Connecting to servers

Problem Symptoms and solution
Cannot connect to server

Symptoms:

  • User cannot log in.
  • Events log entry: Authentication failed: Invalid username kowalski or password.
 

Solution:

  • Verify that the user definition exists in the Fudo PAM database.
  • Make sure the login credentials are correct.
  • Make sure that the client software does not have outdated credentials stored.
  • Check if the user has a domain defined and make sure it is provided when attempting to log in.
  • If there are two users with the same login, one of which has the domain configured the same as the default domain, and the other does not have a domain defined, Fudo PAM will report an authentication problem because it cannot determine which user is trying to connect.
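
The login collision described in the last item can be checked for ahead of time. This is an added example, not Fudo PAM code: it assumes user definitions exported as records with `id`, `login` and `domain` fields, a hypothetical default domain `corp.example`, and case-insensitive matching of logins and domains.

```python
from collections import defaultdict

# Constructed sample data. The record layout and DEFAULT_DOMAIN are
# assumptions made for this example, not a Fudo PAM export format.
DEFAULT_DOMAIN = "corp.example"
SAMPLE_USERS = [
    {"id": 1, "login": "kowalski", "domain": None},
    {"id": 2, "login": "kowalski", "domain": "corp.example"},
    {"id": 3, "login": "nowak", "domain": "corp.example"},
    {"id": 4, "login": "nowak", "domain": "lab.example"},
    {"id": 5, "login": "Admin", "domain": ""},
    {"id": 6, "login": "admin", "domain": "CORP.EXAMPLE"},
]


def _norm(value):
    """Treat None or blank as 'not set'; compare case-insensitively (assumption)."""
    return (value or "").strip().lower()


def find_ambiguous_logins(users, default_domain):
    """Return {login: {"no_domain": [ids], "default_domain": [ids]}} for every
    login where a user without a domain coexists with a default-domain user."""
    default = _norm(default_domain)
    by_login = defaultdict(lambda: {"no_domain": [], "default_domain": []})
    for user in users:
        domain = _norm(user["domain"])
        if domain == "":
            by_login[_norm(user["login"])]["no_domain"].append(user["id"])
        elif domain == default:
            by_login[_norm(user["login"])]["default_domain"].append(user["id"])
        # Users in any other domain cannot cause this particular collision.
    return {
        login: groups
        for login, groups in by_login.items()
        if groups["no_domain"] and groups["default_domain"]
    }


if __name__ == "__main__":
    hits = find_ambiguous_logins(SAMPLE_USERS, DEFAULT_DOMAIN)
    for login, groups in hits.items():
        print(f"ambiguous login {login!r}: users {groups['no_domain']} (no domain) "
              f"vs {groups['default_domain']} (default domain)")
```
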
   
  Symptoms: events log entry: Unable to establish connection to server zbigniew (10.0.35.53:3399).
  Cause: incorrect server configuration.
 

Solution:

  • Verify that the server in question is properly configured (IP address, port number).
  • Check if the server is reachable from Fudo PAM:
    1. Log in to the Fudo PAM administration panel.
    2. Select Settings > System, Diagnostics tab.
    3. Enter the server address in the Ping section and execute the command to test the host’s availability.
  • Check if the server is reachable on the given port number:
    1. Log in to the Fudo PAM administration panel.
    2. Select Settings > System, Diagnostics tab.
    3. Enter the server address along with the port number in the Netcat section and execute the command.
   
  Symptoms: Message in client software: Cannot establish new connection because the capacity of the filesystem has been reached.
  Cause: Storage usage has reached 90%.
  Solution: Delete sessions to free up storage space.
When logging in, not all of the users see the Fudo PAM logon screen.

Cause:

  • Credentials stored in the RDP client result in users being automatically logged in to the remote host.
  • Credentials are stored in the RDP client and the user is successfully authenticated against them, so the Fudo PAM logon screen is not displayed. Fudo PAM then forwards the user's credentials to the target server, but they are no longer valid, which results in the Windows GINA being displayed.
 

Symptoms:

  • Client software message: Connection closed by remote host.
  • Events log entry: Failed to authenticate against the server as user root using password.
  Cause: incorrect login credentials.
  Solution: provide correct login credentials in server configuration.
   
 

Symptoms:

  • RDP client message: Connection refused.
  • SSH client message: ssh: connect to host 10.0.1.111 port 10011: Connection refused
  Cause: server has been blocked.
  Solution: log in to Fudo PAM administration panel and unblock the server.
   
Connection is terminated

Symptoms:

  • User tries to log in to a server monitored by Fudo PAM; after entering the username and password, the session is immediately terminated.
  • Events log entry: TLS certificate verification failed.
  Solution:
  Download new target host certificate in the Target host section.
 

Symptoms:

  • After entering username and password the connection is terminated.
  • Events log entry: RDP connection error.
  Solution: check that, in the General tab of the TCP-Rdp properties, the Encryption level option is not set to FIPS Compliant.
   
Cannot connect to server

Symptoms:

  • Cannot log in to server with error message User user0 not allowed to connect to server.
  • Events log entry: Authentication failed: User user0 not allowed to connect to server.
  Cause: user is not assigned to proper connection.
  Solution: add user to appropriate connection object.
 

Symptoms:

  • After entering username and password, the screen freezes.
  • Events log entry: Terminating session: User user0 (id=848388532111147010) is blocked.
  Cause: user is blocked.
  Solution: log in to Fudo PAM administration panel and unblock the user in question.
   
User has to provide login credentials twice

  Symptoms: user connecting over the RDP protocol enters login credentials and is immediately asked again for the same login information.
  Cause: the server is part of an infrastructure managed by a connections broker, which has detected an active session of that user on another server.
   
  Symptoms: user connecting over the SSH protocol enters login credentials and is immediately asked again for login information.
  Cause: in the connection object, the options for login and password substitution are enabled but the input fields are left blank, which results in twofold authentication: first against Fudo PAM and then against the target host.
   
Cannot connect to server over RDP protocol

Symptoms:

  • User connecting over RDP is disconnected a moment after establishing connection.
  • Events log entry: RDP server 10.0.0.:33890 has to listen on the default RDP port in order to redirect sessions.
  Cause: connection is redirected to a host which does not listen on port number 3389.
  Solution: configure server in question so it accepts user connections on port number 3389.
   
 

Symptoms:

  • Events log entry: User user0 has no access to host 192.168.0.1:3389
  Cause: the connections broker detects an existing user session on another server and redirects the user to that host, but the host is not configured on Fudo PAM or the user does not have sufficient access rights to connect to the given server.
 

Solution:

  • Make sure that the server object exists.
  • Add the user to the proper safe object.
Cannot connect to Telnet5250 server using PC5250 client revision 20091005 S/20111019 S

  Symptoms: cannot establish connection to target host.
  Cause: for the aforementioned client applications, Fudo PAM requires additional objects to be set up to enable TCP traffic on ports 449, 8470 and 8476.
 

Solution:

  • Add a Telnet TN5250 server with the default port number.
  • Add three server objects with the TCP protocol and the following port numbers: 449, 8470 and 8476.
  • Add a TN5250 listener, in Proxy mode, with the default port number.
  • Add three TCP listener objects, in Proxy mode, with port numbers 449, 8470 and 8476.
  • Add a regular account, define authentication parameters and assign it to the main TN5250 server definition.
  • Add three anonymous accounts and assign each to one of the supporting servers.
  • Add a safe and assign the accounts with the corresponding listeners.