Devolutions ForumDevolutions Forum

Cyberark - Unable to override HTML5 vs PSM for RDP using PVWA credential

A fix for this issue has been implemented in version 2025.2.13.1

Cyberark - Unable to override HTML5 vs PSM for RDP using PVWA credential

avatar
fflaten

RDP sessions using a PVWA credential with PSM Connection resolution mode behave different depending on connection component

  • Component requiring host input prompts for reason + HTML5 vs PSM
  • Component without host input does not prompt. Unable to provide optional reason and always uses default setting for HTML5 vs PSM.


Can this be controlled? Bug?

avatar
Xavier Fortin

Recommended Answer

Thanks for this! It pretty much looks as I expected. I've already made a fix for this which should be available in the release of RDM 2025.2.13.0 which, hopefully, should release tomorrow.

Best regards,

Xavier Fortin

2

All Comments (7)

avatar
Alexandre Bélisle

Hello,

Thanks for your patience. In an attempt to test and replicate the described behavior, we encountered some minor issues on our own CyberArk Environment.
We'll be back shortly with our results.

Best regards,

Alex Belisle

1
avatar
Marc-Antoine Dubois

Hi,

I just wanted to say we're looking into this.

I've opened the discussion with the developers and they'll have a look on Monday.

I'll keep you posted.

Best regards,

Marc-Antoine Dubois

1
avatar
Xavier Fortin

Hi,

I believe I reproduce your issue. It is most likely an issue in how we evaluate the requirement to prompt for options.

To help me confirm this, could you get us the response of the "Prerequistes" call. To do so, in RDM:

  1. Open the Help -> Performance profiling tab
  2. Select the Debug tab
  3. Click the "..." button
  4. Make sure API, Debug, Profile manager and Show log silent error are checked
  5. Now, while keeping the Performance profiler window open, try launching the entry that does not prompt for any prerequisites
  6. Copy the content of the Performance profiler window text view and share it here (you can sanitize it for any sensitive information, I'm mainly interested in the IsRequired flags)


Best regards,

Xavier Fortin

avatar
fflaten 
Double click triggered
Double click node:Entra Portal
CyberArkManager.GetAccount::Begin - AccountID: 1234_3
CyberArkManager.GetAccount::received ID 1234_3, Name Cloud Service-<REDACTED>, Address = contoso.onmicrosoft.com, Username = <REDACTED>, SafeName = SAFE_123
CyberArkManager.GetAccount::End - AccountID: 1234_3
CyberArkManager.GetAccountExtended::Begin - AccountID: 1234_3
CyberArkManager.GetAccountExtended::received ID 1234_3, Name Cloud Service-<REDACTED>, Address = contoso.onmicrosoft.com, Username = <REDACTED>, SafeName = SAFE_123
CyberArkManager.GetAccountExtended::End - AccountID: 1234_3
CyberArkManager.GetAccountPrerequisites::Begin
Prerequisites for https://pam.contoso.com/PasswordVault/api/Accounts/1234_3/Prerequisites:
{
  "Connection": {
    "ConnectionUserParameters": [
      {
        "AllowNewValues": false,
        "AllowSave": false,
        "DisplayName": "Koble til med HTML5",
        "Name": "AllowSelectHTML5",
        "Required": false,
        "RequiredInDualControlRequest": false,
        "Type": "Boolean",
        "Value": "Yes",
        "ValuesList": null
      }
    ],
    "Required": true
  },
  "DualControl": {
    "AccountDescriptor": "<REDACTED>",
    "AdditionalInformationParams": {},
    "AllowMultipleAccess": true,
    "AllowTimeframe": true,
    "ConfirmedConnectionComponentID": null,
    "DefaultMultipleAccess": false,
    "DefaultTimeFrame": 2880,
    "ExistingNonConfirmedRequest": false,
    "ForceMultipleAccess": false,
    "ForceTimeframe": false,
    "FromTime": 288000000000,
    "IsMultiLevel": false,
    "MaxTimeFrame": 7200,
    "RequestID": "",
    "Required": false,
    "ShowAdditionalInformation": false,
    "TotalConfirmers": 1,
    "ToTime": 612000000000
  },
  "Reason": {
    "AllowFreeText": true,
    "PreDefinedReasons": [],
    "Required": false
  },
  "Required": true,
  "Ticketing": {
    "Required": false,
    "SkipDualControlPossible": false,
    "TicketingSystems": []
  }
}
CyberArkManager.GetAccountPrerequisites::End
CyberArkManager.PSMConnect::Begin
CyberArkManager PSMConnect URL: https://pam.contoso.com/PasswordVault/api/Accounts/1234_3/PSMConnect
CyberArkManager.PSMConnect::End

HTML5 RDP parameters received from PVWA::Begin
{"PSMGWURL":"https://html5-psm.contoso.com/guac/direct","PSMGWRequest":"<REDACTED>"}HTML5 RDP parameters received from PVWA::End

rdpClientAdvancedSettings4.AuthenticationLevel:0
rdpClientAdvancedSettings6.EnableCredSspSupport:False
Silent: System.IO.IOException: The specified registry key does not exist.
   at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
   at Microsoft.Win32.RegistryKey.GetValueKind(String name)
   at Devolutions.RemoteDesktopManager.Managers.PolicyManager.get_IsRDPRestrictedAdminModePolicyEnabled()
Eksternt skrivebord kan ikke koble til den eksterne datamaskinen på grunn av én av følgende årsaker:

1) Ekstern tilgang til serveren er ikke aktivert
2) Den eksterne datamaskinen er slått av
3) Den eksterne datamaskinen er ikke tilgjengelig på nettverket.

Kontroller at den eksterne datamaskinen er slått på og koblet til nettverket, og at ekstern pålogging er aktivert. | reason: 516 | extended: exDiscReasonNoInfo
RDP - Disconnect:516 / exDiscReasonNoInfo


avatar
Xavier Fortin

Thanks for this! It pretty much looks as I expected. I've already made a fix for this which should be available in the release of RDM 2025.2.13.0 which, hopefully, should release tomorrow.

Best regards,

Xavier Fortin

2
avatar
fflaten

Thanks. Using RDM 2025.2.13.1, RDP-entries show the prompt for HTML5 as expected. I appreciate the help and quick fix

avatar
Xavier Fortin

Glad to hear it!

Do not hesitate to reach back if you ever encounter another issue.

Best regards,

Xavier Fortin

A fix for this issue has been implemented in version 2025.2.13.1