This is my CyberArk troubleshooting post, recording the issues I ran into while working on CyberArk PAS (Privileged Account Security) solutions. This post focuses on PSM. I have two other posts for PVWA and CPM.

  • PSM: This app has been blocked
  • Issue: Network Level Authentication Disabled
  • Issue: RDS Installation – Collection Role failed to create
  • Issue: Remote Desktop Licensing mode is not configured
  • Issue: SSH through PSM failed
  • Issue: RDP Remote through PSM failed using local admin account
  • PSM Session Failed Login – Username and Password is incorrect. 
  • PSMSR196E PSM is not enabled or not defined for policy
  • Error: The privileged session could not be established securely.
  • Remote Connection from PSM to Target Server Error
  • PSMSR196E PSM is not enabled or not defined for policy
This app has been blocked 

1. Using PSM SSH to connect to a remote site fails with the error
“This app has been blocked by your system administrator.”

Resolution:

Reference: https://cyberark-customers.force.com/s/article/00004458

Network Level Authentication Disabled

2. NLA Enabled on PSM servers

Resolution:
You can use domain group policy to fix this.

RDS Installation – Collection Role failed to create

When installing the RDS role on a PSM server, you might hit the error "RDS Collection Role Creation Failed".

Resolution:
This is Group Policy related. Move the PSM servers out of the regular domain OU into a new OU that has no group policy applied except the default domain group policy.

Remote Desktop Licensing mode is not configured

RDS License issue
Remote Desktop Licensing mode is not configured. Remote Desktop Services will stop working in 123 days. On the RD Connection Broker server, use Server Manager to specify the Remote Desktop Server.

Resolution:
You will need to add a license before it expires.

SSH through PSM failed

Symptoms:
Trying to SSH to a remote host through PSM failed with the following message. RDP to a server on the same network was fine.

Cause and Solution:
It was caused by a global policy that removed the PSMShadowUsers group's local access.

RDP Remote through PSM failed using local admin account

Logging in to a remote server through PSM using a local admin account failed with the following error.

Resolution:
It is a network connectivity issue between PSM and the remote destination. If you hit this error, try to RDP directly from the PSM server to see whether the same issue occurs.

PSM Session Failed Login – Username and Password is incorrect.

When using PVWA to connect to remote RDP servers, the login to the PSM server fails before PSM can launch the remote server’s RDP session. It gives the error “The username and password is incorrect”.

This usually relates to PSM server’s local accounts:
1. PSMCONNECT – for RDP session to log into PSM servers.
2. PSMADMINCONNECT – for auditor monitoring to use

The passwords for those two accounts might have lost sync with the vault. You can use PVWA to show the password, then set it on the PSM server's local user. Basically, change the passwords of the PSM server’s psmconnect and psmadminconnect accounts to match the vault’s passwords.

PSMSR196E PSM is not enabled or not defined for policy

It happened when PSM had just been installed and I tried to use PVWA to test PSM with the Connect button.
PSM had been registered with PVWA. I confirmed the Option setting for PSM to use ActiveX was set to Never. Mostly it is because of a system delay, I am guessing. It went away after a while.

Error with Network Level Authentication and CredSSP encryption oracle remediation

All of the following error messages are the same issue. The error relates to Remote Desktop settings. Uncheck “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” on all of your PSM servers and target servers.
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

PSMRD001E User was disconnected from remote machine. Reason: [An internal error has occurred.] (Code: 519)

There are some solutions at: https://support.microsoft.com/en-au/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

Another option for your environment: if the setting has been disabled by your domain group policy, you can try Server Manager – Remote Desktop Services – Collections – <RDP Server> – Tasks – Edit Properties – Security – uncheck the NLA setting.
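Before changing the NLA checkbox, it helps to see which host carries which setting and whether Group Policy is the one setting it. The following is an added example, not part of the original post: it reads the standard Windows registry values for NLA (`UserAuthentication`) and CredSSP Encryption Oracle Remediation (`AllowEncryptionOracle`). The function name and the host names in the comments are assumptions.

```powershell
# Added example (not from the original post): report the NLA and CredSSP
# settings behind the errors above. Run on a PSM server or a target.
function Get-RdpAuthPosture {
    # Return a registry value, or $null when the key or value is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tsPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $credSsp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

    $nlaLocal  = Get-RegValue $rdpTcp  'UserAuthentication'
    $nlaPolicy = Get-RegValue $tsPol   'UserAuthentication'
    $oracle    = Get-RegValue $credSsp 'AllowEncryptionOracle'

    # A value written by Group Policy overrides the local checkbox.
    $nlaEffective = if ($null -ne $nlaPolicy) { $nlaPolicy } else { $nlaLocal }

    # Meaning of the "Encryption Oracle Remediation" protection levels.
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $oracleText = if ($null -ne $oracle -and $levels.ContainsKey([int]$oracle)) {
        $levels[[int]$oracle]
    } else {
        'Not configured (OS default applies)'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NlaRequired        = ($nlaEffective -eq 1)
        NlaSetByPolicy     = ($null -ne $nlaPolicy)
        CredSspOracleLevel = $oracleText
    }
}

# Local check on the machine you are logged on to.
Get-RdpAuthPosture | Format-List

# Remote check over PowerShell remoting (constructed host names, replace with yours):
# Invoke-Command -ComputerName 'PSM01','TARGET01' -ScriptBlock ${function:Get-RdpAuthPosture}
```

A difference between the PSM server and a target in these columns is what to look for; the Microsoft article linked above explains each protection level.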

Error: The privileged session could not be established securely. Contact your system administrator.

Most likely your PSM service is down. You can confirm that from services.msc or the CyberArk PVWA System Health page.

Remote Connection From PSM to Targets Error

Mostly it is caused by the remote target server’s RDP service not being up, or by a broken network connection between PSM and the targets.
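Three of the causes named in this post (PSM service down, PSMConnect/PSMAdminConnect password out of sync, no network path from PSM to the target) can be checked in one pass from the PSM server. The following is an added example, not part of the original post; the function name, the service display-name pattern and the target name are assumptions.

```powershell
# Added example (not from the original post). Run on the PSM server (PowerShell 5.1+).
function Test-PsmPath {
    param(
        [Parameter(Mandatory)][string[]]$Target,
        [int[]]$Port = @(3389, 22)   # RDP and SSH, the two connection types in this post
    )

    # 1. PSM service state. The display-name pattern is an assumption; adjust it
    #    to the service name shown in services.msc on your PSM server.
    $services = @(Get-Service -DisplayName '*Privileged Session Manager*' -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        [pscustomobject]@{ Check = 'Service'; Item = 'PSM'; Result = 'NotFound' }
    }
    foreach ($s in $services) {
        [pscustomobject]@{ Check = 'Service'; Item = $s.DisplayName; Result = "$($s.Status)" }
    }

    # 2. Local PSM accounts. PasswordLastSet cannot prove the password matches the
    #    vault, but a date that differs from the vault's last change suggests drift.
    foreach ($name in 'PSMConnect', 'PSMAdminConnect') {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $result = if ($null -eq $user) { 'NotFound' } else {
            'Enabled={0}; PasswordLastSet={1:u}' -f $user.Enabled, $user.PasswordLastSet
        }
        [pscustomobject]@{ Check = 'Account'; Item = $name; Result = $result }
    }

    # 3. TCP reachability from this PSM server to each target.
    foreach ($t in $Target) {
        foreach ($p in $Port) {
            $probe = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Check  = 'Network'
                Item   = '{0}:{1}' -f $t, $p
                Result = if ($probe.TcpTestSucceeded) { 'Open' } else { 'Unreachable' }
            }
        }
    }
}

# Constructed target name; replace with a server you connect to through PSM.
Test-PsmPath -Target 'TARGET01' | Format-Table -AutoSize
```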

PSM is not enabled or not defined

PSMSR196E Privileged Session Management is not enabled or not defined for policy

Add PSM to your platform. Restart your PSM service for the change to take effect.

By Jonny
