Privileged Account Manager 3.6 Patch Update 1 Release Notes

June 2019

NetIQ Privileged Account Manager 3.6 P1 resolves several previous issues.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Privileged Account Manager Community Support Forum, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click the comment icon on any page in the HTML version of the documentation posted at the Privileged Account Manager Documentation website. To download this product, see the Micro Focus Downloads website.

1.0 Software Fixes

Privileged Account Manager 3.6 P1 includes software fixes that resolve the following issues:

1.1 Agent Crashes with Access Violation Error

Privileged Account Manager 3.6 P1 resolves the random agent crash issue observed on multiple Windows servers.(Bug 1129917)

1.2 Error When Launching Application SSO with Session Capture Turned off on RemoteApp

Privileged access to applications are monitored and session capture is now supported for application SSO policy on remoteApp.(Bug 1106942)

1.3 Direct Access Mode Sessions are Misplaced in the User Console

Issue Direct access mode sessions are misplaced within Access > Sessions in the user interface.

Fix: Direct access mode of privileged SSO sessions is now shown separately in the user console so that the users get a view of what applications to use with privileged access. Users can use this functionality only through direct RDP or RDP relay and they cannot launch it from the user interface.(Bug 1123614)

1.4 Application SSO Fails when You Enable Secondary Authentication in the Rule

Application SSO for remoteApp now supports secondary authentication.(Bug 1121836)

1.5 RemoteApp Application Spans across the Monitors when Multiple Monitors are Connected

Even when you connect multiple monitors to the machine, the RDP session now opens only in the primary monitor by default. User has to select the Enable Multiple Monitor option before starting the multiple monitor session.(Bug 1107532)

1.6 Application SSO in RemoteApp Mode Fails when you modify Run Host to Host Group in the Rule

Run Host is now non-editable in the application SSO rule and is always set to All Hosts. Run host is set to All hosts because Privileged Account Manager automatically does load balancing and starts the session in one of the Application SSO module servers for remoteApp.(Bug 1107528)

1.7 Application SSO is not Authorized When You Disable it in the Parent Rule

Now it is not necessary to enable application SSO option in all the rules in the nested rule. Application SSO is authorized even when the appropriate child rule alone has the option enabled.(Bug 1105060)

1.8 RDP Resolution Options are not Available for both Single and Multi-Monitor RDP for Remote Application SSO Sessions

Privileged Account Manager now supports RDP resolution options for both single and multi-monitor RDP for remote application SSO sessions.(Bug 1137412)

1.9 Script Values are not Saved when you Create and Modify a Script

Adding a new script and changes to existing scripts are saved successfully.(Bug 1136967)

1.10 Changing the Password Results in the Script Connecting to the Active Directory Domain Name Instead of Host

While changing the password for Active Directory, the password management script now connects to the host of the Active Directory.(Bug 1137582)

1.11 Intermittent Windows Stop Error on the Windows Agent

This patch update provides a potential fix to address this error.(Bug 1132216)

1.12 The Linux Password Change Script does not Change the Password for the root User

The Linux password change script now changes the password of the root user even if root is the reconcile account.(Bug 1138515)

1.13 Video Conversion Fails Intermittently with an Error

Issue: Privileged Account Manager terminates video processing after a 10 minute timeout period. The retry of the action also fails because the intermittent file still exists.

Fix: This patch update deletes the intermittent WebM file before the retry.(Bug 1135861)

2.0 System Requirements

For information about hardware requirements, supported operating systems, and browsers, see Privileged Account Manager 3.6 System Requirements.

3.0 Upgrading Privileged Account Manager

You can upgrade to Privileged Account Manager only from version 3.6. For information about upgrading Privileged Account Manager, see Upgrading Privileged Account Manager.

NOTE:Privileged Account Manager does not monitor active Windows sessions during this patch update. So, ensure that there are no active sessions when installing this patch update.

4.0 Updated Modules

This version of Privileged Account Manager 3.6 P1 updates the following modules:

  • Access control <myaccess>

  • Remote execution for the command control agent <rexec>

  • Command control manager module <cmdctrl>

  • Administration interface <admin>

  • Framework package <spf>

  • Provides secure management for privileged credentials <prvcrdvlt>

  • Command control console module <cmdctrl>

  • Scheduling and managing tasks <taskmanager>

5.0 Known Issues

Micro Focus strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

5.1 Privileged Single Sign-on to Microsoft Edge is not Supported

Workaround: Use any supported browser other than Microsoft Edge. (Bug 1079379)

5.2 Secure Shell Java Terminal Displays Random Characters Instead of the Typed Characters

Issue: SSH Java terminal displays random characters instead of the typed characters on Java SSH relay connection to certain network switches. (Bug 1086870)

Workaround: Use alternative SSH clients such as command line SSH or PuTTY, or MobaXterm, instead of Java SSH.

5.3 Unable to Refresh Data In Access page While Using Internet Explorer 11

Issue: When you click Refresh in the Access page, the updated data is not displayed.(Bug 1095367)

Workaround: Click Refresh in Internet Explorer browser instead of Refresh in the Access page.

5.4 Time Zones Are Different In Reports and Keystrokes

Issue: For certain Linux and Unix sessions, the time zone for Start Time is different in the Reports and Keystrokes. (Bug 1041802)

Workaround: There is no workaround at this time.

5.5 All Registered Agents become Unregistered after License is added to Privileged Account Manager

Workaround: Install PAM License immediately after deploying PAM manager. If license is added later, re-register the agents after you add a new license. (Bug 1100050)

5.6 Audit Videos do not Play in Microsoft Edge

Workaround: Use any of the other supported browsers to view Audit videos. (Bug 1037322)

5.7 PAM User Console cannot be Custom Branded

Workaround: There is no workaround at this time.(Bug 1094124)

5.8 Unable to Log into PAM Console by Using Firefox Quantum and Edge browser, When Secondary Authentication is Enabled for Biometric Devices

Issue: When you use Privileged Account Manager in Microsoft Edge or Firefox Quantum, after you install AAF 6.0, you are unable to enroll biometric devices. (Bug 1097960)

Workaround: There is no workaround for Firefox Quantum at this time. For the workaround while using Microsoft Edge, see the Privileged Account Manager 3.6 System Requirements.

5.9 Newly Created Reports are not Listed Under My Reports in Internet Explorer 11 Browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100985)

5.10 New sessions are not Updated in Session Table in Internet Explorer 11 browser

Use browsers other than Internet Explorer 11. To view the list of supported browsers, see the Privileged Account Manager 3.6 System Requirements. (Bug 1100970)

5.11 Moving Multiple Objects Does Not Work

Issue: Selecting and moving multiple objects by using the Shift/ Ctrl key does not work. (Bug 915307)

Workaround: There is no workaround at this time.

5.12 The Run as privileged user Option Is Not Displayed on a Windows 2012 Server Start Menu

Issue: When you right-click Start menu on a Windows 2012 server, the Run as privileged user option does not get displayed. (Bug 901032)

Workaround: To workaround this issue, right-click the application in the folder where the application is installed to execute Run as privileged user.

5.13 The Command Control Objects Are Not Displayed When Large Number of Objects Are Added Simultaneously

Issue: When Command Control Objects are added simultaneously in large numbers, the objects do not appear in the console. This is an intermittent behavior. (Bug 908307)

Workaround: There is no workaround at this time.

5.14 The Unregistered Hosts List Is Not Working

Issue: In the administration console, when you search for unregistered hosts by clicking Hosts > List Unregistered Hosts > IP Range, the Failed to list unregistered agents error is displayed. (Bug 832747,790444, 1104360)

Workaround: Ensure that when you install Agents, you register it with the Manager for Privileged Account Manager. However, there is no workaround to register multiple unregistered hosts at the same time.

5.15 The Changes to the Syslog Settings Do Not Get Applied

Issue: In the Reporting console of Privileged Account Manager when you save the changes to syslog settings, such as select SSL, or Allow Persistent Connections, the changes are not applied. (Bug 895993)

Workaround: To workaround this issue, restart Privileged Account Manager.

5.16 RDP Relay Does Not Work When Network Level Authentication Is Enabled

Issue: RDP Relay fails with the error The remote computer requires Network Level Authentication, which your computer does not support. when Network Level Authentication (NLA) is enabled on the host. (Bug 774061)

Workaround: Perform the following to disable NLA on the remote desktop session host:

  1. Click Control Panel > System > Remote Settings.

  2. Deselect Allow connections only from computers running Remote Desktop with Network Level Authentication and click OK.

For more information about using PAM application SSO where NLA can be enabled, see the Knowledge Base Article 7020137

5.17 NPAM Service Commands Do Not Work In SUSE Linux Enterprise Server 12 or Later

Issue: The NPAM service commands such as start, stop, restart, and status do not work in SUSE Linux Enterprise Server 12 or later. (Bug 1041284)

Workaround: To workaround this issue, perform ONE of the following:

  • Kill and restart the NPAM process using the following command:

    pkill unifid

    /etc/init.d/npum start

  • Reboot the system using the following command:



    shutdown -r now

After performing one of the preceding steps, you can verify the NPAM process running status by executing the following command:

/etc/init.d/npum status

5.18 Cannot Launch SSH Relay Session from User Console in FIPS mode

Workaround: Launch SSH relay session using any other standard SSH clients.(Bug 1109771)

6.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at

Additional technical information or advice is available from several sources: