While logged on to CA PAM as a global administrator using Firefox ESR 52 an attempt to enable a disabled user imported from Active Directory fails. After clicking the Save button, the following message pops up: "Passwords do not match" and the user update is not saved.
There is no problem saving the change when using the CA PAM client or IE11 to connect to CA PAM.
For an imported user the details page hides the password fields as the password is not stored in PAM, but the fields still exist in the form. They should be empty for an imported user, and this is true when connected via the CA PAM client or via IE11, but Firefox populates one of them automatically with a saved password causing a mismatch.
Under Firefox Security options either uncheck "Remember logins for sites" or add exceptions for your CA PAM hosts. We recommend to never let a browser save credentials for logon to PAM.