Symantec Privileged Access Management


  • 1.  Privileged Accounts in AD getting Locked

    Posted Sep 06, 2022 10:22 AM
    There are privileged accounts in Active Directory that are mainly used for RDP to servers. The Password View Policy is to "Change Password on Session End". Some admins do not log out from servers (they just close the session) but they log out from PAM, so the password for the privileged account is changed in AD. This is causing the privileged account to be locked out in AD as some server/s have the old password. Any best practice or suggestion to avoid this problem?

    Thanks in advance.


  • 2.  RE: Privileged Accounts in AD getting Locked

    Broadcom Employee
    Posted Sep 06, 2022 01:50 PM
    Hi Samer, I am not aware of disconnected RDP sessions causing account logouts. Do you have specific evidence that this is what is happening? The PAM account update process will start with two login attempts using the new password, which will fail. We've seen this action causing accounts to get locked, see KB 189158. Are the accounts configured to change their own password, or is a service account configured to do it?


  • 3.  RE: Privileged Accounts in AD getting Locked

    Posted Sep 07, 2022 09:16 AM
    Hi Ralf,
    Thank you for your response. Yes, we are facing the issue of Account Locked Out in AD if the user does not log off from the server but he logs out of PAM. AD Team confirmed that the account is locked out due to failed login attempts coming from servers. It is possible that the user is running a service/application with the privileged account. A service account is configured in PAM to change the password in AD. Account Lockout policy, in AD, is set to 5 failed attempts. Currently we have 2 users whose accounts are locked in AD and they have access to about 70 servers in PAM. We are trying to find out the list of servers, from AD, and log out the user, but it's a lengthy process. Any suggestions to avoid this issue will be helpful.
    Note: Windows UAC is enabled on the servers so for any admin task, the user has to provide the credentials that he copies from PAM.
    Thanks.



  • 4.  RE: Privileged Accounts in AD getting Locked

    Broadcom Employee
    Posted Sep 07, 2022 09:29 AM

    Samer,

    The reason you are getting lockouts is because any logged-in session has to renew its Kerberos Ticket Granting Ticket (TGT) periodically. If the account password is changed, the TGT cannot be renewed and must be reissued. When the session requests a new TGT it uses the user's long-term key, which is no longer valid because the password was changed. This is identified as a failed authentication attempt and after several retries will lock the account.

    There are ways to fix this by changing the expiration on the Kerberos tickets, but I would highly recommend not doing that to resolve this issue unless you really understand what you're doing.


    Fortunately this is a common issue for our customers that is easily resolved via group policy. Here are the GPO settings we recommend for any Windows servers that you will access via PAM:


    1. GPO: Set time limit for disconnected sessions
      1. Enabled
      2. 3 hrs
    2. GPO: Set time limit for active but idle Remote Desktop Sessions
      1. Enabled
      2. 3 hrs

    Obviously you will want to adjust for your environment; however, the critical one for your issue is #1. This causes disconnected sessions to be logged out after 3 hours (or whatever value you set). This prevents a disconnected session from trying to renew the TGT and causing a lockout.
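    The following PowerShell script is an added example from the editor, not code from this thread or from the PAM product. It does two things the thread calls for: it checks, on each server, whether the two GPO settings recommended above are actually in effect, and it lists any disconnected RDP sessions held by the affected account so an admin can find them without walking 70 servers by hand (the lookup problem described in reply 3). The server names and the account name are placeholders, and it assumes WinRM is enabled for the registry check and that the caller has rights to run quser against those servers. The two GPO settings write the DWORD values MaxDisconnectionTime and MaxIdleTime (in milliseconds) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; 3 hours is 10800000 ms.

```powershell
# Added example (editor's code, not from the thread or the PAM product).
# Audits the two RDS time-limit policies and lists disconnected RDP sessions
# for one account across a set of servers. Server and account names are
# assumed placeholders.
param(
    [string[]]$Servers         = @('SRV-APP01', 'SRV-DB01'),   # assumed server names
    [string]  $Account         = 'svc-pam-admin',              # assumed sAMAccountName
    [int]     $ExpectedLimitMs = 3 * 60 * 60 * 1000            # 3 hours, as recommended above
)

# Registry values written by the two GPO settings (milliseconds):
#   "Set time limit for disconnected sessions"                   -> MaxDisconnectionTime
#   "Set time limit for active but idle Remote Desktop sessions" -> MaxIdleTime
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdsTimeLimits {
    # Reads the policy values on a remote server over WinRM (assumed enabled).
    param([string]$Server)
    Invoke-Command -ComputerName $Server -ArgumentList $PolicyKey -ScriptBlock {
        param($Key)
        $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server               = $env:COMPUTERNAME
            MaxDisconnectionTime = $p.MaxDisconnectionTime   # $null when the GPO is not applied
            MaxIdleTime          = $p.MaxIdleTime
        }
    }
}

function Get-DisconnectedSessions {
    # Parses quser output. Columns: USERNAME SESSIONNAME ID STATE IDLE-TIME LOGON-TIME.
    # SESSIONNAME is blank for disconnected sessions, hence the optional group.
    param([string]$Server, [string]$User)
    $lines = & quser "/server:$Server" 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        if ($line -match '^\s*>?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)\s+(\S+)\s+(.+)$' -and
            $Matches[1] -ieq $User -and $Matches[4] -eq 'Disc') {
            [pscustomobject]@{
                Server    = $Server
                User      = $Matches[1]
                SessionId = [int]$Matches[3]
                IdleTime  = $Matches[5]
                LogonTime = $Matches[6].Trim()
            }
        }
    }
}

foreach ($server in $Servers) {
    $limits = Get-RdsTimeLimits -Server $server

    # Unset or 0 means "never": a disconnected session would stay logged on and
    # keep retrying TGT renewal with the old password after PAM rotates it.
    if (-not $limits.MaxDisconnectionTime -or $limits.MaxDisconnectionTime -gt $ExpectedLimitMs) {
        Write-Warning "${server}: MaxDisconnectionTime is '$($limits.MaxDisconnectionTime)' ms (expected <= $ExpectedLimitMs)."
    }
    if (-not $limits.MaxIdleTime -or $limits.MaxIdleTime -gt $ExpectedLimitMs) {
        Write-Warning "${server}: MaxIdleTime is '$($limits.MaxIdleTime)' ms (expected <= $ExpectedLimitMs)."
    }

    foreach ($s in Get-DisconnectedSessions -Server $server -User $Account) {
        Write-Output "${server}: session $($s.SessionId) for $($s.User) is disconnected (idle $($s.IdleTime), logon $($s.LogonTime))"
        # Once the admin confirms nothing is running in it, clear the session so it
        # stops retrying with the stale password:
        #   logoff $s.SessionId /server:$server
    }
}
```

    Run it from a management host before (or right after) a PAM session ends for the account; the warnings tell you which servers have not picked up the GPO, and the session list tells you where a stale logon is still sitting. The logoff command is left commented out on purpose so the script only reports until an admin has checked the session.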



  • 5.  RE: Privileged Accounts in AD getting Locked

    Broadcom Employee
    Posted Sep 13, 2022 08:09 AM
    Samer,

    Based on the description, a new feature in 4.1.1 may be helpful. There are now additional options to allow for some user control on idle connection timeouts. You might also want to look at implementing this feature after upgrading to 4.1.1.