Browser-Based Session Access
Section: Operations | Article 55
Audience: System Administrators, End Users
Last Updated: 2026-04-08
Overview
RP-PAM provides browser-based SSH and RDP sessions directly in the web portal. After your access request is approved, click Connect on the active grant to open a terminal (SSH) or remote desktop (RDP) in your browser tab. No PuTTY, mstsc.exe, or any client software is needed.
All session traffic routes through RP-PAM's proxy — your browser never connects directly to the target server. Credentials are injected by RP-PAM from the vault, so you never see or type the target password.
How It Works
```
Your Browser             RP-PAM Server                  Target Server
|                              |                              |
|  1. Click "Connect"          |                              |
|----------------------------->|                              |
|                              |  2. Retrieve credentials     |
|                              |     from vault               |
|                              |                              |
|  3. WebSocket established    |  4. SSH/RDP connection       |
|<---------------------------->|<---------------------------->|
|                              |                              |
|  5. All traffic proxied      |  5. All traffic proxied      |
|     and recorded             |     and recorded             |
```
SSH Sessions
When you connect to an SSH resource, the portal opens an interactive terminal powered by xterm.js:
- Full terminal emulation: colours, tab completion, vi/nano, scrollback
- Copy/paste: Ctrl+C/Ctrl+V (subject to clipboard policy)
- Resize: terminal automatically fits the browser window
- Links: URLs in terminal output are clickable
The terminal theme matches RP-PAM's dark mode (charcoal background, silver text, red cursor).
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl+C | Send interrupt (standard terminal behaviour) |
| Ctrl+V | Paste from clipboard (if policy allows) |
| Ctrl+Shift+C | Copy selection to clipboard |
| Right-click | Paste (alternative) |
RDP Sessions
When you connect to an RDP (Windows Remote Desktop) resource, the portal opens a full graphical desktop session:
- Full desktop: same experience as the native Remote Desktop client
- Keyboard and mouse: all input forwarded to the remote desktop
- Display scaling: adapts to your browser window size (max 1920x1080 by default)
- Clipboard: copy/paste between your workstation and the remote desktop (subject to policy)
- File transfer: upload/download files via the Guacamole file panel (subject to policy)
Resolution and Quality
The RDP session uses the resolution and colour depth configured by your administrator:
| Setting | Default | Configurable |
|---|---|---|
| Max width | 1920 px | Yes |
| Max height | 1080 px | Yes |
| Colour depth | 24-bit | Yes (8, 16, 24, 32) |
RDP Target Server Prerequisites
For browser-based RDP sessions to work, the target Windows servers must allow RP-PAM's managed accounts to log on via Remote Desktop. This is a one-time setup per target server or group of servers.
Option 1: Group Policy (Recommended for Multiple Servers)
Use Group Policy to add your RP-PAM resource groups to the local Remote Desktop Users group on all managed servers.
- Open Group Policy Management on your domain controller
- Create or edit a GPO linked to the OU containing your target servers
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Click Add Group and enter `Remote Desktop Users`
- Under Members of this group, add the AD security groups that RP-PAM assigns managed accounts to (e.g., `Finance-Admins`, `IT-Admins`)
- Run `gpupdate /force` on the target servers or wait for the next Group Policy refresh
After this, any managed account added to one of these groups during access provisioning will automatically have RDP access to the target servers.
Option 2: Manual (Single Server)
On the target server, run as Administrator:
For example:
Authentication
RP-PAM uses Windows SSPI for RDP authentication, which negotiates Kerberos (AES-256) when available. The target server must have the TERMSRV/<hostname> SPN registered (this is automatic for domain-joined servers).
No legacy protocols (RC4, NTLM) are required for authentication. The RDP session is secured with:
- NLA (Network Level Authentication) with CredSSP
- TLS transport encryption
- Kerberos AES-256 authentication (via SSPI Negotiate)
Network Requirements
The RP-PAM server must be able to reach the target server on:
- TCP 3389 (RDP) from the RP-PAM server to the target
- TCP 636 (LDAPS) from the RP-PAM server to the domain controller (for credential management)
The end user's browser only connects to the RP-PAM portal (TCP 7101) — it never connects directly to the target server.
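The checks below cover Option 2 and the Authentication and Network Requirements sections for a single target, as an added PowerShell example that is not part of RP-PAM or its documentation. The domain CONTOSO, the host names and both function names are placeholders chosen here; the group names come from the Option 1 example.

```powershell
# Added example; CONTOSO, the host names and both function names are placeholders.
# Needs Windows PowerShell 5.1+ (LocalAccounts and NetTCPIP modules).

# Run on the target server, elevated, signed in with a domain account.
function Test-RdpTargetPrereq {
    param(
        [Parameter(Mandatory)][string[]]$Group,  # e.g. 'CONTOSO\IT-Admins'
        [switch]$Fix                             # add missing groups (Option 2)
    )
    # @() keeps this an array even when the group has zero or one member.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                 Select-Object -ExpandProperty Name)
    foreach ($g in $Group) {
        if ($Fix -and $members -notcontains $g) {
            Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $g
            $members += $g
        }
        [pscustomobject]@{ Check = "Remote Desktop Users contains $g"
                           Pass  = $members -contains $g }
    }
    # Kerberos needs the TERMSRV SPN, so look it up in AD rather than assume it.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    foreach ($spn in "TERMSRV/$env:COMPUTERNAME", "TERMSRV/$fqdn") {
        $hit = ([adsisearcher]"(servicePrincipalName=$spn)").FindOne()
        [pscustomobject]@{ Check = "SPN $spn registered"; Pass = $null -ne $hit }
    }
    # The RDP listener must be up before RP-PAM can connect.
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Listening on TCP 3389'; Pass = [bool]$listener }
}

# Run on the RP-PAM server: the two outbound paths under Network Requirements.
function Test-RpPamReachability {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$DomainController
    )
    $paths = @{ Name = $Target; Port = 3389 }, @{ Name = $DomainController; Port = 636 }
    foreach ($p in $paths) {
        $r = Test-NetConnection -ComputerName $p.Name -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $($p.Port) to $($p.Name)"; Pass = $r.TcpTestSucceeded }
    }
}

# Usage (placeholder names):
#   Test-RdpTargetPrereq -Group 'CONTOSO\Finance-Admins','CONTOSO\IT-Admins' -Fix
#   Test-RpPamReachability -Target 'srv01.contoso.example' -DomainController 'dc01.contoso.example'
```

If the server is also in scope of the Option 1 GPO, Restricted Groups reapplies its member list at every policy refresh, so a group added only with `-Fix` is removed again unless it is also listed in the GPO.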
Connecting to a Resource
Step 1 — Request Access
Navigate to Requests in the sidebar and submit an access request for the resource you need. Provide a justification if required by the policy.
Step 2 — Wait for Approval
If the policy requires approval, your request enters the approval workflow. You will be notified when it is approved or denied.
Step 3 — Click Connect
Once approved, the grant appears on your Dashboard under Active Grants. Click the Connect button to open the session.
The session opens in a new page within the portal. The session toolbar at the top shows:
- Status badge: Connecting → Connected → Disconnected
- Resource name: which resource you are connected to
- Elapsed timer: how long you have been connected
- Disconnect button: cleanly end the session
Step 4 — Work
Use the terminal or remote desktop as normal. Everything you do is proxied through RP-PAM.
Step 5 — Disconnect
Click Disconnect in the toolbar, or simply close the browser tab. The session is recorded and the recording is stored securely.
Session Policies
Your administrator may configure session policies that affect your experience:
| Policy | Options | What It Means |
|---|---|---|
| Clipboard | Allow all, paste-in only, copy-out only, disabled | Controls whether you can copy/paste between your workstation and the session |
| File transfer (RDP) | Allow all, upload only, download only, disabled | Controls whether you can transfer files via the Guacamole file panel |
| Session recording | Enabled / Disabled | Whether your session activity is recorded for audit |
| Max concurrent sessions | Configurable per policy | How many browser sessions you can have open simultaneously |
If a policy restricts clipboard or file transfer, the feature is silently disabled — you will not see an error, the data simply will not transfer.
Grant Expiry and Extensions
Active grants have a limited duration. As your grant approaches expiry:
| Time Remaining | Notification |
|---|---|
| 30 minutes | "Your access expires in 30 minutes" |
| 15 minutes | "Request an extension?" with an action button |
| 5 minutes | "Final warning — save your work" |
| At expiry | Session automatically terminated, grant revoked |
Requesting an Extension
If you need more time, click the extension link in the notification or navigate to your active grant and click Extend. You will be prompted for the additional time needed and a reason.
Extension requests enter the approval workflow:
- During business hours (if auto-approve is allowed by policy): may be approved automatically
- Outside business hours: always requires human approval
- If denied: the original expiry time applies — save your work
Session Recording
If recording is enabled for the resource, RP-PAM captures:
| Session Type | What Is Recorded |
|---|---|
| SSH | All terminal input and output (text stream) |
| RDP | Screen updates and input events (Guacamole protocol format) |
Password redaction: Password prompts are automatically detected and redacted in recordings. When you type a password at a Password: prompt, the recording stores [PASSWORD REDACTED] instead of the actual characters. Your live session works normally — only the recording is sanitized.
Recordings are encrypted at rest (AES-256-GCM) and retained according to your organisation's policy (default: 90 days).
Idle Timeout
SSH sessions have an idle timeout (default: 30 minutes). If no keystrokes or output occur for this period, the session is automatically disconnected. RDP sessions do not have an RP-PAM-level idle timeout — they follow the Windows idle/lock policy of the target server.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| "Connect" button not visible | Grant not active, or browser sessions disabled | Verify your grant is active and not expired |
| "Connection failed" error | Target server unreachable from RP-PAM | Contact your administrator — the target may be offline |
| Terminal appears but no prompt | SSH authentication failed | Contact your administrator — the stored credentials may need updating |
| RDP shows black screen | FreeRDP worker failed to render initial screen | Click Disconnect and Connect again; check RP-PAM system logs for frame errors |
| First connect fails, retry works | Previous RDP session still active on target | Wait a few seconds and click Connect again; RP-PAM retries automatically |
| RDP connect fails with "access denied" | Managed account not in Remote Desktop Users on target | Follow the GPO setup in "RDP Target Server Prerequisites" above |
| Clipboard paste does not work | Clipboard policy set to "disabled" or "copy-out only" | Contact your administrator about the clipboard policy |
| Session disconnects unexpectedly | Grant expired or idle timeout reached | Request an extension before expiry, or keep the session active |
| "Maximum concurrent sessions" error | Too many open sessions | Close an existing session before opening a new one |
Next Steps
- Access Requests — How to request access to resources
- Approval Workflows — Understanding the approval process
- Log Collection — Session events in the audit log
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.