Devolutions PAM

Bonjour, Je vais laisser William répondre, mais c'est encore plus facile pour nous en français :) Une grande partie de la compagnie est Canadienne française, moi inclus. Cordialement

Support

jquintard

Published a day ago

Hello William, Thank you for your reply, I will take a look. Regarding the suggestion to review it together, would it be possible to speak with someone who speaks French? It would be easier for me. Jerome

Support

Erica Poirier

Published 5 days ago

Error message in PAM via Devolutions Workspace on Mobile

Hello, Thank you for your feedback. That's good news that the new version has solved your issue. Best regards,

Support

davidruecklinger

Published 5 days ago

Error message in PAM via Devolutions Workspace on Mobile

Hi! I've updated to 2026.1.6.0 and using the devolutions workspace app 2026.1.0 build 101. Looks like the issue is fixed at this version. Checkout over Devolutions Workspace app is working as expected. Best Regards

Support

Erica Poirier

Published 5 days ago

Error message in PAM via Devolutions Workspace on Mobile

Hello, Thank you for reporting this issue. We will investigate and get back to you shortly. Are you still using DVLS 2025.3.14? If not, we strongly recommend that you update to version 2025.3.16 for this security fix . Best regards,

Support

William Alphonso

Published 7 days ago

PAM or not to PAM

Hello, Thank you for reaching out! You are mostly correct in your understanding of how PAM works in the Devolutions ecosystem. Let me clarify how the different capabilities map to our components. 1. Password rotation Handled directly by the PAM module in Devolutions Server through PAM Providers (for example the Active Directory provider). 2. Protocol break (no direct RDP/SSH access) This is achieved using Devolutions Gateway . Instead of connecting directly to the target host, the session is proxied through the Gateway. 3. Session recording Also handled through Devolutions Gateway , which records sessions when connections are proxied through it. 4. Workflow / approval for privileged access Handled by Devolutions Server PAM using Just-in-Time access policies and approval workflows . 5. Blocking commands or actions This is limited . Devolutions does not act as a command-filtering PAM like some specialized security appliances. However, session control and auditing can still be enforced through Gateway and policies. So for your use case ( 1–3 internally for IT administrators ), the typical architecture is: Devolutions Server + PAM module Devolutions Gateway Remote Desktop Manager (client) About your main question: restricting admins to their own privileged accounts Your scenario with tiered accounts (T0 / T1) is a very common one. When PAM scans Active Directory and imports accounts, they will initially be visible to users who have access to the PAM vault . Visibility is controlled through the Devolutions Server permission model . To ensure that: John Doe can only use t0.jdoe and t1.jdoe Bernard Dupont can only use t0.bdupont and t1.bdupont you typically implement this using permissions on the PAM accounts or folders . For example: Place t0.jdoe and t1.jdoe in a folder assigned to John Doe Place t0.bdupont and t1.bdupont in a folder assigned to Bernard Dupont Then configure View / Use permissions only for the corresponding user. Another common approach is to organize PAM accounts in folders based on ownership or tier , then apply permissions to the relevant users or groups. This ensures each administrator can only see and use their own privileged accounts , even though all accounts exist inside the PAM vault. If you would like, we can also schedule a short support session to review your PAM configuration and help you implement the permission model for your tiered accounts (T0/T1). Sometimes walking through the initial setup together helps ensure everything is structured correctly from the start. Best regards,

Support

jquintard

Published 8 days ago

PAM or not to PAM

Hi there, I don’t understand how the Devolutions PAM works, or I might be missing something. For me, PAM involves several actions: Rotating passwords Protocol break between client/server (for example, no direct access to the RDP port) Recording sessions as video Allowing privileged sessions with a workflow/approval system Potentially being able to block certain actions or commands on systems Which of these actions are handled by Devolutions? I believe that for points 2 and 3, it is necessary to go through Devolutions Gateway. Is that correct? My usage is internal only. I mainly want to use PAM for actions 1 to 3 for the IT Admin team. What I don’t understand now is how to import PAM accounts for individual use. Let me explain : In my Active Directory, I have T0 and T1 OUs (for a tiering model). In T0 and T1, I have admin accounts (e.g., t0.jdoe, t0.bdupont, t1.jdoe, t1.bdupont ). These are the privileged accounts. On the Devolution Server, I therefore have a user John Doe and a user Bernard Dupont. On RDM, each of them has T0 resources (AD VMs, routers, etc.) and T1 resources (business VMs, switches, etc.). How can I ensure that John Doe can only use his own accounts (t0.jdoe on T0 ressources and t1.jdoe on T1 ressources) and not Bernard Dupont’s accounts? At the moment, he can see all of them. Jerome

Support

davidruecklinger

Published 10 days ago

Error message in PAM via Devolutions Workspace on Mobile

Hello! As soon as I check in to PAM via Devolutions Workspace on my smartphone, I receive the following error message by email: Error: ArgumentNullException - Value cannot be null. (Parameter 'g') at System.ArgumentNullException.Throw(String paramName) at System.Guid..ctor(String g) at Devolutions.Server.Controllers.APIControllers.V2.AttachmentController.GetPrivateAttachments(AttachmentFilter filter) at lambda_method1741(Closure, Object, Object[]) at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync() at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) --- Default Source: System.Private.CoreLib In general, it takes some time for accounts to be upgraded before the changes actually take effect, even if the browser is refreshed or restarted. Concerning Microsoft Entra ID, DVLS 2025.3.14.0

Support

William Alphonso

Published 25 days ago

PAM checkout takes a long time and/or returns error

Hello, Thank you for the feedback. Instead of opening a new thread on the forum, I took the liberty to open you a support case with us because we will need to retrieve some logs. I will mark this thread as resolved and contact you by email in our support case. Best regards,

Support

simone9

Published 25 days ago

PAM checkout takes a long time and/or returns error

Hello William, the "already checked out" and the delay problem with PAM has been solved. Various adjustments, none of which really helped on their own, solved the problem when combined. Thank you for your support. The problem with lost user-specific settings still exists. This is not related to the PAM problem. Should I create a separate post for this in the RDM forum? Thank you and best regards, Simone

Support

William Alphonso

Published a month ago

PAM checkout takes a long time and/or returns error

Hello Simone, Thank you for the additional details. Since we are unable to reproduce the behaviour internally, the next step is to analyze the server-side execution flow during the PAM checkout process. For this, we will need the detailed Devolutions Server logs. Could you please enable Log4Net logging on your Devolutions Server by following this guide: https://docs.devolutions.net/server/kb/how-to-articles/enable-server-log4net-log/ Once enabled, please collect the DPS_Main.log files covering two distinct scenarios: A PAM checkout that takes a long time and/or returns the “credential is already checked out” error A PAM checkout that completes quickly and successfully For each test, please note the exact date and time (including timezone) when the checkout was performed. This is important, as the log files can be quite large and the timestamps will allow us to identify the relevant sections quickly. Once collected, please send the log files by email to service@devolutions.net and use the following subject line: FO-52052 Thank you for your cooperation. With these logs, we’ll be able to compare execution paths between the slow and fast checkouts and proceed with a deeper investigation. Best regards,

Support

simone9

Published a month ago

PAM checkout takes a long time and/or returns error

Hi William, We tried both options: using only the domain in the provider so that the domain controller is selected automatically, and using a fixed DC. Unfortunately, it makes no difference. From the password server, all DCs can be contacted via PowerShell Test on port 636 without delay and in less than a second. The delay only seems to exist via RDM. And only with PAM accounts. Unfortunately, a JIT replication delay does not improve the situation either; the whole process just takes longer. So you have the faulty delay plus the JIT delay. Thanks, Simone

Support

William Alphonso

Published a month ago

PAM checkout takes a long time and/or returns error

Hello, Thank you for the confirmation. It looks like the PAM provider is having issues contacting the DC to perform the JIT Elevation. Would it be possible to confirm if you have a DC configured in the Provider configuration? If you do, could you confirm whether the Devolutions Server can properly contact this DC without any lag or delay? You can test this through PowerShell on the Devolutions Server host directly. If you have multiple DCs in your environment, adding a replication delay on the provider can also prevent any issues when opening a session. The replication delay ensures that the JIT elevation is properly replicated across all DCs before any connection is established. Best regards,

Support

simone9

Published a month ago

PAM checkout takes a long time and/or returns error

Hi William, thank you for your answer. There is no latency configured in the providers. All the employees have their own PAM vaults with personal PAM accounts. We don't use shared PAM accounts so every check out is initiated by only one person. The PAM accounts are marked and shown as checked in before and checked out after. This is the log file entry on these events. [image] I believe that a delay in the provider connections plays a role. When testing the connection to the providers or performing a heartbeat test on the PAM accounts, it sometimes takes a long time (but is successful), and when another heartbeat check is performed immediately afterwards, it is fast. If a heartbeat test is performed on the PAM account immediately before check-out, the check-out problem does not occur. Therefore, we reduced the heartbeat on the providers to 15 minutes for testing purposes, but this did not help. There are also more of these messages in the data source log, but it is not clear whether this is related to the problem. [image] Could we please schedule another appointment to look at it if you don't recognize the problem right away? We would be grateful. Thank you and kind regards, Simone

Support

Michael Beaudin

Published a month ago

Can't use PAM account as credential in Active Directory dashboard entry

Hello Vostok, This has been completed internally and should be available starting from our next major versions of RDM/DVLS (2026.1.x.x). These versions should officially release around mid-March. If you wish to get this improvement sooner, the beta versions for RDM and DVLS should be released next week or the one after so you could test it there. Here is the link where the beta download will appear in the near future : https://devolutions.net/remote-desktop-manager/download/ Best Regards,

Feature Request

William Alphonso

Published a month ago

PAM checkout takes a long time and/or returns error

Hello, Thank you for reaching out! My name is William and I'm here to assist you in any way I can. Would it be possible to confirm if you have a replication latency configured in your PAM Provider with JiT Elevation? [image] This might be the cause of the delay when opening a session using a PAM account. As for the accounts that are showing as already checked out, can you confirm if they are actually marked as checked out in the web interface of your Devolutions Server? Note that only one person can check out an account at a time. Best regards,

Support

simone9

Published a month ago

PAM checkout takes a long time and/or returns error

Hello, we are currently experiencing significant issues with RDM and hope that you can assist us. When connecting a session with PAM credentials, the checkout dialog with JIT group appears, but shortly thereafter we receive a message that the account is already checked out. Prior to this connection attempt, the user was checked in. And even if it was checked out, the connection could be established directly without the checkout dialog. A few points at a glance: - Current versions: RDM 2025.3.29.0 / DVLS 2025.3.14.0. The problem has only existed since 2025.3.x, but it is unclear exactly since which version, approx. 8 weeks. - All users use the same RDM version, some locally, some via RDS. - The problem occurs with different PAM providers, but not always and not with all users. - When connecting to a session, the PAM checkout dialog appears immediately, but then it takes a long time to establish the session, up to 17 seconds, even for successful logins without error messages. - Logins are fast with non-PAM credentials. - Manual checkout of accounts (in the PAM vault) also takes a long time. - From time to time, employees lose their user-specific settings, and all stored credentials are then gone, leaving the list empty. This also affects some users more often than others. Thank you and kind regards, Simone

Support

Marc-Antoine Dubois

Published 2 months ago

Scan doesn't return any users

Hi Stephen, Thank you for reaching out! To troubleshoot this, I'll need the logs, which contain sensitive information. I sent you a private message with the steps on how to send them to us. We can post the solution here afterwards. Best regards,

Support

stephencourtney1

Published 2 months ago

Scan doesn't return any users

We've trialling the PAM system at the moment, and I'm having problems with the scans - they don't seem to return any users at all. The following are in place: A provider setup (for our Active Directory) and the connection test passes A scan configuration, for an OU in that directory that contains users If I run the scan (or wait for it to run as scheduled) I don't get any results.

Support

Patrick Ouimet

Published 2 months ago

Configure Permissions on Multiple Accounts in same folder of same PAM Vault

Hello derrybirse , Thank you for reaching out to the Devolutions support team. Depending on the version you are using, it could be different. But on the latest version 2025.3, the permissions are inherited by default. Which means, the PAM account will inherit the permissions from the folder or the one at the top. In your use case, to keep it simple, I suggest keeping your L1 folder, but creating 2 sub-subfolders. L1_01 and L1_02. Under it, you can configure your permissions per user or per group. By the Grant access option, it could be done in a couple of clicks. Best regards,

Support

External resources

Devolutions Documentation

Status Page

Technical SupportEmail : service@devolutions.netPhone : + 1 844 463.0419