Symantec Privileged Access Management

Tech Tip - CA PAM: Troubleshooting a failed A2A Request 

Mar 07, 2017 02:00 PM

Troubleshooting a failed A2A Request
Here are the possible status codes returned from a request for credentials by the PAM A2A client:
400 - Success


Problems with communication:
401 - Failed to authenticate with the Password Authority service
402 - Unable to establish connection with client daemon
403 - Not authorized (for client daemon)
404 - Unable to establish connection with Password Authority Server
Troubleshooting these:
There may be a problem with the digest key that was set up when the A2A client first registered with the PAM server.  Perhaps your A2A client had been pointing to a different server and you are trying to point it to a new server. Perhaps you have upgraded the machine hosting your A2A client, and the hardware fingerprint has changed.
Try this first:
Invoke the 'Update Client Key' command (button on the A2A->Clients->client details page).


If that doesn't work, try this:
1.    Stop the client daemon
2.    Delete the cache file (%CSPM_CLIENT_HOME%\cspmclient\config\data\.cspmclient.dat)
3.    Deactivate the client in the server (A2A->Clients->client details page)
4.    Restart the client daemon


Communication to PAM is good, but A2A request fails:

405 - No data found for specified target alias
406 - Application error. See system log for details
407 - Invalid parameters specified
409 - Unauthorized script name
410 - Unauthorized execution path
411 - Unauthorized execution user ID
412 - Unauthorized request server


To troubleshoot these, look at the Failed A2A Client Request report on the Dashboard.
Date/Time         Client     Alias    Script Name  Execution User ID  Error Code
2017-03-07 11:59  IPaddress  MyAlias  MyApp        MyUser             409

Click on the underlined Date/Time - it is actually a link to more details about the failure:
Account Request Details - These are the details that the PAM server received for the request. They may not be the same as what you have authorized on the Mappings tab. For a 409, you may find that PAM received a different script name, or quite simply, after working hard to get your application integrated with the PAM client, you may have completely forgotten to add an authorization mapping for it. That is quite common.
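
The comparison described above (what PAM received versus what the Mappings tab authorizes), as an added example that is not part of the original tech tip and is not CA PAM's own tooling. The tab-separated export layout, the simplified alias -> (script, user) mapping model, the function names and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Constructed rows in the report's column order; a tab-separated export is assumed.
REPORT = (
    "2017-03-07 11:59\t192.0.2.10\tMyAlias\tMyApp\tMyUser\t409\n"
    "2017-03-07 12:03\t192.0.2.10\tBillingDb\tnightly.sh\tsvc_batch\t411\n"
    "2017-03-07 12:10\t192.0.2.11\tNewAlias\tReportGen\tsvc_report\t409\n"
    "2017-03-07 12:15\t192.0.2.11\tMyAlias\tMyApplication\tMyUser\t410\n"
)
# Constructed, simplified copy of the Mappings tab: alias -> authorized (script, user).
MAPPINGS = {
    "MyAlias": [("MyApplication", "MyUser")],
    "BillingDb": [("nightly.sh", "svc_billing")],
}
COLUMNS = ["when", "client", "alias", "script", "user", "code"]
# Report column each status code concerns, and its position in a mapping pair.
CHECKED = {"409": ("script", 0), "411": ("user", 1)}


def diagnose(row, mappings):
    """Return (verdict, detail) for one failed-request row."""
    if row["code"] not in CHECKED:
        # 410, 412 and the others concern values that are not report columns.
        return ("see-details", "open the Date/Time link for Account Request Details")
    field, idx = CHECKED[row["code"]]
    authorized = mappings.get(row["alias"])
    if not authorized:
        # The "forgot to add an authorization mapping" case.
        return ("missing-mapping", f"no authorization mapping for alias {row['alias']}")
    allowed = sorted({pair[idx] for pair in authorized})
    if row[field] in allowed:
        return ("see-details", f"{field} {row[field]!r} is authorized; check other fields")
    # The "PAM received a different value than was authorized" case.
    return ("mismatch", f"PAM received {field} {row[field]!r}, mappings authorize {allowed}")


def triage(report_text, mappings):
    """Parse the exported report and diagnose every row."""
    reader = csv.DictReader(io.StringIO(report_text), fieldnames=COLUMNS, delimiter="\t")
    return [(r["when"], r["alias"], r["code"]) + diagnose(r, mappings) for r in reader]


if __name__ == "__main__":
    for line in triage(REPORT, MAPPINGS):
        print(" | ".join(line))
```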
