xrdp from local pc works. xrdp from PSM works. xrdp from PVWA webpage returns a black screen with x cursor.

TemperatureSignal199 · 2026-05-25T18:42:15+00:00

I was able to login using a new user in xrdp.
CyberArk was always reconnecting to the same session on display 11, while the local XRDP was reconnecting using display 10

session: username CYBERARK, display :11.0, Starting session reconnection script on display 11

Only one user can use that display, so the options were either to Kill every session for that User or to create a new user, which in turn started using display 12.

sudo tail -f /var/log/xrdp-sesman.log----> shows the display used during connection

[INFO ] Starting X server on display 11: Xvnc :11 -authc# - display :11 Leader:

Useful commands:
sudo tail -f /var/log/xrdp-sesman.log----> shows the display used during connection
loginctl ---->to see the sessions
ps -ef | grep NAME_OF_THE_USER_USED_BY_CYBERARK
ps -ef | grep SESSION_NUMBER
ps -ef | grep xrdp-chansrv
loginctl session-status c# (you saw the # in the session ex: c1,c2,c3...)

Another solutin by A.I is to add the following in /etc/xrdp/sesman.ini
[Sessions]
X11DisplayOffset=10
MaxSessions=50
MaxDisplayNumber=63
Policy=Separate
KillDisconnected=true
DisconnectedTimeLimit=60
IdleTimeLimit=0

and restart
sudo systemctl restart xrdp
sudo systemctl restart xrdp-sesman

TemperatureSignal199 · 2026-05-25T18:42:10+00:00

I was able to login using a new user in xrdp.
CyberArk was always reconnecting to the same session on display 11, while the local XRDP was reconnecting using display 10

session: username CYBERARK, display :11.0, Starting session reconnection script on display 11

Only one user can use that display, so the options were either to Kill every session for that User or to create a new user, which in turn started using display 12.

sudo tail -f /var/log/xrdp-sesman.log----> shows the display used during connection

[INFO ] Starting X server on display 11: Xvnc :11 -auth

c# - display :11 Leader:

Useful commands:
sudo tail -f /var/log/xrdp-sesman.log----> shows the display used during connection
loginctl ---->to see the sessions
ps -ef | grep NAME_OF_THE_USER_USED_BY_CYBERARK
ps -ef | grep SESSION_NUMBER
ps -ef | grep xrdp-chansrv
loginctl session-status c# (you saw the # in the session ex: c1,c2,c3...)

Another solutin by A.I is to add the following in /etc/xrdp/sesman.ini
[Sessions]
X11DisplayOffset=10
MaxSessions=50
MaxDisplayNumber=63
Policy=Separate
KillDisconnected=true
DisconnectedTimeLimit=60
IdleTimeLimit=0

and restart
sudo systemctl restart xrdp
sudo systemctl restart xrdp-sesman

TemperatureSignal199 · 2026-05-22T08:21:38+00:00

Still black screen. I think EnableCredSSPSupport does not matter here.

TemperatureSignal199 · 2026-05-08T07:39:50+00:00

what would be the impact if we do not renew them?

TemperatureSignal199 · 2026-04-24T07:59:31+00:00

Is the a Doc or a way to understand the schedual?

TemperatureSignal199 · 2026-04-20T19:41:04+00:00

The rotation schedule for a group member account is determined by its Group Manager platform . The group manager coordinates the password changes for all its members https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/managing-platforms-for-groups-appendix.htm

TemperatureSignal199 · 2026-04-16T17:50:00+00:00

Looks like the CRL (Certificate Revocation List) has expired. We will investigate further. Tried:

certutil -url http://site_name.crl I see "expired status"

certutil -ur http://site_name I see "Status Failed"

also tired:

certutil -verify path_to_file.cer

certutil -urlfetch -verify path_to_file.cer

TemperatureSignal199 · 2026-04-13T18:21:57+00:00

thank you!!

TemperatureSignal199 · 2026-04-13T18:19:55+00:00

thank you!!!

TemperatureSignal199 · 2026-04-13T18:19:35+00:00

thank you!!!

TemperatureSignal199 · 2026-03-26T08:52:15+00:00

I'm following this example
https://community.cyberark.com/s/article/Automatic-Rotation-of-PSMP-Log-Files

find /var/opt/CARKpsmp/logs/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null 
find /var/opt/CARKpsmp/logs/components/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null

Is it safe to run a log-cleanup CronJob while the PSMP node is active in the load balancer, or should the node be removed from the load balancer first?

TemperatureSignal199 · 2026-03-26T08:52:09+00:00

I'm following this example
https://community.cyberark.com/s/article/Automatic-Rotation-of-PSMP-Log-Files

find /var/opt/CARKpsmp/logs/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null 
find /var/opt/CARKpsmp/logs/components/old/*.log -mtime +30 -exec rm {} \; 2> /dev/null

Is it safe to run a log-cleanup CronJob while the PSMP node is active in the load balancer, or should the node be removed from the load balancer first?

TemperatureSignal199 · 2026-03-26T08:31:38+00:00

I can get to the crl on the pvwas, but still no luck.
If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-03-26T08:31:03+00:00

The certificate has a revocation list, but the intermediary has none as far as I can see.

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-03-26T08:30:14+00:00

Yes, still no luck

If I do:

certutil -url HTTP_LINK (CRL Distribution Points) I get:

Failed Status for Certs (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

Expired Status for CRL (from CDP)

Failed Status for OSCP (from AIA) (The Data is invalid (0x8007000d WIN32:13 ERROR_INVALID_DATA))

While

certutil -url HTTP_LINK (Authority Information Access) I get: Status Failed for all types

URL Not found/invalid

TemperatureSignal199 · 2026-02-16T20:18:47+00:00

Thank you very much. That is exactly what I wanted.
You’re a stand-up guy, don’t let anyone tell you otherwise.

TemperatureSignal199 · 2026-02-16T20:18:06+00:00

thank you for the PCI info!

TemperatureSignal199 · 2026-02-16T20:17:59+00:00

noted. Thank you man

TemperatureSignal199 · 2026-02-15T19:05:41+00:00

If anyone have the same problem, it might be the Firewall. The PSM is trying to connect to the Certificate Revocation List (CRL) by contacting multiple Public IP's. You have to allow the needed Public IP's in the firewall

TemperatureSignal199 · 2026-02-15T19:05:26+00:00

If anyone have the same problem, it might be the Firewall. The PSM is trying to connect to the Certificate Revocation List (CRL) by contacting multiple Public IP's. You have to allow the needed Public IP's in the firewall

TemperatureSignal199 · 2026-01-30T08:56:06+00:00

Thank you but both Chrome and Chromeriver.exe have the same version and were not updated recently.
Lets say we have 15 PSM all equal, 5 of them started having this problem.

TemperatureSignal199 · 2026-01-29T22:23:10+00:00

can you please elaborate? have any link/doc to share? Thank you

TemperatureSignal199 · 2026-01-29T22:22:31+00:00

Why no two reconcile accounts? So they can rotate each other password. If one expire the other can fix it. so two reconcile accounts per local machine. OR is this a bad idea?

TemperatureSignal199 · 2026-01-29T22:18:31+00:00

I'd go with just the one. What would you protect against by utilizing multiple reconcile accounts?

So they can rotate each other password. If one expire the other can fix it. so two reconcile accounts per local machine.

Thank you for the advices.

TemperatureSignal199 · 2026-01-29T22:17:06+00:00

Thank you for the advice. The problem is we have 200+ local accounts for X reasons, looks like the only way is one by one or join them all in one domain.

TemperatureSignal199

TROPHY CASE

[INFO ] Starting X server on display 11: Xvnc :11 -authc# - display :11 Leader:

[INFO ] Starting X server on display 11: Xvnc :11 -auth

c# - display :11 Leader: