Error Launching a PRA Session: Unauthorized: Failed to create a session
Delinea Platform (Secret Server) uses Privileged Remote Access (PRA), previously known as Remote Access Servers (RAS), to remotely launch sessions. These sessions are brokered by the PRA server(s) within your environment. If you get the error "Unauthorized: Failed to create a session" when launching an SSH session, check the following.
Browser Compatibility (Firefox issues)
There are intermittent issues with browser versions across the Delinea platform. While this is not recognized as an ‘official’ problem, try avoiding Firefox and use a Chromium-based browser instead.
Install Delinea Protocol Handler
The Delinea protocol handler should be installed on the machine you are launching the sessions from. You can download the handler from inside the Delinea platform, and you should be prompted to download the software when launching a session.
Managing Multiple Secret Server Instances with Protocol Handlers and Launchers | Delinea
SSH Installed on Linux Machine
Log into the server with the error and ensure the following requirements are met:
- PRA supports versions from OpenSSH_7.4p1, OpenSSL 1.0.2k-fips up to OpenSSH_8.x, OpenSSL 1.1.1k.
- The newest version of OpenSSH is 9.x. This version may function but is not yet fully supported.
- Older versions may still function but are not supported.
To check the version on your machine use the following command:
- ssh -V
To check SSHD is running and listening:
- netstat -plnt
Confirming that SSHD is running the correct version and listening on the right ports will validate that this is not your issue. The SSH port (typically port 22) needs to be configured the same in both the Delinea Platform and on the Linux machine you are launching the session to.
Checking the Target Server's Logs
Use the following commands to see the current logins for the server:
- Debian/Ubuntu
  - tail -f /var/log/auth.log
- RHEL/Redhat 7 & 8/Amazon
  - tail -f /var/log/secure
From the Delinea documentation:
Check if the user's request is getting to the target server.
- Run the command above
- From the web UI select the secret for the target server you are logged into.
- From the SSH shell check the logs:
  - Is the request showing up in the logs? If not, then check that the “Machine” data in the secret is correct.
Check if the user's request is being rejected:
- From the web UI select the secret for the target server you are logged into.
- From the SSH shell check the logs:
  - Does the log entry contain an error, e.g. “Invalid user”, “Incorrect password” or “Invalid public key”? If so, check the secret data and confirm the password, private/public key or key passphrase is correct.
Getting better error logs from this server can help troubleshoot this issue further.
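The two log checks above can be scripted. The following is an added example, not part of the Delinea documentation: it classifies what sshd logged for one source address. It assumes the connection arrives from the PRA server's address and that sshd uses OpenSSH's usual message wording ("Failed password", "Failed publickey"), which corresponds to the “Incorrect password” and “Invalid public key” cases above. The function names, addresses and log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify sshd log entries for one source address.
# Assumption: default OpenSSH log wording in auth.log / secure.

# Constructed sample log lines (documentation-range addresses, fake users).
sample_log() {
cat <<'EOF'
Mar  4 10:01:02 web01 sshd[2101]: Invalid user svc_pra from 192.0.2.10 port 50122
Mar  4 10:01:04 web01 sshd[2101]: Failed password for invalid user svc_pra from 192.0.2.10 port 50122 ssh2
Mar  4 10:02:11 web01 sshd[2110]: Failed password for deploy from 192.0.2.11 port 50130 ssh2
Mar  4 10:03:30 web01 sshd[2125]: Failed publickey for deploy from 192.0.2.12 port 50141 ssh2: RSA SHA256:CONSTRUCTED
Mar  4 10:04:45 web01 sshd[2133]: Accepted password for deploy from 192.0.2.13 port 50150 ssh2
Mar  4 10:05:00 web01 sshd[2140]: Connection closed by 192.0.2.14 port 50160 [preauth]
Mar  4 10:05:09 web01 sshd[2141]: Failed password for deploy from 192.0.2.110 port 50170 ssh2
EOF
}

# pra_triage LOGFILE SOURCE_IP -> prints a verdict for the latest attempt
pra_triage() {
    local log=$1 src=$2 lines
    # sshd lines only; -w -F matches the address literally and bounded by
    # non-word characters, so 192.0.2.11 does not also match 192.0.2.110.
    lines=$(grep -E 'sshd(\[[0-9]+\])?:' "$log" | grep -wF -- "$src" || true)
    if [ -z "$lines" ]; then
        echo "not-received"   # request never arrived: check "Machine" in the secret
        return 0
    fi
    # The last matching line wins, so the verdict reflects the newest attempt.
    printf '%s\n' "$lines" | awk '
        /Invalid user | for invalid user /   { v = "invalid-user"; next }
        /Failed password for /               { v = "failed-password"; next }
        /Failed publickey for /              { v = "failed-publickey"; next }
        /Accepted (password|publickey) for / { v = "accepted"; next }
        END { print (v == "" ? "received-no-auth-result" : v) }'
}

# Demo on the constructed log.
log=$(mktemp)
sample_log > "$log"
for ip in 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.99; do
    printf '%-12s %s\n' "$ip" "$(pra_triage "$log" "$ip")"
done
rm -f "$log"
```

On a real target, point `pra_triage` at `/var/log/auth.log` or `/var/log/secure` right after launching the session from the web UI.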