Symantec Privileged Access Management

  • 1.  Locked Target Account in CA PAM

    Posted Apr 06, 2018 10:46 AM

    We are facing an issue where our LDAP bind account is getting locked in Active Directory frequently, and PAM is unable to verify the credential if the account is locked at the target.


    Can someone please help and let us know how to handle locked target accounts in CA PAM? Nothing is showing in the PAM logs, nor in the Windows event logs from AD. How do we handle this scenario?



  • 2.  Re: Locked Target Account in CA PAM

    Broadcom Employee
    Posted Apr 06, 2018 03:58 PM

    Hi Bipin, Can you clarify the problem? Do you think PAM is the cause of the account getting locked? If so, what is the evidence? Is the account managed through PAM, meaning PAM rotates the password of this account regularly, or is the password changed outside of the control of PAM?



  • 3.  Re: Locked Target Account in CA PAM

    Posted Apr 06, 2018 04:12 PM

    The account is managed through PAM, and the password also gets rotated via PAM. We assume that PAM is causing the account to be locked. No one outside has access to this account.



  • 4.  Re: Locked Target Account in CA PAM
    Best Answer

    Broadcom Employee
    Posted Apr 12, 2018 12:30 PM

    Hi Bipin,  

    How often is the account getting rotated? Is it within the scope of your policies for password rotation? How many failed logins are allowed on Active Directory before an account is locked out?


    You might have to open a support ticket to track this down.

    You can change the following log levels and monitor until you get another lockout. Then, after the new lockout, collect the logs.bin and the catalina.out, and change the levels back to avoid getting large log files.

    Tomcat Log Level: Config

    LDAP Sync Log Level: Verbose.

    When you submit the logs, let the support person know the date and time of the account lockout.
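
The answer above asks what the AD lockout threshold is and when the account is rotated. The following PowerShell is an added diagnostic example (not from this thread, and not Broadcom or CA PAM code) that answers those two questions from the AD side: it reads the domain lockout policy and then queries every domain controller for the bind account's bad-password counters, because badPwdCount and the last bad-password time are kept per DC and not replicated. It assumes the ActiveDirectory RSAT module is installed, the caller can read the bind account's attributes, and that the placeholder value of $BindAccount is replaced with the real sAMAccountName of the PAM LDAP bind account.

```powershell
# Added diagnostic example; not code from the thread or from CA PAM.
# Assumes the ActiveDirectory module (RSAT) and read access to the bind account.
Import-Module ActiveDirectory

# Placeholder: replace with the sAMAccountName of the PAM LDAP bind account.
$BindAccount = 'PLACEHOLDER-pam-bind-account'

# 1. Domain lockout policy: how many bad passwords are tolerated, within what
#    observation window, and how long the lockout lasts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 2. badPwdCount / LastBadPasswordAttempt are per-DC and not replicated, so query
#    each DC to see which one is actually receiving the failed binds, and compare
#    the bad-password time with pwdLastSet (the last rotation by PAM).
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    Get-ADUser -Identity $BindAccount -Server $dc.HostName `
        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut, lockoutTime, pwdLastSet |
        Select-Object `
            @{ n = 'DC';          e = { $dc.HostName } },
            badPwdCount,
            LastBadPasswordAttempt,
            LockedOut,
            @{ n = 'lockoutTime'; e = { if ($_.lockoutTime -gt 0) { [DateTime]::FromFileTime($_.lockoutTime) } } },
            @{ n = 'pwdLastSet';  e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}
```

Read the output alongside the PAM log levels suggested above: the DC with the non-zero badPwdCount is the one whose logs and client connections are worth examining, and if LastBadPasswordAttempt lands shortly after pwdLastSet, something is still presenting the pre-rotation password after PAM changed it.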