Gateway recording

Hello Jonas,

Thank you for reaching to our Forum, for Devolutions Gateway session recording with Hub, the PAM Service is mandatory. In this context, the “PAM Service” is the Hub component used to enable and broker session recording as well.
That is why you are seeing: “No PAM Service connected for this hub”.
It means your Hub currently has no PAM Service connected, so recordings cannot be accessed.
What to do next:
Deploy/install Devolutions PAM Service and connect/register it to your Hub:
https://docs.devolutions.net/pam/hub/pam-service/
In Hub, enable Session recording and associate it with the connected PAM Service:
https://docs.devolutions.net/hub/web-interface/administration/configuration-security/system-settings/#session-recording

After the PAM Service is connected and session recording is enabled, recordings generated through the Gateway should become available.
Note: The “PAM vault is empty” part is related to privileged accounts. You will only see entries there once PAM is configured with a provider/vault and contains accounts (with the right
permissions). This is separate from the requirement of having PAM Service connected for session recording.

Best regards,

thanks for this info,
i followed both the links and did all the steps, now i don't receive the error anymore but my recordings list stays empty, i dont see my recordings

Hello Jonas,

Thank you for the additional details. At this point, the only remaining issue is in the Session Recording settings in RDM. The drop-down list under Recording should be set to Remote instead of Local. Could you try that and let me know the result, please?

Best regards,

so close now,
the sessions get recorded but file is not found when i try to download or play

Hey Jonas,

Thank you for your feedback. Can you confirm that the service account running the Devolutions Gateway service has Full Control, or at least Modify/Read/Write permissions on the recording folder, and then restart the service?
If you open the file that handles the recording, are you able to run it from outside Hub as well? As a quick test, can you also go to Hub Administration > Application Identity, edit the PAM app, and grant it administrator rights for testing?
Also, do you see any errors in Event Viewer on the Gateway machine related to the PAM application?

Best regards,

The recording folder stays empty while all users have full rights to it:


what i do see in the eventviewer is an ssl error:

Hello Jonas,

From what you described, recordings are now being initiated (Hub shows the entries), but playback/download fails with “file not found” and the recording folder remains empty. You also mentioned an SSL/TLS error in Event Viewer.

To pinpoint this quickly, could you provide the following:

1. Event Viewer “inner exception”

• On the Gateway server, open the exact SSL error event (Devolutions Hub PAM Service / PamSignalRService) and copy/paste the full text including the inner exception (Details/XML view is fine). This will tell us whether it’s a trust-chain issue, name mismatch, TLS handshake/cipher issue, proxy inspection, etc.

1. Gateway HTTPS trust + health (from the same workstation you record from)

• Open: https://:7171/jet/health
• Confirm:
  • It reports healthy
  • There is no certificate warning
  • The certificate name/SAN matches the exact Gateway FQDN used.

If there is a certificate warning (often due to self-signed cert), please confirm and share whether the Gateway is using a self-signed certificate.
3.Hub reachability from the Gateway host

• From the Gateway server itself, open Devolutions Hub in a browser and confirm the certificate is valid.
• Confirm whether there is any HTTPS inspection proxy/firewall or private DNS override between the Gateway server and the public Internet.

Once we have the inner exception text + the jet/health result, we can give you the exact fix (typically: install missing CA/intermediate certificates on the Gateway server/service trust store, replace the Gateway self-signed cert with a CA-signed cert, or address proxy/DNS/TLS policy issues).

Best regards,

Hello Jonas,

Thank you for your reply , I reviewed the thread and the screenshots. Summary and next steps below.
Summary / root cause (short)

• Hub shows recording metadata but the recording files are never uploaded to disk.
• Event Viewer shows repeated PamSignalRService SSL errors and the Gateway is using a self-signed cert issued to localhost (browser shows NET::ERR_CERT_AUTHORITY_INVALID).
• Conclusion: the PAM Service / Gateway cannot establish a trusted TLS connection to Hub, so the file transfer fails (metadata created in Hub, file upload aborted). This is a TLS trust/hostname mismatch — not a filesystem permission issue.

Immediate actions to fix (perform in order)

1. Replace the Gateway certificate
   • Use a certificate whose CN/SAN matches the Gateway FQDN you use in Hub (do not use localhost).
   • Prefer a CA-signed cert (public CA or your internal PKI).
   • If you cannot get a CA-signed cert immediately, create a certificate that uses the proper FQDN and import its issuing CA into the Gateway server trust store (steps below).
2. Install the issuing CA on the Gateway host
   • On the Gateway server, import the issuing CA (root and any intermediates) into LocalMachine → Trusted Root Certification Authorities.
   • Ensure the Gateway service account and system processes trust that CA.
3. Verify HTTPS trust and hostname
   • From the Gateway server and from the workstation used to record, open:
   • https://<gateway-fqdn>:7171/jet/health
   • → should respond “alive and healthy” and the browser should show no certificate warning.
   • From the Gateway server, open your Hub web UI URL and confirm Hub’s certificate is trusted with no warnings.
   • Confirm there is no TLS inspection / re-signing device between Gateway and Hub (corporate proxies / WAFs sometimes break trust).
4. Restart services
   • Restart the Pam service.
5. Verify Hub/Gateway recording workflow (order)
   • First, confirm there are no new SSL errors in Event Viewer for Devolutions Hub PAM Service (PamSignalRService). If errors remain, capture the full XML inner exception and stop here.
   • In Hub Web Administration → Gateway, run a Publish Public Revocation List (force a config push / revocation publish) to exercise the Hub↔Gateway publish path.
   • Then reproduce a recorded session, check the recording directory on the Gateway host for files, and attempt playback/download in Hub.

If it still fails after these steps, please provide:

• The full Event Viewer XML for one recent PamSignalRService SSL error (use Details → XML view and paste the inner exception).
• A screenshot or paste of the /jet/health response from both the Gateway host and your recording workstation (show browser address bar if it warns).
• The Hub Web Administration → Gateway publish/revocation attempt result (screenshot or log) after you run the public revocation list.
• A directory listing of the recording folder on the Gateway host after you reproduce.

For your Ref: https://docs.devolutions.net/gateway/getting-started/hub/hub-business-configuration/

Best regards,