Symantec Privileged Access Management

Tech Tip - CA PAM: Troubleshooting a failed A2A Request 

03-07-2017 02:00 PM

Troubleshooting a failed A2A Request
Here are the possible status codes returned from a  request for credentials by the PAM A2A client:
400 - Success


Problems with communication:
401 - Failed to authenticate with the Password Authority  service
402 - Unable to establish connection with client daemon
403 - Not authorized (for client daemon)
404 - Unable to establish connection with Password Authority Server
Troubleshooting these:
There may be a problem with the digest key that was set up when the A2A client first registered with the PAM server.  Perhaps your A2A client had been pointing to a different server and you are trying to point it to a new server. Perhaps you have upgraded the machine hosting your A2A client, and the hardware fingerprint has changed.
Try this first:
Invoke the 'Update Client Key' command (button on the A2A->Clients->client details page


If that doesn't work, try this:
1.    Stop the client daemon
2.    Delete the cache file (%CSPM_CLIENT_HOME%\cspmclient\config\data\.cspmclient.dat)
3.    Deactivate the client in the server (A2A->Clients->client details page)
4.    Restart the client daemon


Communication to PAM is good, but A2A request fails:

405 - No data found for specified target alias
406 - Application error. See system log for details
407 - Invalid parameters specified
409 - Unauthorized script name
410 - Unauthorized execution path
411 - Unauthorized execution user ID
412 - Unauthorized request server


To troubleshoot these,  look at the Failed A2A Client Request report on the Dashboard.
Date/Time    Client        Alias    Script Name    Execution User ID    Error Code
2017-03-07 11:59    IPaddress    MyAlias         MyApp    MyUser            409

Click on the underlined Date/Time - it is actually a link to more details about the failure:
Account Request Details    -  These are the details that the PAM server received for the request.  They may not be the same as you have authorized on the Mappings tab.   For a 409, you may find out that PAM received a different script name, or quite simply, after working hard to get your application integrated with the PAM client, you may have completely forgotten to add an authorization mapping for it.  That is quite common.

0 Favorited
0 Files

Tags and Keywords


04-10-2018 03:13 PM

If an A2A client stops working and you find errors in the client log cspmclient/log/cspm_client_log.txt like

WARNING: Mon April 09 21:00:28.184 GMT-00:00 2018 CSPMService::doPost. Failed to process event: UNKNOWN, exception: null
[Fatal Error] :1:1: Content is not allowed in prolog. ...


following the procedure above, steps 1-4, likely will resolve the problem. This was observed on some A2A clients after a PAM server upgrade.

03-07-2017 02:22 PM

Thank you for sharing this tip with the community Margaret!

Tech Tip - CA PAM: Troubleshooting a failed A2A Request 

Related Entries and Links

No Related Resource entered.