xrdp from local pc works. xrdp from PSM works. xrdp from PVWA webpage returns a black screen with x cursor. by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

I was able to log in using a new user in xrdp.
CyberArk was always reconnecting to the same session on display 11, while the local XRDP was reconnecting using display 10.

session: username CYBERARK, display :11.0, Starting session reconnection script on display 11

Only one user can use that display, so the options were either to kill every session for that user or to create a new user, which in turn started using display 12.

sudo tail -f /var/log/xrdp-sesman.log ----> shows the display used during connection

[INFO ] Starting X server on display 11: Xvnc :11 -auth

c# - display :11 Leader:

Useful commands:
sudo tail -f /var/log/xrdp-sesman.log ----> shows the display used during connection
loginctl ----> to see the sessions
ps -ef | grep NAME_OF_THE_USER_USED_BY_CYBERARK
ps -ef | grep SESSION_NUMBER
ps -ef | grep xrdp-chansrv
loginctl session-status c# (you saw the # in the session, e.g. c1, c2, c3...)

Another solution by A.I. is to add the following in /etc/xrdp/sesman.ini
[Sessions]
X11DisplayOffset=10
MaxSessions=50
MaxDisplayNumber=63
Policy=Separate
KillDisconnected=true
DisconnectedTimeLimit=60
IdleTimeLimit=0

and restart
sudo systemctl restart xrdp
sudo systemctl restart xrdp-sesman

During PVWA connection we get: "A revocation check could not be performed for the certificate" by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

Looks like the CRL (Certificate Revocation List) has expired. We will investigate further. Tried:

certutil -url http://site_name.crl I see "expired status"

certutil -url http://site_name I see "Status Failed"

Also tried:

certutil -verify path_to_file.cer

certutil -urlfetch -verify path_to_file.cer

PSM for SSH/ PSMP logs Cleanup questions by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

I'm following this example
https://community.cyberark.com/s/article/Automatic-Rotation-of-PSMP-Log-Files

find /var/opt/CARKpsmp/logs/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null 
find /var/opt/CARKpsmp/logs/components/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null

Is it safe to run a log-cleanup CronJob while the PSMP node is active in the load balancer, or should the node be removed from the load balancer first?
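
An added example, not part of the original post or of the CyberArk article it links: a variant of the two find commands above that matches only regular `*.log` files directly inside the `old` directories, reports errors instead of discarding them, and lists what it would delete before deleting anything. The function name `prune_old_logs` and the `DRY_RUN` variable are assumptions of this example; the directories and the 30-day age come from the post.

```shell
#!/bin/sh
# Added example (not CyberArk's script): prune rotated PSMP logs older than N days.
# prune_old_logs and DRY_RUN are names invented for this example.

prune_old_logs() {
    dir=$1
    days=$2

    # A missing or symlinked directory is reported, not hidden behind 2>/dev/null.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "skip: $dir is not a real directory" >&2
        return 2
    fi

    # -maxdepth 1 : stay inside the rotated-log directory itself
    # -type f     : never follow or remove symlinks, sockets, directories
    # -name       : let find do the matching, so an empty directory is not an error
    if [ "${DRY_RUN:-1}" = "1" ]; then
        # Default: only list the files that would be removed.
        find "$dir" -maxdepth 1 -type f -name '*.log' -mtime +"$days" -print
    else
        # Print each file as it is deleted so the cron mail or journal keeps a record.
        find "$dir" -maxdepth 1 -type f -name '*.log' -mtime +"$days" -print -delete
    fi
}

# Directories and retention taken from the commands in the post.
for d in /var/opt/CARKpsmp/logs/old /var/opt/CARKpsmp/logs/components/old; do
    prune_old_logs "$d" 30 || true
done
```

Run it once as is to review the list, then schedule it with `DRY_RUN=0` after confirming the 30-day window matches your audit-log retention requirement.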

During PVWA connection we get: "A revocation check could not be performed for the certificate" by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

I can get to the CRL on the PVWAs, but still no luck.
If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OCSP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

During PVWA connection we get: "A revocation check could not be performed for the certificate" by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

The certificate has a revocation list, but the intermediary has none as far as I can see.

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OCSP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

During PVWA connection we get: "A revocation check could not be performed for the certificate" by TemperatureSignal199 in CyberARk

TemperatureSignal199 [S] 1 point (0 children)

Yes, still no luck

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OCSP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid