Symantec Privileged Access Management

  • 1.  domain account login issue to member server of domain

    Posted Dec 15, 2015 06:39 AM

    1. Env
    1) AD with domain jp.com
    - Windows 2008 R2 Enterprise sp1
    - CA ControlMinder 12.8

    2) Member server of Domain jp.com
    - Windows 2008 R2 Enterprise sp1
    - CA ControlMinder 12.8

    3) Client PC
    - Windows 7


    2. test case
    1) The client PC logs in to the member server over Remote Desktop as a domain account that is a member of the Remote Desktop Users group
    2) Got the error as follows
    - "Login failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced"



  • 2.  Re: domain account login issue to member server of domain

    Broadcom Employee
    Posted Dec 17, 2015 12:22 PM

    jpjung.1 Good morning. I want to make sure I understand the context of your issue. Is this SAM related, utilizing a proxy server? Is the issue that after deploying the 12.8 agent on the Windows member server you are no longer able to log in with a domain account? If the latter, is login successful once the agent is shut down? What logs, if any, are you able to get from the PIM agent when a login attempt is made, and from the native system event logs?



  • 3.  Re: domain account login issue to member server of domain

    Posted Dec 18, 2015 04:23 AM

    This issue is the latter. Login is successful if the agent on the AD server is stopped.

    When the agent on the AD server is started and I try to log in to the member server, there is no log in either the PIM agent log or the system event log on the member server.



  • 4.  Re: domain account login issue to member server of domain

    Broadcom Employee
    Posted Dec 23, 2015 08:44 PM

    The behavior as noted in the additional replies is extremely unusual for a default agent deployment. Are there any post-installation configurations you performed, i.e. rule modifications? Are you already working with support on this item, with configurations uploaded?

    To better evaluate:

    Turn on tracing on the endpoint

    Attempt login

    Turn off tracing on the endpoint

    This will expose whether the interaction is taking place at the agent and what the response is. I'm a bit perplexed that the seaudit log is showing no entry, as by default a Login action (Permit or Deny) should be getting logged. Further review of the trace and endpoint configuration would be needed to pinpoint the issue.

    I'll touch base again after the holiday to see if you have made any headway.



  • 5.  Re: domain account login issue to member server of domain

    Posted Dec 22, 2015 04:08 AM

    Hello jpjung.1

    What are the policies applied on TCP or LOGINAPPL in the ControlMinder environment?

    The out-of-the-box rules do not block any access, and the _default rule for everything is permit.

    If stopping the agent solves the issue, it must be some rule that prevents RDP.

    thanks



  • 6.  Re: domain account login issue to member server of domain

    Posted Dec 23, 2015 07:13 PM

    No, there are no policies on TCP, LOGINAPPL, or TERMINAL.

    thanks,



  • 7.  Re: domain account login issue to member server of domain

    Posted Dec 23, 2015 08:04 PM

    Well, this does not happen with a usual installation of CA ControlMinder; the _default in every class action is permit.

    Try to remove all the policies you have applied in order to find out what drives the endpoint to act like that.
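    The diagnostic sequence suggested in replies 4, 5 and 7 (trace around one login attempt, then check the audit log, the native Security log and the rules in the TERMINAL, LOGINAPPL and TCP classes), written up as a PowerShell script for the Windows 2008 R2 member server. This is an added example and is not code from the thread or from CA/Broadcom. It assumes the ControlMinder agent is installed under `C:\Program Files\CA\AccessControl`, that `secons -tr+` / `secons -tr-` toggle tracing, that `seaudit -a` dumps the audit log, that `selang -f <file>` runs commands from a file and that `sr` (showres) lists the resources of a class; verify each of these against the documentation for your own 12.8 build before relying on it. The `LOGIN|TERMINAL|TCP` trace filter is a guess at useful keywords, not a documented format.

    ```powershell
    # Added example: trace one RDP login attempt through the ControlMinder agent
    # and collect the evidence the thread asks for. Paths and tool flags below are
    # assumptions about the 12.8 Windows agent; adjust to your installation.
    param(
        [string]$AcRoot = 'C:\Program Files\CA\AccessControl'   # assumed install root
    )

    $secons   = Join-Path $AcRoot 'bin\secons.exe'
    $seaudit  = Join-Path $AcRoot 'bin\seaudit.exe'
    $selang   = Join-Path $AcRoot 'bin\selang.exe'
    $traceLog = Join-Path $AcRoot 'log\seos.trace'            # assumed trace file location

    foreach ($tool in $secons, $seaudit, $selang) {
        if (-not (Test-Path $tool)) { throw "Not found: $tool (check `$AcRoot)" }
    }

    # Remember when the window opened so the native event query can be bounded.
    $windowStart = Get-Date

    # Step 1: turn tracing on (assumed flag).
    & $secons -tr+
    Write-Host "Tracing is on. Attempt the Remote Desktop login from the client PC now,"
    Write-Host "then press Enter here to stop tracing."
    [void](Read-Host)

    # Step 3: turn tracing off (assumed flag).
    & $secons -tr-

    # Step 4: show the trace lines written during the window that look login-related.
    Write-Host "`n=== seos.trace (login/terminal/tcp lines, last 40) ==="
    if (Test-Path $traceLog) {
        Get-Content $traceLog |
            Select-String -Pattern 'LOGIN|TERMINAL|TCP' |
            Select-Object -Last 40
    } else {
        Write-Warning "Trace file $traceLog not found; check the agent's configured trace path."
    }

    # Step 5: audit records. By default a Login Permit/Deny should appear here;
    # an empty result for the attempt is itself a finding (see reply 4).
    Write-Host "`n=== seaudit -a (last 20 records) ==="
    & $seaudit -a | Select-Object -Last 20

    # Step 6: native Security log. Event 4625 is a failed logon on Windows; the
    # "user account restriction" text in the thread maps to its status field.
    Write-Host "`n=== Security log: failed logons (4625) since $windowStart ==="
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $windowStart } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    # Step 7: dump the classes asked about in replies 5 and 6 so the effective
    # rules (and the _default record of each class) can be reviewed offline.
    $cmdFile = Join-Path $env:TEMP 'ac_dump_classes.txt'
    @(
        'sr TERMINAL',
        'sr LOGINAPPL',
        'sr TCP'
    ) | Set-Content -Path $cmdFile -Encoding ASCII
    Write-Host "`n=== selang: TERMINAL / LOGINAPPL / TCP resources ==="
    & $selang -f $cmdFile
    Remove-Item $cmdFile -ErrorAction SilentlyContinue
    ```

    Run it in an elevated PowerShell prompt on the member server, perform the RDP attempt while it waits, and keep the three outputs (trace excerpt, audit records, class dump) together; if the trace shows no activity for the attempt at all, the block is happening before the request reaches the agent on that host, which matches the observation in reply 3 that stopping the agent on the AD server, not on the member server, changes the outcome.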



  • 8.  Re: domain account login issue to member server of domain

    Broadcom Employee
    Posted Jan 05, 2016 06:06 AM

    jpjung.1, is your question answered? If yes, can you please mark it as answered?