A client recently shared this screenshot with me and wonders how GENERIC accounts can show up as verified / failed verification when, by definition, GENERIC accounts are vault-only accounts and are not synced against a target system.
Hi Seb, This is not normal. As you say, generic accounts cannot be verified, and they don't show status on my PAM instance. Is it possible that the target application type was different at one point in time? And how were the accounts created: manually, via Remote CLI, via the REST API, or any other way?
Since these are SYBASE SA accounts, the plan was always to on-board with application type GENERIC.
The accounts may have been created via XSIE.
I suspect that an XSIE import is behind this, but I cannot comment on how XSIE publishes target accounts, as that tool is not part of PAM. I tried publishing generic accounts using the remote CLI and was not able to see this problem with PAM 3.2.4, even when explicitly setting properties for lastVerified and passwordVerified. Your import data may have been derived from other types of accounts with a lot of attributes set that are not right for generic accounts.
Turns out XSIE was the culprit.
The CSV file used to bulk upload with XSIE contains a column labeled 'Synchronize'; this controls the selection of the "Synchronization" options on the Password tab of the Account... and it completely disregards that it's a GENERIC account.
Re-importing those accounts with that column set to FALSE fixes the issue.
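A pre-import check for the problem described in this thread, as an added example that is not part of the original posts and is not XSIE or PAM code: it flags GENERIC rows whose 'Synchronize' value is anything other than FALSE and writes a corrected copy. Only the 'Synchronize' column name comes from the thread; the other header names and the sample rows are assumptions.

```python
import csv
import io

# Only the 'Synchronize' column name comes from the thread; the other
# header names are assumptions and must be changed to match the real file.
SYNC_COL = "Synchronize"
TYPE_COL = "Application Type"   # assumed header
NAME_COL = "Account Name"       # assumed header


def lint_and_fix(csv_text, type_col=TYPE_COL, sync_col=SYNC_COL, name_col=NAME_COL):
    """Return (flagged, fixed_csv): GENERIC rows whose Synchronize value is
    anything other than FALSE, and a copy of the CSV with those set to FALSE."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {type_col, sync_col, name_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing column(s): {sorted(missing)}")
    flagged, rows = [], []
    for row in reader:
        is_generic = (row[type_col] or "").strip().upper() == "GENERIC"
        # Blank or short rows are treated as "not FALSE" and flagged, because
        # the thread only confirms that an explicit FALSE avoids the problem.
        sync_value = row[sync_col] or ""
        if is_generic and sync_value.strip().upper() != "FALSE":
            flagged.append((reader.line_num, row[name_col], sync_value))
            row[sync_col] = "FALSE"
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return flagged, out.getvalue()


# Constructed sample data, not taken from a real export.
SAMPLE = """Account Name,Application Type,Synchronize
sa,GENERIC,TRUE
sa_dr,generic,
svc_web,LINUX,TRUE
sa_test,GENERIC,FALSE
"""

if __name__ == "__main__":
    flagged, fixed = lint_and_fix(SAMPLE)
    for line, name, value in flagged:
        print(f"line {line}: {name} is GENERIC with Synchronize={value!r}")
    print(fixed)
```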