Layer 7 Privileged Access Management

Expand all | Collapse all

Verification Failed with Credential management and Target System

Jump to Best Answer
  • 1.  Verification Failed with Credential management and Target System

    Posted 09-12-2019 08:18 AM
      |   view attached
    Hi,

    I have added windows 2016 server in CA PAM. While making auto login for this device using windows remote connector I am getting the issue:

    1. Created Application using Credentials ----> Manage targets ----> Application
    2. Selected Application Type - "Windows Remote" 
    3. On windows Remote Tab selected Local Account
    4. Created Test20 as a local account in windows 2016 server
    5. While creating target Account using Application type as windows remote connector and setting the option update both the credential Manager server and the target system is throwing the attached error.

    If I am using windows proxy connector then Target Account is verified as a success. 

    Please advise

    Regards,
    Mohit Trehan


  • 2.  RE: Verification Failed with Credential management and Target System

    Posted 09-12-2019 09:18 AM
    This is due to Windows UAC remote restriction. This issue occurred when the target accounts are local user accounts on the target remote computer.

    To resolve the issue, perform these steps:
    1.  On the Windows Server 2016 computer, open the Registry Editor aka regedit.
    2.  Locate the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    3.  If the LocalAccountTokenFilterPolicy registry entry does not exist, create it as follows:


    4.  If the registry entry exists, then modify it by setting the Value data field to 1 as shown above.
    5.  Exit Registry Editor.




  • 3.  RE: Verification Failed with Credential management and Target System
    Best Answer

    Posted 09-12-2019 12:34 PM
    Edited by Soon Leong Yap 09-15-2019 10:24 PM
    You may also need to perform the following steps to fully resolve the above issue.  On some computers, you may run into the following error: PAM-CM-1119: Bad net path.

    Previously, before Windows Server 2016, the Windows Remote connector has no issue managing target accounts on remote Windows computers such as Windows Server 2012.

    In Windows Server 2016, one of the security changes introduced in this version is the network access restriction. Together with the User Account Control (UAC) issue above, it is causing the Windows Remote connector to fail when attempting to manage local user accounts on remote Windows Server 2016 computers.

    You will find that the Windows Remote connector worked when the local built-in administrator account is used but failed for other local user account who are members of the local Administrator group.

    To resolve these issues, perform the following steps:
    1.  On the Windows Server 2016 computer, open the Local Security Policy.


    2. Open the Network access: Restrict clients allowed to make remote call policy shown below:


    3.  Click Edit Security.


    4.  Click Add.

    5.  Select the user for the target account. Click Check Names to verify the selected user account. Click OK.

    6.   Click OK.

    7.  Click OK.

    8.  Close the Local Security Policy.

    9.  After this configuration, the Windows Remote connector will be able to manage target accounts on the Windows Server 2016 computers as before.




  • 4.  RE: Verification Failed with Credential management and Target System

    Posted 09-13-2019 02:48 AM
    Thanks Leong. After following your provided steps on windows 2016 server. Now CA PAM remote connector is able to verify the windows 2016 server on Target Account.


  • 5.  RE: Verification Failed with Credential management and Target System

    Posted 09-13-2019 02:47 AM
    Thanks leong for your prompt and helpful response.