Configure Windows Transparent Login

Provisioning Windows transparent login on and through has these stages:

capam33

Provisioning Windows transparent login on and through Privileged Access Manager has these stages:

Preparing Target Device records, including an RDP server hosting an RDP Application

Running the Learn Tool at the RDP server in coordination (through the RDP Access Method applet) with Privileged Access Manager

Configuring the RDP Application record on Privileged Access Manager

Provisioning Target Account records and Privileged Access Manager Policy

To run Learn Tool and edit transparent login configurations, a Privileged Access Manager administrator must have at minimum the role of Service Manager. This level of role permits the

servicesRead

servicesManage

, and

servicesDelete

privileges. Among the preconfigured roles, these privileges are also provided only to the Global Administrator and Operational Administrator roles.

Prepare Targets

Initially, as the Privileged Access Manager administrator, you provision a Device and the RDP Application that is the target (or intermediary) of the transparent login. You might also want to provision (in Credential Manager) the primary access credentials that are consumed during login to the Device. At this stage, you do not need to provision the secondary credentials that are consumed by the RDP Application.

Run Learn Mode

During Learn Mode, Privileged Access Manager is taught the credential-processing interfaces of the provisioned RDP Application. This process captures the required sequence in a transparent login configuration file that is stored at Privileged Access Manager.

Example Procedure

This example procedure uses the execution of a connection to a Linux target device using the RDP Application PuTTY.

Confirm that you have provisioned in Privileged Access Manager your desired target Device. Confirm that the target RDP Application, that is configured later in Privileged Access Manager, is installed on that Device.

If needed, log in to Privileged Access Manager as the administrator responsible for Learn Mode.

Navigate to the Access
page.

Mouse over the RDP
link to the target Device so that (after a moment) it displays the RDP options pop-up window.

While in that panel:

Select the option Learn mode
.

You might also want to expand the size of your RDP window in Resolutions
to the largest practical value. Example: "Fullscreen" Learn Mode is easier to use when there is a large target desktop.

Select Launch
to initiate the RDP connection.

Your RDP applet and connection launch.

Following login, a script window appears telling you that the Learn Mode Tool ("Transparent Login Learn Tool") is launching. The initial Learn Tool window opens. If transparent login configurations are already set up, they are shown in the drop box near the upper left corner of the Learn Tool.

With the Learn Tool, you can create a configuration script that allows Privileged Access Manager to recognize the username, password, submit, and other widgets of an RDP Application when your Users connect to that application. This script also populates and executes these widgets for transparent login.

Initially, several configurations (Transparent Login Configurations, or TLCs) can be pre-populated in Privileged Access Manager. As the Learn Tool is launched, these configurations are loaded into Learn Tool memory and are available from the configuration name drop-down list.

In this example, we create a configuration. First, assign it a name, in this example PuTTY-to-LinuxTarget1. This name is found in the Transparent Login Configurations
list on Privileged Access Manager. You can edit the name in the Name
field when you prepare your RDP Application record.

Select the "Add new configuration" button, and in the dialog window enter a Name
, and select OK
.

The configuration name now appears in the field to the left of that button, and is immediately saved.

To save the (currently empty) configuration in Privileged Access Manager with this name, select the "Save configuration" button.

Open your target RDP application; a configuration interface is ordinarily presented (the PuTTY Configuration
window).

While both the Learn Tool and the application are open during this procedure, you populate the Learn Tool script window (the body of its GUI). You identify widgets on the target application using one of several Learn Tool widgets that are detailed in the following tables. Each use of a scripting widget inserts a script command.

When executing PuTTY using its GUI, the simplest procedure might be to specify a target address, then execute a connection using PuTTY default parameters. Then automatically submit the username and password to affect a login:

First, identify for the Learn Tool the location of the PuTTY Session screen, Host Name (or IP address)
field. When the script is run, Privileged Access Manager knows where to insert that address.

To create the script command that provides this functionality, select the "Text input" tool. Like each of the other Learn Tool scripting controls, this tool invokes an Add Edit Tag
dialog window. Specify parameters to identify and populate this command in this window.

The first field is the Element type
. In this case, select the default "Text Field", which is the type of control widget that PuTTY Host Name (or IP address)
is. (The other choices are "Drop Down List", "Checkbox", "Radio Button", and "Keystrokes"). To identify where this field is, provide the Element ID
. The first step is to invoke the application AutoIt Control Viewer (v. 1.1) from the Learn Tool menu:

Select the "Run Control Viewer" button from the Learn Tool menu bar. You might briefly see a script window, and then in a minute or so the Control Viewer
window appears. Now you have three windows. The Learn Tool window is resizable.

In the Control Viewer window, press and hold your mouse over the Browse Tool
square area to the upper right. A magnifying glass icon appears, which is your control selection cursor.

While you hold your mouse down, move this cursor over to the location of the widget (GUI field, or control) that you want to identify.

As you move the cursor, the control of the target application that is under the cursor displays a red outline. Depending on how the application (PuTTY) was designed, the red outline might refer to a single control or a group of controls.

If the specific
control (here, the host name field) is already outlined in red, you would now skip the remainder of this step 10.

However, a group of controls is selected, and you have not yet been able to identify the Host Name (or IP address)
field itself.

Look at the additional characteristics for this specific control that is highlighted in the blue item in the Controls
list at the bottom of the Control Viewer window. This list also identifies any subordinate controls that are contained by that control. In this case, we want to identify the specific host name control.

Scroll that list to select the other controls in the list, one by one, until you match the one you are searching for. When the selected control is outlined, note (under the Control
tab in the central Info
group) what its full Instance
name (5) is: here, "[CLASS:Edit; INSTANCE:1]".

You have now identified the exact field that Privileged Access Manager must populate. Finish using the Learn Tool Add
Edit Tag
window that you opened in step 8:

Select the entire Instance
name (from open bracket to close bracket, inclusive), and copy it in the Element Id
field.

In the Value type
field, select the "text" option. The other two options are "username" and "password." These options refer to data that is supplied by Privileged Access Manager during execution, and not embedded in the script.

In the Value
field, enter the IP address that you use to populate that PuTTY field. Alternatively, you can specify a variable hostname by using
*Value type
="host" (which has a fixed Value
="true"). In that case, the Device that is associated with the secondary Target Account that is specified in policy is used. See also Element type
='Keystrokes' in step 14, in which a Target Account is also used to populate username and password.

Select OK
to insert the populated script command. The command appears in the script body. Alternatively, you can specify a variable hostname by using
*Value type
="host" (which has a fixed Value
="true"). In that case, the Device that is associated with the secondary Target Account that is specified in policy is used. See also Element type
='Keystrokes' in step 14, in which a Target Account is also used to populate username and password.

The second element in the PuTTY Configuration window you identify is the Open
button (on the same screen), which is used to execute the connection:

Use the Control Viewer procedure of step 10 to identify the Element ID
for this button.

Once you have that ID, open the "Mouse click" tool because that is how this PuTTY control is used. The Add
Mouse Click Tag
popup window appears.

We are using the first option, Click on the element
. The other option allows to you specify a specific pixel location for the mouse click. Enter the Element ID value that you identified in step 12a into the ID
field.

Select OK
to insert the populated script command. The command appears underneath the first command you entered.

You have now specified the two elements that provide PuTTY a destination.

However, the point of the transparent login feature is to insert Privileged Access Manager-supplied credentials transparently. Although the PuTTY application closes its configuration window and opens a console for execution of the SSH connection, create a script to provide those credentials. Select the "Save configuration" button to save the current configuration. Then, select the "Add new configuration" button to create another configuration for PuTTY login credentials.

PuTTY opens its console and communicates with the target Linux Device. Doing this might take some time, and we can account for it in the script.

Select the "Sleep" clock icon to open a new widget in which you enter a number of milliseconds. As a rough estimate, you might provide 1000, which allows PuTTY to open and close its windows and be ready with the prompt it receives from its target device.

Now you can assume that your console window is ready with the first of its login prompts from the target, for the username. The Learn Tool allows you to enter a script command that recognizes the Target Account Name:

Select the "Text input" again. Set up the Add Edit Tag
as shown, with Element type
="Keystrokes" (and then Element ID
="window" by default) and Value type
="username".

Select OK
. The script command that is created grabs the Account Name from the Target Account that is provided by Privileged Access Manager through your Policy specification. The command then passes it along to the PuTTY target.

However, to submit
the username to the OS then, you have to send a return command. That is, the Enter
key: Use the "Text input" tool as in the previous step. This time set Value type
="text", and for Value
, click your mouse inside its field and press the Enter
key. The field then displays the text

{ENTER}

. Select OK
to insert this tag.

Likewise, use the "Text input" tool to set a second command with Value type
="password". Remember before entering that command to insert another "wait" command using the "Sleep" tool as already explained. You might need to experiment for the most efficient wait times.

Save this TLC by selecting the (now-active) Save configuration
floppy disk icon near the right side.

Now you are ready with your script. However, you might want first to test it to see that it performs as expected. Privileged Access Manager provides this capability with the "Debug" tool.

(Optional) To test your configuration, run the Debug tool. This feature executes the currently staged TLC script while displaying debug-level messages in a console.

Select the "Debug" tool button to open the Run dialog
window.

In the App path
field, use the browse […]
button to the right to specify the location of the RDP Application executable.

Enter the Title
of the first window, so that Debug can locate it.

When credentials and destination must be supplied to execute script processing fully, enter them in Username
, Password
, and Host
.

When you are ready to run the debug program, select Run
.

The Debug console appears.

The Debug program first checks each tag for syntax errors, providing feedback in the console, under an initial "App #1" line label.

When you bring RDP Application window (manually) into focus, the Debug program then executes the script. The sequence is labeled ("Try #1"), and then feedback is provided for each tag. If a tag fails to execute successfully, the script is restarted and executes again.

(Optional) To improve security in confirming your target application, generate, and copy the SHA-1 digest for the RDP Application. Use the Learn Tool's Get Application Fingerprint
feature. When configuring the RDP Application in Privileged Access Manager, copy this value into the Application Fingerprint
field.

Continue with Configure RDP Application.

Reference

The following tables describe the Learn Tool features.

Learn Tool: Menu Bar

Menu		Description
View	Always on Top	When selected, this feature keeps the Learn Tool window in front of all other windows, even when it is not in focus. The selection state is persistent: After logging off this Device and then logging in again, the option value (whether selected or unselected) remains the same. Default: Selected
Action	Clear cache	Select to remove currently cached applications. When cache is set to "Enable" in Global Settings , Applet Customization , Transparent Login Cache , the Windows target caches the Transparent Login Agent (TLA), Learn Tool, and Control Viewer that are downloaded during connection from `Privileged Access Manager` when transparent login has been configured, provisioned, and activated. On subsequent connections to that Windows target, the load times for these applications are reduced.
Help	Learn Tool Help	Opens the Compiled HTML (CHM) Learn Tool Help file, which contains detailed descriptions of the Learn Tool controls.
Help	About	Identifies the Learn Tool application and build versions in a dialog window.

Learn Tool: XML Scripting Controls

Icon and Tooltip		Description
		One set of <window></window> tags brackets a single-level sequence of XML commands for `Privileged Access Manager` to manipulate the windows of an RDP Application. Each script control inserts a line containing one XML tag with attributes at the end of the sequence, above the </window> tag. You can copy-and-paste the XML tag lines as in a text editing program, so you can move the lines when and where needed.
Camera icon	Screen verification	Allows insertion of a tag that verifies that a portion of the screen image of the transparent login application matches a previously saved screen capture. Usage After selection, the mouse cursor becomes a cross hair, while the full screen area of the RDP window dims and becomes an active grid. Meanwhile, the Learn Tool window is hidden from the desktop so that it does not interfere with screen capture. Use the cross-hair cursor to define a rectangle indicating a portion of the RDP Application GUI to be compared to the same GUI during runtime. After mouse-up from the cursor, the dialog window Screen Capture Preview displays the comparison Screen capture and the Generated XML Tag to be inserted as PNG. Select OK to insert this tag and show the Learn Tool window again. Note: Ensure that the captured image portion does not vary from application invocation to invocation, and matches whether the window is active or inactive.
		Example: (truncated): <checkimg content="iVBORuu ... C6kYII=" />
Clock icon	Sleep	Allows insertion of a tag that pauses the script for a configurable number of milliseconds. Usage: Upon selection, opens the Add Sleep Time Tag pop-up window to specify the milliseconds, then inserts the tag at the end of the script.
		Example: <sleep time="500" />
Keyboard void icon	Freeze Input	Allows insertion of a tag that disables user input (keyboard and mouse events) while a Transparent Login script is running. Freeze Input can prevent re-injection of the user password when using multiple browser tabs. This example freezes user input for 10 seconds. Note: Place this statement at the beginning of your script.
		Example: <inputfreeze action="enable"/> <sleep time="10000"/> <inputfreeze action="disable"/>
Duplicate windows icon	Activate window	Allows insertion of a tag that places the named window into focus. Usage: Upon selection, inserts this tag at the end of the script.
		Example: <activate />
Mouse icon	Mouse click	Allows insertion of a <click> tag, which affects a mouse-click at a specified location: on a specified button as identified using the Control Viewer; or at the center of the target window; or at a location specified "x" pixels from the left and "y" pixels from the top of the target window.
		Example: button: <click id="[CLASS:TEdit; INSTANCE:2]" /> Example: window center: <click pos="center" /> Example: location: <click x="123" y="72" />

Icon and Tooltip		Description
Page with pencil	Text input	Allows insertion of a tag that submits one of these data types: Edits a specified control (field, drop-down list, checkbox, radio button) so that it contains specified data (text, sequence value, Boolean value). Sends a text string, which is composed of literal values, key stroke shortcuts or labels, or parameters provided by `Privileged Access Manager` such as username or password.
		Element type	Element ID	Value type	Value
		"Text Field"	as determined through Control Viewer – see example in procedure	"text"	String, to populate the field
		"Text Field"		"username", or "password", or "host"	"true": For the specified Value Type, TLA sends the Value that is attached to the User policy through the target account record.
		"Combobox"		"text"	String, matching a (drop-down) list option
		"Combobox"		"index"	Integer, as specified to select the ordinal location of a (drop-down) list option
		"Keystrokes"	"window" (or none)	"text"	As specified: (a) strings, and (b) key stroke tags: (i) entered into the dialog field by typing merely the named key: • includes: .ENTER,.ESCAPE, TAB. • appear as: {ENTER}, {ESCAPE}, {TAB} • only one is permitted per XML tag. (ii) entered by typing the key sequence: for example: {F1} entered by typing the four keys: .{+ .F + 1 +} +
		"Keystrokes"	"window" (or none)	"username", or "password", or "host"	"true": For the specified Value Type, TLA sends the Value in the Target Account that is chosen for the RDP Application that is specified in `Privileged Access Manager` policy.
		Element type	Element ID		Checked
		"Checkbox"	As determined through Control Viewer		"True" or "False"
		"Radio Button"	As determined through Control Viewer		"True"
		Example: (using "Text Field", "text" options in dialog): The following tag inserts the text string "123" (without quotes) into the ID-specified text field: <edit id="[CLASS:TEdit; INSTANCE:1]" text="123" />
Checkmark icon	Element Verification	Allows insertion of a tag that confirms or denies existence of an element. Optionally verifies that element in a specified state (for example, a text field containing a particular string).
		Element types: Text field \| Combobox \| Checkbox \| Radio Button Element ID: Code identification of GUI feature that is obtained through Control Viewer. Value: Literal. Ranges: Checkbox and Radio Button: (only) "checked" Example: The following tag verifies that the radio button that is identified has been selected: <verify component="radiobutton" id="[CLASS:TRadioButton; INSTANCE:3]" /> If the component is not confirmed, the TLC script halts.

Learn Tool: Utilities

Icon and Tooltip		Description
Page with magnifying glass	Run Control Viewer	Runs the third-party, Learn Tool bundled application, AutoIt Control Viewer version 1.1. This application can be used to determine the Element ID when needed in a script command. (No other Control Viewer functions are needed for `Privileged Access Manager` use.) Usage: (to identify a control or widget): See example in steps 9-10 of the procedure. Usage: (to identify a window name): To populate the <window id= ""> XML tag (top line of the TLC): From the Control Viewer window in the Browse Toolbox in the upper right, click your mouse and hold it down to show the magnifying glass cursor. While holding your mouse down, drag the cursor so that it is over your RDP Application window title bar, then let your mouse up. In the Control Viewer Info panel, Window tab, Class row, copy the text from its field. For example, for PuTTY, Control Viewer might display "PuTTYConfigBox". Paste the text from that field into the following string: [CLASS:WindowID; INSTANCE:1] substituting "WindowID" with your actual value. Paste the entire revised string between the quotation marks into the <window id="" /> tag on the first line of your TLC. Example: <window id="[CLASS:PuTTYConfigBox; INSTANCE:1]" />
Fingerprint	Get Application Fingerprint	Calculates and displays an application fingerprint for an RDP Application so that it can be used during transparent login attempts. Usage Select this button to open the Get Application Fingerprint dialog window. Select the path location of the application executable and a fingerprint string is generated and populated into the Application Fingerprint field. Copy the full text string into the Ctrl-C buffer or a text file. Paste the fingerprint to the corresponding Application Fingerprint field of a `Privileged Access Manager` RDP Application record. When `Privileged Access Manager` makes a transparent login attempt, it first checks this stored fingerprint against one generated for the RDP Application discovered on the target RDP server (Windows Device). If the fingerprints do not match, the attempt is canceled.
Play icon	Debug	Runs the TLC script currently staged in the Transparent Login Configuration panel (the main body of the window). Usage: See example in step 17 of the previous procedure.

Learn Tool: File Controls

Icon and Tooltip		Description
Drop-down list	Filter by name / (configuration name)	Displays the name of the configuration staged in the Transparent Login Configuration field (the 'body' of the window).
	(configuration list)	This drop-down list lists transparent login configurations, either: (a) all staged in the Learn Tool (b) filtered by name (string) entered When the Learn Tool is launched following an RDP connection, these configurations are copied from the full set that is managed in `Privileged Access Manager` Services, RDP Applications, Transparent Login Configurations. The initial set of configurations can include several configuration samples (for example, for PuTTY or WinSCP) corresponding to recent versions of those applications.
Page with plus sign	Add new configuration	Opens a dialog window into which you can enter the name for a new configuration. Upon selecting OK, the Learn Tool body is cleared (to <window> tags), a new config file is created on `Privileged Access Manager` with that name, and the name is loaded into the drop-down field. Upon creation of new XML tags, the name is marked with a preceding asterisk, indicating unsaved changes.
Duplicate pages	Copy configuration	While a configuration file is staged, this button opens a dialog window into which you can enter the name for a new configuration. The content of the first configuration is then copied into the new configuration so it appears in the Learn Tool GUI as if only the name has changed. You can then edit and save to that new file.
Page with X	Remove configuration	Opens a dialog window for confirmation. Upon selection, removes the currently staged configuration from the Learn Tool and the file from `Privileged Access Manager`.
Inactive - gray floppy disk Active - blue floppy disks	Save configuration	When active, saves the currently displayed configuration to `Privileged Access Manager`.
Inactive - gray floppy disks Active - blue floppy disks	Save all changes	When active, saves all configurations that are staged in the Learn Tool drop-down (that differ from currently saved versions) to `Privileged Access Manager`.
Cycle arrow	Refresh all	Loads all currently saved `Privileged Access Manager` TLCs into Learn Tool. If there are unsaved configurations in the Learn Tool, they are erased.

Configure an RDP Application

After using Learn Mode, you have a transparent login configuration in Privileged Access Manager that you can apply to the RDP Application you are targeting.

Follow these steps
:

Navigate to Services, Transparent Login Configurations.

Here you can confirm that the configuration you created with the Learn Tool is now available for use.

Select the line item for your configuration, and confirm that it is as created in the Learn Tool.

Alternatively, you can create a configuration file from scratch by selecting the Add
button to open a blank template and populate it. Configuration files are not dependent on creation with the Learn Tool.

Return to Services, Manage RDP Applications.

Select the Add
button to open a blank template.

Enter an RDP App Name
that is helpful to your Users when they access the link from their Access pages.

In Launch Path
, provide the Windows pathname for the local target drive location of the application.

(Optional) - Select
Hide From User
. Select this option if you want a user to access the RDP applications in an RDP access method, but not allow the user individual access to the RDP application.

On the Transparent Login
tab, select the Transparent Login
box.

(Optional) In the Application Fingerprint
field, paste the SHA-1 digest you generated while using the Learn Tool.

Select OK
. A new line identifies the window of this RDP Application that is used to execute a transparent login. After Privileged Access Manager identifies the title of the designated window, it executes the associated configuration to perform transparent login, or other behavior requiring credentials supplied by Privileged Access Manager.

Enter the Window Title
that is displayed in the RDP Application GUI.

From a drop-down list of currently managed transparent login configuration files (see Step 2), select an appropriate configuration in the Transparent Login Configuration
field.

If you want this configuration to be available to the User during any RDP session (with access to the Windows Desktop) to this target Device, and not exclusively during a session to this RDP Application, select the RDP Session
checkbox. When the User connects to an RDP server, the Transparent Login agent is loaded and runs in the background. Once the configured RDP Application is launched, the Transparent Login agent detects it and automatically fills out the necessary information to proceed. Enable this option if you are using Hide From User in step 7.

You can create more line items using Add Window
if you want to assign more transparent login configurations using this RDP Application. (For example, using PuTTY, you might specify alternate targets or a different login parameter.)

Select Save
.

Edit the Privileged Access Manager Device record for the Windows RDP server so that it uses this RDP Application, now listed under Services
.

Continue with Activate Policy.

Activate Policy

When you associate a Transparent Login RDP Application Service with a Privileged Access Manager Policy, specify target accounts for use by the Transparent login Agent on the target device. These target accounts are referred to as Transparent Login Credentials. They are the credentials that are used to fill in the "username" and "password" attributes in the Transparent Login scripts generated by the Learn Tool. They are associated with the Transparent RDP application.

Follow these steps:

Ensure that the Transparent Login RDP Application is associated with the correct Target Device. Follow the steps to associate a Service with a Device.

Navigate to Policies, Manage Policies. Select the Add button to create a new policy or Update to add the Transparent Login RDP Application service to an existing policy.

Enable Transparent Login for this policy. Select the Enabled checkbox on the Transparent login tab.

Select the Services tab.

Locate the Transparent Login RDP Application Service under Available Services and select the service. Use the right-arrow icon to move the service to the Selected Services area.

Select the login target account for auto login into the policy Device. Select the gray magnifying glass icon undert the Target Account column.

When you select a Transparent Login RDP Application service, the bottom half of the tab populates with the details about the service. If you do not require Transparent Login Credentials for this service, select OK to save the policy.

Select the magnifying glass icon next to Transparent Login Credentials on the bottom right of the tab.

Select the accounts that you want to make available for use with the selected Transparent Login RDP Application Service. Select OK. These are the accounts that the Transparent Login agent offers for use when the end user accesses a Transparent Login application through the Access page.

Caching

Depending on your security needs, and after using the Learn Tool and testing transparent login configurations, you might enable the Transparent Login Cache. This feature caches the Learn Tool (when used), the Transparent Login Agent, and the Control Viewer (when Learn Tool is used) on the RDP server. They do not need to be loaded onto a temporary local drive during each login at that Device, thus reducing application startup time.

Configuration

To turn on caching, set Global Settings
, Applet Customization
, Transparent Login Cache
= "Enable" .

Usage

During login at a particular target, you see confirmation of the caching storage in the RDP initialization console of each application cached.

User Experience

Script windows and the application interface are displayed briefly as the automation proceeds, and stops showing changes when the script completes.

Following selection of the RDP Application link PuTTY, the user sees this sequence following login at the RDP server host:

The console for the RDP session initialization appears.

The console for the transparent login agent (TLA) that is running on the local virtual drive appears.

The RDP Application (PuTTY) is invoked, and (in this case) a configuration GUI is auto-populated and activated by the transparent login script, eventually invoking a second interface (the PuTTY console).

The RDP Application (PuTTY) invokes a new window (the console interface), and is auto-populated by the continuing transparent login script. After the script completes, the console interface is ready for User access.

Auditing

You can use logs and session recording for auditing access attempts.

Logs

Privileged Access Manager logs each access attempt, for example:

2016-03-11 01:16:27 super login Win 2008 R2 (32-bit) Xsuite user transparently logged into RDP Application "putty.exe" to "PuTTY Configuration" window as "dev"

Session Recording

A session recording marks the location of the secondary transparent login attempt. For RDP connections to Windows, these attempts are marked in the Events
list and by a red arrow on the timeline. You can see event detail as a tooltip from the line item in the Events
list, and in the Info
box at the lower left and in a pop-up window during cross-over on the timeline.

For transparent login activity to be successfully recorded when the User has Internet Explorer, the administrator must configure all equivalent Privileged Access Manager addresses. Example: A cluster VIP name and VIP address in the browser security settings. See Set Up Session Recording.

Set Up Transparent Login for RDP Servers

CA Privileged Access Manager - 3.3.1

Configure Windows Transparent Login