Symantec Privileged Access Management

Expand all | Collapse all

CA PAM - Local Services and Account discovery using Windows Proxy

  • 1.  CA PAM - Local Services and Account discovery using Windows Proxy

    Posted 11-12-2018 11:59 AM

    Hello everyone,

     

    What are the necessary permissions/configurations that we need to have on an endpoint in order to be able to discover local accounts and the services they manage? At some of the remote endpoints that i have tried doing account discovery it worked(but it doesn't return any services), and at other times in account discovery logs it says -2147024891- ERROR_ACCESS_DENIED.

     

    Firewall is not an issue, it has the same ports opened for the devices that don't work like the devices that work, and the account that we use for the discovery has the same permission on all servers. Version of the appliance is 3.2.2

     

    Best regards,

    Nikola



  • 2.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Broadcom Employee
    Posted 11-15-2018 09:21 AM

    Hello Nikola, In general the requirements listed in "Prerequisites for Using the Windows Remote Connector" on page https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/identify-target-applications-and-connectors/add-a-windows-remote-target-connector should be sufficient for remote account management using the Windows Proxy as well. The question is what account you are using to do the discovery. Can you clarify that?



  • 3.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Posted 11-15-2018 09:27 AM

    Hi Ralf,

     

    Thank you for the quick reply. The account is a local admin on the remote Windows endpoint, but it is strange that i can manage the account password just fine, but when i do a discovery with that account it says "ACCESS DENIED".

     

    I will look into these permissions when i have time, but i am not sure if that might be the issue.

     

    Best regards,

    Nikola



  • 4.  Re: CA PAM - Local Services and Account discovery using Windows Proxy

    Broadcom Employee
    Posted 11-15-2018 11:24 AM

    The Windows Proxy log cspmclient\log\cspm_client_log.txt should contain the access denied message. This gives you the time stamp to check on Windows Event logs on the target device, specifically the Security logs. They should give you information on why the logon was denied. Look for any mismatch in account or domain name if it's not a permissions issue.