I created a new PAM server to mirror a test PAM server and created a rule to audit user logins via RDP (Direct RDP Session). However, authentication always fails. I've looked at the settings on both the old and new servers and they all match, so I'm stumped as to what the problem is.

The rule in question:


The "Data Center" group mirrors what is on the old PAM Server, as does the Windows wcc credential. unifid.log from the new PAM server shows:
Wed May 30 12:22:13 2018, 78, 1433954048, 2908, Info, cmdctrl request denied for '<rdpDirect> WCC\C00000039@v3tsw00422' from C00000039@v3tsw00422
while unifid.log from the old PAM server shows:
Wed May 30 12:18:44 2018, 886, 1262679808, 13775, Info, cmdctrl request accepted for '<rdpDirect> WCC\C00000039@v3tsw00421' from C00000039@v3tsw00421 as wcc\SubmitUser@v3tsw00421
Anyone have any ideas? Both the old and new wcc domain have the SubmitUser credential.
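A way to line up the two unifid.log entries quoted above side by side, as an added example that is not part of the original post and not vendor code. The line layout is inferred only from those two entries; the three numeric columns are carried through without interpretation, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# The two unifid.log lines quoted in the post, embedded so the script runs offline.
SAMPLE_LOG = r"""Wed May 30 12:22:13 2018, 78, 1433954048, 2908, Info, cmdctrl request denied for '<rdpDirect> WCC\C00000039@v3tsw00422' from C00000039@v3tsw00422
Wed May 30 12:18:44 2018, 886, 1262679808, 13775, Info, cmdctrl request accepted for '<rdpDirect> WCC\C00000039@v3tsw00421' from C00000039@v3tsw00421 as wcc\SubmitUser@v3tsw00421
"""

# Assumed layout: timestamp, three numeric columns (meaning unknown), level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[^,]+), (?P<n1>\d+), (?P<n2>\d+), (?P<n3>\d+), (?P<level>\w+), "
    r"cmdctrl request (?P<verdict>accepted|denied) for '(?P<request>[^']*)' "
    r"from (?P<requester>\S+)(?: as (?P<run_as>\S+))?$"
)


def parse_cmdctrl(text):
    """Return one dict per cmdctrl accept/deny line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())  # run_as is None when no "as ..." suffix
    return events


def split_verdicts(events):
    """Map each requesting user to the hosts where it was accepted and denied,
    keeping only users that have both outcomes."""
    by_user = defaultdict(lambda: {"accepted": [], "denied": []})
    for event in events:
        user, _, host = event["requester"].partition("@")
        by_user[user][event["verdict"]].append(host)
    return {u: v for u, v in by_user.items() if v["accepted"] and v["denied"]}


if __name__ == "__main__":
    parsed = parse_cmdctrl(SAMPLE_LOG)
    for event in parsed:
        print(event["ts"], event["verdict"], event["requester"],
              "run as:", event["run_as"] or "(none logged)")
    for user, hosts in split_verdicts(parsed).items():
        print(user, "accepted on", hosts["accepted"], "denied on", hosts["denied"])
```

On these two lines the only structural difference is that the accepted entry ends with an "as wcc\SubmitUser@v3tsw00421" credential while the denied entry logs none.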