10.9. Usernames in RDP connections

When processing RDP connections, PSM attempts to extract the username from the connection. For example, you need the username to:

  • Use gateway authentication for the connection. For details on gateway authentication, see Section 18.2, Configuring gateway authentication.

  • Use usermapping policies. In this case, PSM compares the username on the server with the username on the gateway. For details on usermapping policies and gateway authentication, see Procedure 18.1, Configuring usermapping policies and Section 18.2, Configuring gateway authentication, respectively.


    In certain cases, PSM receives an empty username from the server, and the connection will be denied by the usermapping policy unless a policy is set for the connection that allows every user for the given group. To add such a policy, specify * in the Username on the server field of the usermapping policy. For a list of cases when PSM receives empty username, see Section Windows settings that interfere with username extraction.

  • Search or filter connections by the username on the PSM search interface, or create automatic statistics based on the username.

  • Find the connection of the user on the Four Eyes and Active Connections pages.

  • Usernames are also essential if you want to use Privileged Account Analytics. If you are interested in Privileged Account Analytics, contact our Sales Team, or your Balabit representative.

PSM can record the username automatically if the RDP connection is using Network Level Authentication (CredSSP), and usually in other scenarios as well. If PSM cannot automatically extract the username, it displays the following login screen to the user (note that PSM can display this login screen only in TLS-encrypted connections).

The known scenarios that interfere with RDP usernames are listed in Section Windows settings that interfere with username extraction.

Figure 10.8. Server-side login in RDP

Server-side login in RDP

To ensure that your users can access the target servers only when their username is recorded, you can configure PSM to terminate RDP connections if it cannot reliably extract the username. To terminate such connections, clear the RDP Control > Settings > Permit unreliable usernames option.

Windows settings that interfere with username extraction

The following settings on the Windows client or server can prevent PSM from correctly extracting the username from the RDP connection. As a result, the username is not visible on the Search, Four Eyes and Active Connections pages.

  • The DontDisplayLastUserName option is enabled on the server. The DontDisplayLastUserName security setting of Windows servers specifies whether the username from the last successful login is displayed on the login screen as a default for the next login. To disable the DontDisplayLastUserName security setting, do one of the following.

  • There is no server-side authentication. To avoid this problem, ensure that your server requires authentication from the users.

  • If the server is Windows 2003 Server or Windows XP and the Allow to save credentials or Remember my credentials options are enabled in the Remote Desktop client application. In this case, disable these options on the client, and delete any credentials that have already been saved on the client.