Unable to authenticate a remote control session with an AD group but can with individual AD users
Last Updated June 17, 2013
If one or more Active Directory (AD) groups are defined in the pcAnywhere Settings policy under the Authentication tab, and the user specified for remote control authentication belongs to the group(s), the authentication fails. When the same AD user account is directly added to the pcAnywhere Settings policy, remote control authentication succeeds.
The remote control attempt may not show any error, but instead the window may simply close.
One cause may be a recursive loop in the authentication process, caused by the presence of one AD group as a member of another, while both are listed in the pcAnywhere Settings policy.
For example, let's say that the pcAnywhere Settings policy lists both the "Domain Admins" group and the "Domain Workstation Admins" group. In AD, the "Domain Admins" group is a member of the "Domain Workstation Admins" group. pcAnywhere fails to authenticate a user who belongs to either of these groups because it goes into a recursive loop during the authentication process, and then the remote control attempt times out.
Update: A secondary situation has been identified which causes this issue. If a circular membership between AD groups is present, this will also cause pcAnywhere authentication to do a recursive loop while validating permissions. For example, ADgrp1 is the targeted grp in pcAnywhere settings policy for authentication. ADgrp1 is a member of ADGrp2; ADgrp2 is a member of ADgrp3; ADGrp3 is a member of ADgrp1.
Possible workaround: Use QuickADSGroupAuth reg key on host. See TECH109926 for details.
Avoid adding multiple AD groups to the Authentication tab of the pcAnywhere Settings policy if possible.
Try to use a single AD group which contains all other groups and users who will be allowed to initiate remote control sessions.
If multiple AD groups are defined in a pcAnywhere Settings policy, verify that the groups are mutually exclusive such that they do not contain each other.
Update Solution: While the above recommendations/solution are still valid, an update is available as a download below. This update can be applied to the following versions: