Skip to content
CA Privileged Access Manager - 2.8.3
Documentation powered by DocOps

Configure Windows Target Device Options

Last update May 16, 2017

This content describes how to configure the following options for Windows target devices:

Network Level Authentication Login

Windows administrators can configure their servers to require Network Level Authentication (NLA) before the user is prompted to enter their credentials to lower the risk of DoS attacks. CA Privileged Access Manager accommodates this network level request so that it can complete connections.


This feature assumes and addresses the Allow connections only from computers running Remote Desktop with Network Level Authentication setting configured on the General tab of the RDP-Tcp Properties dialog.

CA Privileged Access Manager Configuration

In CA Privileged Access Manager, provision User access to the target Device described previously. Note that (as previously) in the Device record only the Device Name, its Address, and the Access Method: "RDP" are mandatory; however, no additional CA Privileged Access Manager configuration is required to handle the NLA requirement.

User Experience

When a user selects the RDP Access Method, the RDP Access Method splash page appears, and then the CA Privileged Access Manager security window prompts for the NLA-based credentials request. After the user enters their credentials, CA Privileged Access Manager submits them to the target device to complete login.

Note: If password push (see next section) is applied to a Device, this login prompt is overridden.

Always Prompt for Password Enforcement

In the Windows Remote Desktop Services (Terminal Services) Configuration server interface, there is an option that is labeled Always prompt for password. This option allows the Windows administrator to force a password prompt even when the client workstation has been configured to connect automatically.

Note: If NLA is enabled on an RDP server that is configured with the TLS security layer (the default for Windows Server 2008/2012), the Always prompt for password option is ignored. That is, users are not prompted for passwords even if the option is enabled. To support the Always prompt for password mechanism, the RDP server must be configured with the RDP security Layer.

CA Privileged Access Managercan be configured at the Device Group level to automatically populate that prompt (with the password obfuscated), and thus force an auto-connection that has been configured (at the Device level) for any Device in that Device Group.


This feature assumes and addresses the following setting on a Windows target device.
For example, on Windows Server: Open Start > Administrative Tools > Terminal Services Configuration, open Terminal Services > Connections, select and right-click RDP-Tcp, select Properties, select tab Logon Settings. This setting forces the login prompt to always be presented.

CA Privileged Access Manager Configuration

The following procedure assumes that you have already prepared Users, Devices, target accounts, and associated policies for auto-connection access using those target accounts.

  1. Log in to CA Privileged Access Manager as an administrator (for example, as "super").
  2. Navigate to Devices > Manage Groups.
  3. Either double-click an existing Device Group record, or click the Create Device Group link to open a new record template.
  4. Click in the Devices field, and from the drop-down menu, select the target Devices that require password push when policy is configured for auto-connection.
  5. At the bottom of the Device Group template, in the section Enable, select the checkbox Provide Credentials for "Always Prompt for Password".
  6. Navigate to Policy > Manage Policies.
  7. Prepare a policy for the User/User Group and the Device Group that you previously configured, and with Access = "RDP", and Save.
    Password push is now enabled.

User Experience

When a CA Privileged Access Manager User selects the RDP Access Method the following actions occur:

  1. The RDP Access Method splash page appears.
  2. The RDP window displays the Windows login screen.
  3.  CA Privileged Access Manager immediately overrides the login prompt and a 10 second delay occurs, during which the User sees a countdown screen until auto-connection is effected.
    The remote user is logged in.
Was this helpful?

Please log in to post comments.