This is my CyberArk troubleshooting post, recording the issues I met while working on CyberArk PAS (Privileged Account Security) solutions. This post focuses on PSM. I have two other posts for PVWA and CPM.
- PSM: This app has been blocked
- Issue: Network Level Authentication Disabled
- Issue: RDS Installation – Collection Role failed to create
- Issue: Remote Desktop Licensing mode is not configured
- Issue: SSH through PSM failed
- Issue: RDP Remote through PSM failed using local admin account
- PSM Session Failed Login – Username and Password is incorrect.
- PSMSR196E PSM is not enabled or not defined for policy
- Error: The privileged session could not be established securely.
- Remote Connection from PSM to Target Server Error
- PSMSR196E PSM is not enabled or not defined for policy
This app has been blocked
1. Using PSM SSH to connect to a remote site failed with the error:
“This app has been blocked by your system administrator.”
Resolution:
Reference: https://cyberark-customers.force.com/s/article/00004458
Network Level Authentication Disabled
2. NLA Enabled on PSM servers
Resolution:
You can use domain group policy to fix this.
RDS Installation – Collection Role failed to create
When installing the RDS role on a PSM server, you might hit an "RDS Collection Role Creation Failed" error.
Resolution:
This is Group Policy related. Move the PSM servers out of the regular domain OU into a new OU that has no group policy applied except the default domain group policy.
Remote Desktop Licensing mode is not configured
RDS License issue
Remote Desktop Licensing mode is not configured. Remote Desktop Services will stop working in 123 days. On the RD Connection Broker server, use Server Manager to specify the Remote Desktop Server.
Resolution:
You will need to add a license before it expires.
SSH through PSM failed
Symptoms:
Trying a remote SSH session through PSM, but got the following failure message. RDP to a server on the same network was fine.
Cause and Solution:
It was caused by a global policy that removed PSMShadowusers access locally.
RDP Remote through PSM failed using local admin account
Trying to log in to a remote server through PSM using a local admin account failed with the following error.
Resolution:
It is a network connectivity issue between PSM and the remote destination. If you meet this error, try to RDP directly from the PSM server to the target to see whether the same issue occurs.
PSM Session Failed Login – Username and Password is incorrect.
Using PVWA to connect to remote RDP servers, the login to the PSM server failed before PSM could launch the remote server's RDP session. It gives the error "The username and password is incorrect".
This usually relates to the PSM server's local accounts:
1. PSMCONNECT – for RDP session to log into PSM servers.
2. PSMADMINCONNECT – for auditor monitoring to use
The passwords for those two accounts might have lost sync with the vault. You can use PVWA to show the password, then set it on the PSM server's local user. Basically, change the PSM server's psmconnect and psmadminconnect account passwords to match the vault's passwords.
PSMSR196E PSM is not enabled or not defined for policy
It happened when PSM had just been installed and I tried to use PVWA to test PSM with the Connect button.
PSM has been registered with PVWA. Confirmed the Option setting for PSM to use ActiveX is set to never. Mostly it is because of a system delay, I am guessing. It went away after a while.
Error with Network Level Authentication and CredSSP encryption oracle remediation
PSMRD001E User was disconnected from remote machine. Reason: [An internal error has occurred.] (Code: 519)
There are some solutions from: https://support.microsoft.com/en-au/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm
Another configuration option for your environment, if the setting has been disabled by your domain group policy: try Server Manager – Remote Desktop Services – Collections – <RDP Server> – Tasks – Edit Properties – Security, and uncheck the NLA setting.
Error: The privileged session could not be established securely. Contact your system administrator.
Most likely your PSM service is down. You can confirm that from services.msc or the CyberArk PVWA System Health page.
Remote Connection From PSM to Targets Error
Mostly it is caused by the remote target server's RDP service not being up, or by a broken network connection between PSM and the targets.
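The checks this post keeps returning to (PSM service state, the PSMConnect and PSMAdminConnect local accounts, the NLA setting, and network reachability from PSM to the target) can be gathered in one read-only PowerShell pass. This is an added example, not part of the original post or CyberArk's tooling; the function names, the service display-name pattern and the target host name are assumptions.

```powershell
# Added example: read-only checks, run from an elevated prompt on the PSM server.
function Test-PsmTargetPath {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int[]] $Ports = @(3389, 22)          # RDP and SSH
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP $port from PSM to $Target"
            Result = if ($r.TcpTestSucceeded) { 'reachable' } else { 'no connection (service down or path blocked)' }
        }
    }
}

function Get-PsmLocalState {
    # Assumption: the PSM service display name contains this text.
    $svc = Get-Service -DisplayName '*Privileged Session Manager*' -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Check = 'PSM service'; Result = 'not found under the assumed display name' }
    }
    foreach ($s in $svc) {
        [pscustomobject]@{ Check = "Service: $($s.DisplayName)"; Result = "$($s.Status)" }
    }

    # Local accounts named in the post; compare PasswordLastSet with the
    # vault's last password change when a sync problem is suspected.
    foreach ($name in 'PSMConnect', 'PSMAdminConnect') {
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $state = if ($u) {
            "enabled=$($u.Enabled), password last set $($u.PasswordLastSet)"
        } else {
            'local account not found'
        }
        [pscustomobject]@{ Check = "Account: $name"; Result = $state }
    }

    # NLA on the RDP listener: 1 = NLA required, 0 = not required.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{ Check = 'NLA (UserAuthentication)'; Result = "$nla" }
}

# Constructed placeholder target; replace with a server onboarded behind PSM.
Get-PsmLocalState
Test-PsmTargetPath -Target 'target01.example.internal'
```

If the TCP check fails from the PSM server itself, the problem is on the network path or the target's service, not in PSM or the vault.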
PSM is not enabled or not defined
PSMSR196E Privileged Session Management is not enabled or not defined for policy
Add PSM to your platform. Restart your PSM service for the change to take effect.