diff --git a/server/shadow/X11/x11_shadow.c b/server/shadow/X11/x11_shadow.c

index e6a67b15d..924a8f415 100644

--- a/server/shadow/X11/x11_shadow.c

+++ b/server/shadow/X11/x11_shadow.c

@@ -23,6 +23,7 @@

 #include <stdlib.h>

 #include <string.h>

 #include <unistd.h>

+#include <grp.h>

 #include <sys/ipc.h>

 #include <sys/shm.h>

@@ -158,6 +159,8 @@ static int x11_shadow_pam_authenticate(rdpShadowSubsystem* subsystem, rdpShadowC

 	SHADOW_PAM_AUTH_INFO info = { 0 };

 	WINPR_UNUSED(subsystem);

 	WINPR_UNUSED(client);

+    struct group *eff_group;

+    int real_gid, init_eff_gid, re;

 	if (!x11_shadow_pam_get_service_name(&info))

 		return -1;

@@ -175,21 +178,26 @@ static int x11_shadow_pam_authenticate(rdpShadowSubsystem* subsystem, rdpShadowC

 		return -1;

 	}

+	/* setegid with group chkpwd to check passwords by pam_tcb */

+	real_gid = getgid();

+	eff_group = getgrnam("chkpwd");

+	if (eff_group != NULL) {

+		init_eff_gid = eff_group->gr_gid;

+		re = setegid(init_eff_gid);

+		if (re == -1)

+			WLog_ERR(TAG, "pam_authenticate setegid(%d) failed", init_eff_gid);

+	}

+

 	pam_status = pam_authenticate(info.handle, 0);

 	if (pam_status != PAM_SUCCESS)

 	{

+		setegid(real_gid);

 		WLog_ERR(TAG, "pam_authenticate failure: %s", pam_strerror(info.handle, pam_status));

 		return -1;

 	}

-	pam_status = pam_acct_mgmt(info.handle, 0);

-

-	if (pam_status != PAM_SUCCESS)

-	{

-		WLog_ERR(TAG, "pam_acct_mgmt failure: %s", pam_strerror(info.handle, pam_status));

-		return -1;

-	}

+	setegid(real_gid);

 	return 1;

 }