Symantec Privileged Access Management


Active Directory Account in CA PAM

  • 1.  Active Directory Account in CA PAM

    Posted Jun 13, 2018 12:29 PM

    Hi,

     

    Can I have the same AD account on-boarded in two standalone CA PAM instances and keep the same password between the two PAM instances? How can we reconcile AD accounts?



  • 2.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:12 PM

    Just curious - what is the reason behind this query?

    Kirk



  • 3.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:17 PM

    We have three separate environments for PAM, but only one AD domain, and we would like to manage devices per environment with a single authentication source.



  • 4.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:26 PM

    I take it you'd be creating separate AD branches to contain the environment-specific users, devices.  Perhaps you could create an admin account for each branch.  Regardless, I can see how there would be challenges.

    Kirk



  • 5.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:41 PM

    Hi Kirk,

    The user node is the same in AD, and the same account is used across all devices to access and log in. For example, User1 will use the x_user1 account to log in to the dev Windows machine and the prod Windows machine.



  • 6.  Re: Active Directory Account in CA PAM

    Broadcom Employee
    Posted Jun 13, 2018 01:13 PM

    Hi Bipin, There is no built-in mechanism in PAM to GET password updates from other credential sources. It would require an external tool that uses API calls to retrieve target account passwords from the PAM instance that manages the accounts, and set the passwords on the other PAM instance if the current password there doesn't match.



  • 7.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:22 PM

    Thank you Ralf, we use individual user AD accounts to log in to all Windows machines, and the same account can't be managed in two separate PAM instances because the credential manager passwords will go out of sync.

    Can we run any external job from PAM which triggers whenever a password change occurs in one PAM and updates the password in the other PAM?



  • 8.  Re: Active Directory Account in CA PAM

    Broadcom Employee
    Posted Jun 13, 2018 01:28 PM

    Bipin, You can integrate PAM with a syslog server which will get messages when an account password is updated.



  • 9.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:32 PM

    Splunk is configured as the syslog server, but it is very hard to keep track of thousands of accounts at a time.



  • 10.  Re: Active Directory Account in CA PAM

    Broadcom Employee
    Posted Jun 13, 2018 01:46 PM

    If you configure a workflow in Splunk that spawns a task whenever a password update event is received, the task would get the new password from the PAM server that updated the password and publish it to the others. Once it works it shouldn't matter much how many accounts you have.



  • 11.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 02:11 PM

    You mean to utilize Splunk for getting the recent password and updating it on the other PAM instance. Not sure if that is possible with the current Splunk infrastructure.



  • 12.  Re: Active Directory Account in CA PAM

    Broadcom Employee
    Posted Jun 13, 2018 03:26 PM

    No, that's not what I meant. I meant for Splunk to launch a task/command when a password update message is received. That external command would be your custom application that gets the password from one PAM server and sends it to the others.
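
The event-driven flow described in this thread (syslog event from the PAM that rotated the password, an external task that reads the new value from that instance and sets it on the others only when they differ), as an added illustration that is not CA/Broadcom code or a supported integration. The syslog line shape, the `PamInstance` class (an in-memory stand-in for the PAM API the real task would call) and the account and host names are all constructed assumptions:

```python
"""Event-driven password reconciliation between two standalone PAM instances.

Added example, not CA PAM code. The syslog message format, the PamInstance
class and every account/host name below are assumptions; a real task would
replace PamInstance with calls to the PAM API of each appliance.
"""
import hmac
import re
from dataclasses import dataclass, field

# Assumed shape of a password-update syslog line (constructed for this example).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pam: PasswordUpdated "
    r"account=(?P<account>\S+) device=(?P<device>\S+)$"
)


@dataclass
class PasswordEvent:
    ts: str
    source_host: str   # the PAM instance that performed the rotation
    account: str
    device: str


def parse_event(line: str):
    """Return a PasswordEvent for a password-update line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return PasswordEvent(m["ts"], m["host"], m["account"], m["device"])


@dataclass
class PamInstance:
    """In-memory stand-in for one PAM appliance's credential vault (assumption)."""
    name: str
    vault: dict = field(default_factory=dict)   # (account, device) -> password
    set_calls: int = 0                           # counts writes, for idempotency checks

    def has_account(self, account, device):
        return (account, device) in self.vault

    def get_password(self, account, device):
        return self.vault[(account, device)]

    def set_password(self, account, device, password):
        self.set_calls += 1
        self.vault[(account, device)] = password


def reconcile(event, instances):
    """Copy the rotated password to every other instance that manages the
    same account, skipping targets that already hold it. Returns the names
    of the instances that were updated; the password value is never logged."""
    source = instances[event.source_host]
    new_pw = source.get_password(event.account, event.device)
    updated = []
    for name, target in instances.items():
        if name == event.source_host:
            continue
        if not target.has_account(event.account, event.device):
            continue   # not onboarded there; nothing to reconcile
        current = target.get_password(event.account, event.device)
        # Constant-time comparison so the check leaks nothing about the secret.
        if hmac.compare_digest(current.encode(), new_pw.encode()):
            continue   # already in sync; avoid a needless write
        target.set_password(event.account, event.device, new_pw)
        updated.append(name)
    return updated


def process_log(lines, instances):
    """Feed syslog lines through the parser and reconcile each update event.
    Returns a list of (account, device, updated_instances) in log order."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.source_host not in instances:
            continue   # unrelated message or unknown source host
        results.append((ev.account, ev.device, reconcile(ev, instances)))
    return results


def demo():
    """Constructed scenario: preprod rotated x_user1, prod still holds the old value."""
    preprod = PamInstance("pam-preprod", {("x_user1", "corp.example"): "NewPw-2"})
    prod = PamInstance("pam-prod", {("x_user1", "corp.example"): "OldPw-1"})
    instances = {preprod.name: preprod, prod.name: prod}
    lines = [
        "2018-06-13T12:29:00Z pam-preprod pam: PasswordUpdated account=x_user1 device=corp.example",
        "2018-06-13T12:29:05Z pam-preprod sshd: unrelated message",
        "2018-06-13T12:30:00Z pam-preprod pam: PasswordUpdated account=x_user1 device=corp.example",
    ]
    return process_log(lines, instances), prod


if __name__ == "__main__":
    results, prod = demo()
    print(results, "prod writes:", prod.set_calls)
```

The second, duplicate event in the constructed log produces no write on `pam-prod`, which is the property to keep when Splunk re-fires an alert; the task only ever holds the password in memory and reports instance names, not values.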



  • 13.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 04:13 PM

    Got it. Let me try that option. Meanwhile, if you see the same scenario with another customer, please let me know the solution if anything else can be done. Thanks again.



  • 14.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:21 PM

    Just to be clear - is the AD Account being onboarded from a single AD Domain by two standalone (separate) PAM instances (i.e. Clusters)?  I cannot grasp why this would be needed or possible.

    Kirk



  • 15.  Re: Active Directory Account in CA PAM

    Posted Jun 13, 2018 01:24 PM

    Yes, same single AD domain and same AD account. We want to separate the servers based on environment, like preprod and prod.



  • 16.  Re: Active Directory Account in CA PAM
    Best Answer

    Broadcom Employee
    Posted Jun 20, 2018 10:25 AM

    BipinSh

     

    I would think that is outside the scope of what CA PAM can do. As, I believe, Ralf mentioned, you may be able to script or code a process to synchronize the password change, but that is not something CA would support and could cause confusion in the future. It is not recommended that any two separate (not in the same cluster) PAM appliances manage or rotate credentials.

     

    Joe