We are trying to manage the password for the target server (Windows in our case) using CA PAM. We on-boarded the target server, created the account, application and policies as well, but the problem we are facing is that CA PAM is not able to generate the password after check-in/check-out. CA PAM is not able to manage the password for the target server. Every time the user checks out the account, we need to manually provide the password to the account and perform the verification step.
Thanks in advance,
When you mention it is not able to generate the password, does this only happen on check-in and check-out? I mean, if you open the account and generate a password, and then you try to make it update the target account and the password server, does it work? If it does not, what error do you find?
On the other hand, what kind of account is it (local, domain...) and how is the application configured for the target server? What kind of password view policy have you defined? Do you see any error in the Windows machine? Is the account able to change its own password?
Here the catalina log may help as well.
I mean, the first time we generate a password, PAM generates a password and updates the account at the server end, but after that, whenever we try to check in / check out the account, PAM displays the error "Account not sync, Password not verified".
The account is a domain account for which we have created a domain service application. We have created a password policy to change the password on view and on check-in/check-out.
I'll take it here the account is verified.
If you go to the account page and you try to change the account's password, what happens? Does it change the password or not? If this is a WDS application then Windows should be able to change the password as well. Does it happen?
Also check the catalina log and the AD log. These may help.
As Miquel said, the catalina (Tomcat) logs would be the place to check in PAM. First you should set the log level to INFO, then reproduce the issue. Then you can find errors like the one below which may tell you more about why it failed:
INFO: Failed authentication to Active Directory using account 'jondu01' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]' javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
In this case I got LDAP error code 49, with sub-error 52e. A quick Google search shows that this specific error means "Invalid credentials". After updating the credentials it works fine.
Or like this one:
SEVERE: Failed to update password in Active Directory javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'CN=administrator,CN=Users,DC=hilltop,DC=lab'
In this case I got error code 50 (INSUFF_ACCESS_RIGHTS), which means the account I tried to use for password rotation does not have the proper privileges.
If you choose to do this, remember to set the log level back to WARNING when you are done or you may run into HDD space problems!
In AD you would check the Event Viewer Security Log for logon events. It is a bit harder to check through AD though, because these are local logs on the DC, meaning you would need to check every DC for the log, and it will not go to the same one every time (unless there is only one DC in the environment).
You should also ensure that your AD is able to use LDAP over SSL (usually on port 636). If not, WDS will not work properly and would display generic messages like the ones you are seeing.
Hope this helps,
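As an added example (not code from this thread, from CA PAM, or from either of the posters), here is a small Python triage helper that reads catalina log lines like the two quoted above, pulls out the LDAP result code, the AD bind sub-code (the `data 52e` part) and the `problem ... (INSUFF_ACCESS_RIGHTS)` part, and maps them to the plain-English cause a PAM admin needs to act on. It goes a little beyond the two codes in the post by also covering the other common AD bind sub-codes (525, 530, 531, 532, 533, 701, 773, 775). The sample log is the two lines from the post plus two constructed lines (a non-error line and a lockout, sub-code 775); the account name `svc_pam` on those constructed lines is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines 1 and 3 are the two errors quoted in the thread;
# line 2 (a success line) and line 4 (a lockout, sub-code 775) are made up here
# so the parser has a non-error line and a second bind failure to handle.
SAMPLE_LOG = """\
INFO: Failed authentication to Active Directory using account 'jondu01' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]' javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580]
INFO: Password verified for account 'svc_pam' (constructed line, no LDAP error)
SEVERE: Failed to update password in Active Directory javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]; remaining name 'CN=administrator,CN=Users,DC=hilltop,DC=lab'
INFO: Failed authentication to Active Directory using account 'svc_pam' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 775, v2580]'
"""

# LDAP result codes that show up in PAM-to-AD failures (RFC 4511 names).
LDAP_RESULT_CODES = {49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Windows AD bind sub-codes reported as "data NNN" after result code 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for the account PAM is using)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

LEVEL_RE = re.compile(r"^(?P<level>[A-Z]+):")
LDAP_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+):(?P<rest>[^\]]*)\]")
DATA_RE = re.compile(r"\bdata (?P<data>[0-9A-Fa-f]+)")
PROBLEM_RE = re.compile(r"problem (?P<num>\d+) \((?P<name>[A-Z_]+)\)")
ACCOUNT_RE = re.compile(r"using account '(?P<acct>[^']+)'")
DN_RE = re.compile(r"remaining name '(?P<dn>[^']+)'")


@dataclass
class LdapFailure:
    level: str
    code: int
    subcode: Optional[str]   # AD "data" sub-code, e.g. "52e"
    problem: Optional[str]   # e.g. "INSUFF_ACCESS_RIGHTS"
    account: Optional[str]   # account PAM tried to bind as, if logged
    dn: Optional[str]        # target object DN, if logged
    diagnosis: str


def diagnose(code: int, subcode: Optional[str], problem: Optional[str]) -> str:
    """Turn the raw codes into the cause a PAM admin needs to act on."""
    if code == 49 and subcode in AD_BIND_SUBCODES:
        return f"bind failed: {AD_BIND_SUBCODES[subcode]}"
    if problem:
        return f"{problem}: the rotation account lacks rights on the target object"
    return f"LDAP result code {code} ({LDAP_RESULT_CODES.get(code, 'unknown')})"


def parse_line(line: str) -> Optional[LdapFailure]:
    """Return an LdapFailure for a line carrying an LDAP error, else None."""
    m = LDAP_RE.search(line)          # first "[LDAP: error code ...]" block
    if not m:
        return None
    code = int(m.group("code"))
    rest = m.group("rest")            # everything after the hex code inside the brackets
    data = DATA_RE.search(rest)
    prob = PROBLEM_RE.search(rest)
    acct = ACCOUNT_RE.search(line)
    dn = DN_RE.search(line)
    lvl = LEVEL_RE.match(line)
    subcode = data.group("data") if data else None
    problem = prob.group("name") if prob else None
    return LdapFailure(
        level=lvl.group("level") if lvl else "UNKNOWN",
        code=code,
        subcode=subcode,
        problem=problem,
        account=acct.group("acct") if acct else None,
        dn=dn.group("dn") if dn else None,
        diagnosis=diagnose(code, subcode, problem),
    )


def parse_log(text: str) -> List[LdapFailure]:
    """Extract every LDAP failure from a block of catalina log text."""
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        who = f.account or f.dn or "?"
        print(f"{f.level:6} code {f.code}/{f.subcode or '-'} {who}: {f.diagnosis}")
```

Run it against the log after reproducing the issue at INFO level (and, as Christian says, drop the level back afterwards). The two findings a PAM admin cares about come apart cleanly: a 49/52e on the account PAM binds with means the stored credential is wrong and needs updating, while a 50 with INSUFF_ACCESS_RIGHTS on the target DN means the credential is fine but the rotation account has not been granted "Reset password" on that object.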
Since this seems more complex than expected, our recommendation is to turn this into a support case. The comments both Christian and I made earlier should help to get you going as far as first steps. However, if this does not help, please open a support case and we will be happy to assist.