Symantec Privileged Access Management


CA PAM 3.3 updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation

  • 1.  CA PAM 3.3 updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation

    Posted Nov 12, 2019 03:18 PM
    Hi community



    WARNING: vie noviembre 08 09:24:32.391 COT 2019 CSPMAgentService::updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation

    This error causes the password not to be changed successfully.

    The account verification process is successful, but it also generates an error message similar to the previous one, but the password is successfully verified.
    WARNING: vie noviembre 08 09:24:18.375 COT 2019 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1326-ERROR_LOGON_FAILURE


    Support tells me that it is necessary to install the Windows Proxy agent on each Windows-type EndPoint, but in other implementations I have installed and configured a single Windows Proxy, and this allows managing and changing the passwords of the other EndPoints.


    I need your support and help, since it is not feasible for the client to install the Windows Proxy on each server.

    Attachment(s): cspm_client_log.txt (21 KB)


  • 2.  RE: CA PAM 3.3 updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation
    Best Answer

    Broadcom Employee
    Posted Nov 13, 2019 05:32 PM
    Hi Julian, you misinterpreted the logs. The account verification is successful with return value 0-NERR_Success, see the messages from 15:08:23. The failed verification attempt is part of the update process. When PAM updates the password of an account, it will always first try to log on with the new password. This is correct for the case where you configure an account and manually enter the current password in the target account. It is not really right to do it when the password is rotated, but PAM does it anyway. So this causes the failed verification at 15:07:19. Right after that we try to log on with the current password and then update it. But that comes back 14 seconds later with a 1331-Invalid_operation error. Windows error code 1331 is "This user can't sign in because this account is currently disabled.". I see two possibilities:
    (1) The Administrator account is not allowed to change its password via a remote call.
    (2) The account gets disabled temporarily on the single failed logon attempt using the new password (which at that time is wrong of course as explained above).

    Reviewing the Windows Event (Security) logs on the target server should give you more information on why the password update attempt was denied. You should be able to get this to work. It is not true that the Windows Proxy has to be installed on each target server.
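
The log reading described in the reply above, as an added example that is not part of the thread or of CA PAM: it parses the two WARNING lines quoted in the first post, maps each numeric code to its Win32 name (PAM labels 1331 `Invalid_operation`, while Windows defines it as ERROR_ACCOUNT_DISABLED), and measures the gap between the failed verify and the failed update. The function names, the Spanish-locale timestamp handling and the 60-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Win32 system error codes for logon and password-change failures (winerror.h).
WIN32 = {
    0: "NERR_Success",
    5: "ERROR_ACCESS_DENIED",
    1326: "ERROR_LOGON_FAILURE",
    1327: "ERROR_ACCOUNT_RESTRICTION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}
MONTHS = ("enero febrero marzo abril mayo junio julio agosto "
          "septiembre octubre noviembre diciembre").split()

# The two WARNING lines quoted in the first post (Spanish-locale timestamps).
SAMPLE = """\
WARNING: vie noviembre 08 09:24:18.375 COT 2019 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1326-ERROR_LOGON_FAILURE
WARNING: vie noviembre 08 09:24:32.391 COT 2019 CSPMAgentService::updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation
"""

LINE = re.compile(
    r"(?P<mon>\w+) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \S+ (?P<year>\d{4}) "
    r"CSPMAgentService::(?P<op>\w+)\. .*?message: (?P<code>\d+)-(?P<label>\S+)"
)

def parse(text):
    """Return one dict per CSPMAgentService result line, with the Win32 name for its code."""
    events = []
    for m in LINE.finditer(text):
        month = MONTHS.index(m["mon"].lower()) + 1  # assumes Spanish month names, as in the post
        ts = datetime.strptime(f"{m['year']} {month} {m['day']} {m['time']}",
                               "%Y %m %d %H:%M:%S.%f")
        code = int(m["code"])
        events.append({"ts": ts, "op": m["op"], "code": code,
                       "pam_label": m["label"], "win32": WIN32.get(code, "unknown")})
    return events

def failed_updates(events, window_s=60):
    """Pair each failed update with the seconds since the failed verify preceding it."""
    out, last_verify = [], None
    for e in events:
        if e["code"] == 0:
            continue
        if e["op"].startswith("verify"):
            last_verify = e
        elif e["op"].startswith("update"):
            gap = (e["ts"] - last_verify["ts"]).total_seconds() if last_verify else None
            out.append((e, gap if gap is not None and gap <= window_s else None))
    return out

if __name__ == "__main__":
    for e, gap in failed_updates(parse(SAMPLE)):
        print(e["op"], e["code"], e["pam_label"], "->", e["win32"], "gap_s =", gap)
```

The timestamp of each failed update gives the window to search in the target server's Security event log, which is where the reply says the reason for the denial should appear.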



  • 3.  RE: CA PAM 3.3 updateWindowsAccountPasswordWithServices. Operation not successful, message: 1331-Invalid_operation

    Posted Nov 15, 2019 02:50 PM
    Hi Ralf

    Thank you very much for your response, it has helped me to deepen the search for the possible error.

    Based on your comment I have managed to identify the following particularities:

    The proxy works correctly if the account to be managed is synchronized using the option "Use the following account to change password" and another account is selected to manage it.

    But if the account is synchronized using the "Account can change own password" option, it always fails when generating a password change.

    When I checked the EndPoint event viewer, I have not been able to identify anything unusual or at least nothing easy to identify at first sight. My theory is that the proxy is misinterpreting the response by the Server when the password change is made.
