Domain Controller Name]
Error Code: 0xC000006E

In DVLS, I am getting an LDAP Code 49 failure when attempting the heartbeat or password rotation. Interestingly enough, password rotation & heartbeats work for members of the Protected Users group if the provider is set to use LDAP instead of LDAPS account, which isn't ideal. I am happy to provide more logs if needed, but not really sure where to go from here.

164

4

Maxim Robert

hossamadel

Can't create PAM for domain user

Hello, I tried to create a Domain Provider for the first time to connect to Active Directory, but I received an error: “Could not reach: undefined.” This occurs both in RDM and in the Hub Portal. I am not sure if I am missing something. I tested both LDAP and LDAPS and verified the domain name and credentials. The same credentials work successfully with the Active Directory dashboard entry. [image]

100

2

Michel Audi

simone9

Resolved

PAM account names reset to SAM account name after update

Hi,

We have two issues after the updates from RDM 2025.2.30.0 to 2025.3.20.0 and DVLS 2025.2.14.0 to 2025.3.4.0.

- Our PAM vaults disappeared from RDM (client installation). I found this comment in your blog post: "PAM vaults now appear alongside standard vaults in a single selector, eliminating the need to switch between views." Can you please provide a screenshot where to find the PAM vaults, we couldn't find it anymore ;-) Thanks.
- With the new DVLS version but the old RDM version we are still able to see the PAM vaults but after the first PAM synchronization (from scan configurations) all the account display names in the PAM vaults are set to the SAM account names. We have renamed the accounts so that we can see at a glance which customer or domain the user belongs to. With the new Devolutions server version, the display names have been reset to the SAM account names, and even in the dashboard, the associated domains are no longer visible. This makes it impossible to identify which account it is.

Thank you for your help and kind regards,
Simone

291

18

Erica Poirier

jm2

Resolved

Default Password template not available in password generator of PAM standalone account

Hello, When creating a new PAM standalone type entry in DVLS 2023.2.10 WebUI, there is an option to use the password generator, however this doesn't list, default to, or enforce the default password template that is defined in Administration\System Settings\Password Management. Please let me know if you would like any additional information. Thanks Joe

103

4

jm2

jm2

Unable to check in or unlock PAM account

Hello, How does one unlock or force a check in of a locked Domain User PAM account in a Hub datasource? I have one account that won't check in using RDM, and in the web UI (while logged in as an administrator) there is no force check in or unlock options displayed. In RDM 2025.3.20 it also displays a red banner saying 'The credential has been locked due to the inability to revoke privileged rights during check-in.' Please let me know if you would like any additional info. Thanks Joe [image] [image] [image] [image]

189

10

Luc Fauvel

jm2

Resolved

Domain user provider not working hub and gateway

Hello, When attempting to create a domain user type provider in hub business that uses a gateway, it fails on the 'test connection' with error 'Can't connect to provider. LDAP connection failed to dc.domain.local. LDAP result code 1002.' Using Gateway 2025.3.2 installed on a domain joined Windows 2022 host, and PAM service executable v2025.3.1. There doesn't appear to be anything logged in the windows event logs, or gateway log files when the test connection is initiated. Please let me know if you would like more info. Thanks Joe

150

4

jm2

jm2

Resolved

Unable to use PAM accounts as a credential for regular entries when datasource is hub business

Hello, When using hub with PAM entitlement, a dedicated vault is required for storing the managed credentials, which cannot contain regular connection type entries. When creating a connection entry in a regular vault, there is no option to set the credential to 'privilege account' like would be done with DVLS. Instead I assume the expected approach is to choose 'Linked (external vault)', then choose the dedicated PAM vault and subsequently a specific credential entry. However, when using RDM 2025.3.20 there are no credentials populated in the dropdown after choosing the linked external vault which contains the PAM entries. Also, if it is left as the default of 'prompt on connection', upon launching the connection there are no PAM entries displayed for the user to choose. I tried attempting to do the same thing with Hub web ui but the PAM vault does not show up in the list of linked external vaults. How does one utilize a PAM entry as the credential for a regular connection entry with Hub? Not really sure if this is a PAM, Hub or RDM issue/limitation? Please let me know if you would like any additional info. Thanks Joe

175

3

jm2

hjbos

Resolved

Password rotation not working in version 2025.2.4.0

After updating Devolutions Server from 2025.1.x to 2025.2.4.0 password rotation is not working anymore for accounts in our PAM vault. Is this a known issue and can this be fixed as soon as possible?

202

7

Erica Poirier

adillinger1

import passwords

Hello, We would like to import our passwords into a PAM vault. Since there are well over 100 of them, they are stored as a .csv file. Is there a way to import them so that they end up directly in a PAM vault?

162

2

Patrick Ouimet

adillinger1

temporary access in RDM?

I would like to set up temporary access. To do this, I have set the vault to shared and activated temporary access in the entire vault. I myself only have “view” rights to the vault. The vault is displayed to me in RDM and the relevant entries are also displayed. However, I have no way of requesting temporary access in RDM? I only see this option in the WEB Gui, which nobody works with. Please tell me that I have done something wrong. [image] [image]

224

6

Samuel Dery

freddy1

Reason that JIT uses temporary groups

What is the philosophy for using temporary groups in the JIT configuration? We monitor our privileged groups like Domain Admins and now we see only that a temporary group is added, PAM-<GUIDnR>, and not directly the added users. So our monitor reporting doesn't directly give the user who is added to the group.

176

3

Alexandre Bélisle

adillinger1

automatic force check-in

Hello everyone, we're facing an issue where checked-out accounts are not automatically checked back in. In the screenshot, you can see that the account was checked out yesterday morning for 420 minutes (i.e., 7 hours). Most colleagues simply close their laptops and leave without properly ending their sessions. How can I ensure that the account is automatically checked in after 7 hours and the password is rotated accordingly? [image]

219

4

Michel Audi

freddy1

Automatic JIT assignment group

We use JIT for temporary DomainAdmin / SchemaAdmin and EnterpriseAdmin rights. In the future we want to add another group to JIT. Is it possible to automatically assign a right (group) when a user checks out an account?

The use case is:
- User-X has no group assigned (in this example "DomainAdmin")
- Use PAM to check out this account
- JIT automatically assigns a group without checking the checkbox in the check-out screen.

The idea about this is that the account is standard a normal user. The user has about 2 days a week the additional needed. So when the account is hijacked during these 5 days it has normal rights. [image]

183

2

William Alphonso

adillinger1

AnyIdentity PowerShell Script – Parameters not passed to script despite correct mapping

Hello everyone,

I'm currently working on integrating a password rotation script using AnyIdentity in Devolutions Server (DVLS) for Citrix ADC. I've created a custom AnyIdentity template with the following configuration:

✅ Provider Properties:
- targethost (String)
- user (Username)
- password (Password)

✅ Account Properties:
- account (Username)

✅ Script Parameters:
Mapped in the template as:
- target → Provider → targethost
- user → Provider → user
- password → Provider → password
- account → Account → account
- NewPassword → System (default)

My PowerShell script starts with:

    param(
        [string]$target,
        [string]$user,
        [securestring]$password,
        [string]$account,
        [securestring]$NewPassword
    )
    Write-Output "target = $target"
    ...

All fields are filled in the PAM entry, and the correct AnyIdentity provider is selected. However, during execution, I get the following error:

❌ 'target' is missing.
(Or: ❌ 'targethost' is missing. if I switch parameter names)

I’ve tried:
- Different parameter names (host, targethost, remoteHost, endpoint, etc.)
- Clean AnyIdentity templates with minimal logic
- Mapping provider fields via the UI
- Assigning values directly in the PAM entry
- Testing the script interactively on the DVLS server (works fine)
- Running DVLS Scheduler under a proper service account with access to Posh-SSH

No matter what I do – DVLS never passes the values into the script.

❗Question
- Has anyone successfully used custom AnyIdentity password rotation with parameters passed from the provider?
- Is this a known issue with certain parameter names?
- Is there a limitation in the DVLS Scheduler’s script engine?
- Any working examples or templates to compare?

DVLS version: 2025.1.7.0
PowerShell: 7.5.1
Script tested independently = working

Thanks in advance – hoping someone has found a solution or workaround!

Best regards,
Alexander

276

2

David Savard

kseay1

Accounts Not Registering as Checked-in After Check-out Expiration

Accounts in PAM are not checking back in after checkout expiration, and passwords are not being reset after expiration. When a user makes an attempt to use the account, however, they are asked to check it out. I either have to manually check I am the first one in this morning, and I see all of these accounts checked out [image] And looking at the logs of my account: [image] You can see that at 3:54 PM was checked out, and checked back in at 6:37am the next morning when I came in to use it. Time is 0 minutes. I had to check it in manually. I did attempt to copy the password, but was given an error that I could not, so PAM did know that the check out was expired, but it is not completing check in processes. [image]

387

19

Erica Poirier

kseay1

Issue with Task Scheduler Propagation - Task Path GitHub script

I was attempting to use PAM for rotating passwords in a Windows Scheduled Task, and I was running into an error with the path to the scheduled task:

Propagation: Error
Error while executing the script Scheduled Task with the configuration Test Schedule: Cannot validate argument on parameter 'ScheduledTaskPath'. The argument "\" does not match the "^\\(?:[^\\]+\\)+\s*(?:,\s*\\(?:[^\\]+\\)+)*$" pattern. Supply an argument that matches "^\\(?:[^\\]+\\)+\s*(?:,\s*\\(?:[^\\]+\\)+)*$" and try the command again.

My task was at the root level:

    TaskPath TaskName State
    -------- -------- -----
    \        CMD      Running

This pattern does not allow the use of the root of scheduled tasks:

    [ValidatePattern('^\\(?:[^\\]+\\)+\s*(?:,\s*\\(?:[^\\]+\\)+)*$')]

I updated my local copy of the script to use this instead:

    [ValidatePattern('^(\\|(?:[^\\]+\\)+\s*(?:,\s*\\(?:[^\\]+\\)+)*)$')]

This seems to have worked.

210

2

William Alphonso

kseay1

Limited PAM Administration

Is it possible to give a group enough access to PAM to allow them to create Providers, Scan Configurations, Propagations, and allow them to add users to one vault, but not allow them full PAM admin rights?

242

2

William Alphonso

hjbos

Password rotation time different than configured

We use password rotation within the PAM module where we configure to reset the password for our privileged accounts on a daily basis. This is configured to reset every day at 05:00 a.m. but Devolutions is resetting this at 07:00 a.m. Is this a known issue and can this be fixed?

276

6

William Alphonso

1 - 25 of 44 items