Symantec Privileged Access Management


About Password Update Logic on AD Managed Accounts

  • 1.  About Password Update Logic on AD Managed Accounts

    Posted 11-06-2020 06:19 PM
    Edited by Sebastiano Alighieri 11-10-2020 08:28 AM
    I'm working on PAM 3.3.2 for a client that is due to go live in 10 days.

    We need to manage AD Accounts by way of a Master AD account. So we on-board and configure those accounts accordingly.

    When I try to force change the password I see the behavior described in Avoid Windows Target Accounts getting locked out


    In short "FIRST PAM attempts to verify the specified credentials for the account, BEFORE Updating the credentials for the account using the master account."

    or in other words

    "The _managed_ account first tries to validate its "own" creds with the  _generated_ password not the currently verified and synchronized one; Well Of course that fails twice (once by UPN and again by DN) because the generated password is NOT the same as the current password… and only then does the Management account login."


    I see this as a potential design flaw - consider the following real-world experience for which I will provide some anecdotal evidence to support my finding (see screenshots further below).

    NOTE: Before I try to force spin the password on the managed account I confirm that the password is indeed valid by (a) validating in PAM and (b) auto-connecting to a target Windows member server device with that account. So we know the password is correct.

    ====== excerpt from the Catalina log ============
    Nov 06, 2020 6:29:01 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
    INFO: Failed authentication to Active Directory using distinguished name 'CN=*******,OU=Users,OU=PAM,OU=CORE,DC=domain,DC=net' for account '******' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'

    Nov 06, 2020 6:29:02 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager bindUsingUserPrincipalName
    INFO: Failed authentication to Active Directory using user principal name '*******@*****.net' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
    ================================================

     52e == invalid credentials.


    Consider what could happen if the Account Lockout policy was set to 1 failed attempt in a target domain. PAM would lock out the managed account every time a PAM admin or Job were trying to force-spin the password.

    If PAM must first validate the managed account's password, then shouldn't it do so with the _current_ password, not the generated one?


    I appreciate your thoughts.

    enjoy your weekend



    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------
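As an added example (not code from the thread or from the PAM product), a small Python parser for the Catalina log lines quoted above: it decodes the AD "data" code behind LDAP error 49 and counts the invalid-credential binds per managed account against a hypothetical lockout threshold, which is what the post's lockout concern comes down to. The sample log and the account name svc-app01 are constructed.

```python
import re
from collections import Counter

# AD returns the real reason for an LDAP error 49 bind failure in the "data NNN" field.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches both the DN-based and the UPN-based failure lines the
# WindowsDomainServiceTargetManager writes (format as quoted in the thread).
FAILURE_RE = re.compile(
    r"Failed authentication to Active Directory using "
    r"(?P<method>distinguished name|user principal name) '(?P<ident>[^']+)'"
    r"(?: for account '(?P<account>[^']+)')?.*?data (?P<data>[0-9a-f]{3})"
)

# Constructed sample: the two binds PAM attempts with the *generated* password.
SAMPLE_LOG = """\
Nov 06, 2020 6:29:01 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
INFO: Failed authentication to Active Directory using distinguished name 'CN=svc-app01,OU=Users,OU=PAM,OU=CORE,DC=example,DC=net' for account 'svc-app01' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
Nov 06, 2020 6:29:02 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager bindUsingUserPrincipalName
INFO: Failed authentication to Active Directory using user principal name 'svc-app01@example.net' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
"""

def parse_failures(log_text):
    """Return one dict per AD bind failure found in the Catalina log text."""
    events = []
    for m in FAILURE_RE.finditer(log_text):
        # The UPN line carries no 'for account' field, so derive the sAMAccountName-style name from the UPN.
        account = m.group("account") or m.group("ident").split("@")[0]
        events.append({
            "method": "DN" if m.group("method").startswith("dist") else "UPN",
            "account": account,
            "data": m.group("data"),
            "reason": AD_BIND_DATA_CODES.get(m.group("data"), "unknown"),
        })
    return events

def lockout_risk(events, lockout_threshold):
    """Accounts whose 52e (bad password) count reaches the domain's lockout threshold (0 = no lockout policy)."""
    bad = Counter(e["account"] for e in events if e["data"] == "52e")
    return {acct: n for acct, n in bad.items() if lockout_threshold and n >= lockout_threshold}
```

Run it over a real catalina.out to see how many bad-password attempts each force-spin actually charges against the account's lockout counter.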


  • 2.  RE: About Password Update Logic on AD Managed Accounts

    Broadcom Employee
    Posted 11-06-2020 06:46 PM
    Hi Sebastiano, PAM may lock the account, but it would also unlock it when the service account updates the password, see https://knowledge.broadcom.com/external/article?articleId=129646. Make sure your service account has the privilege to unlock the managed accounts. This comes up frequently. Newer connectors, like the Windows Remote target connector, do not try to attempt logon with the new password first. But so far the logic for the AD connector, and multiple other connectors, has not changed. The logic makes sense when you add a new account to PAM, where you typically would provide the current correct password, or when you manually update the password of an existing target account. It does not make sense when PAM generates a new password, but the affected connectors currently have no switch for the two cases.


  • 3.  RE: About Password Update Logic on AD Managed Accounts

    Posted 11-09-2020 09:07 AM
    Thank you Ralf for validating my point of view.

    I understand the logic upon initial on-boarding of the account in PAM where the account manages itself... there is no other way.

    But yes, when the AD account is managed by another AD account, then it doesn't make sense.

    Take Unix for example, we have that switch that says "verify using other account" - and for Proxy Accounts we can leverage the proxy svc account. I guess we need that option for AD accounts?

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 4.  RE: About Password Update Logic on AD Managed Accounts

    Broadcom Employee
    Posted 11-09-2020 11:36 AM
    Hi Sebastiano, Windows does not allow for verification by other accounts. The accounts always are verified with an attempted logon as that account, for all three types of Windows connectors.


  • 5.  RE: About Password Update Logic on AD Managed Accounts

    Posted 11-09-2020 11:48 AM
    Edited by Sebastiano Alighieri 11-09-2020 11:49 AM
    Ralf,

    thanks again, but I have a couple of follow-ups.

    When an AD Account is managed by another AD account and a PAM Admin wants to force-change the password, what is the point of validating the managed account with the (NEW) _wrong_ password, twice? This is only going to cause the account lockout counter to increase.

    Shouldn't PAM first try to validate the account with the 'current' (correct) password? Then login as the management account and force-reset the password?

    thanks again.


    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 6.  RE: About Password Update Logic on AD Managed Accounts

    Broadcom Employee
    Posted 11-09-2020 11:56 AM
    Hi Sebastiano, we discussed what PAM does, and we discussed already that this is not right in every case. I don't want to go in circles here. Customers are encouraged to have their account team contact product management to discuss improvements in product functionality. You can also use the ideation page to submit enhancement requests.


  • 7.  RE: About Password Update Logic on AD Managed Accounts

    Posted 11-09-2020 12:02 PM
    OK, understood.

    thank you for your support.

    ------------------------------
    Services Architect
    HCL Technologies Ltd
    ------------------------------



  • 8.  RE: About Password Update Logic on AD Managed Accounts

    Posted 11-24-2020 11:19 AM
    Hi @Sebastiano Alighieri,

    Please let me know if you raise any request in ideation. I will also upvote it, though this is an obvious design fault.