Symantec Privileged Access Management

  • 1.  Verification Failed with Credential management and Target System

    Broadcom Employee
    Posted Sep 12, 2019 08:18 AM
    Hi,

    I have added a Windows 2016 server in CA PAM. While setting up auto-login for this device using the Windows Remote connector, I am getting the following issue:

    1. Created an application using Credentials ----> Manage Targets ----> Application
    2. Selected Application Type - "Windows Remote"
    3. On the Windows Remote tab, selected Local Account
    4. Created Test20 as a local account on the Windows 2016 server
    5. While creating the target account using the Windows Remote connector application type and setting the option to update both the Credential Manager server and the target system, it throws the attached error.

    If I use the Windows Proxy connector, the target account is verified successfully.

    Please advise

    Regards,
    Mohit Trehan


  • 2.  RE: Verification Failed with Credential management and Target System

    Broadcom Employee
    Posted Sep 12, 2019 09:18 AM
    This is due to the Windows UAC remote restriction. This issue occurs when the target accounts are local user accounts on the target remote computer.

    To resolve the issue, perform these steps:
    1.  On the Windows Server 2016 computer, open the Registry Editor (regedit).
    2.  Locate the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    3.  If the LocalAccountTokenFilterPolicy registry entry does not exist, create it as follows:


    4.  If the registry entry exists, then modify it by setting the Value data field to 1 as shown above.
    5.  Exit Registry Editor.




  • 3.  RE: Verification Failed with Credential management and Target System
    Best Answer

    Broadcom Employee
    Posted Sep 12, 2019 12:34 PM
    Edited by Soon Leong Yap Sep 15, 2019 10:24 PM
    You may also need to perform the following steps to fully resolve the above issue. On some computers, you may run into the following error: PAM-CM-1119: Bad net path.

    Previously, before Windows Server 2016, the Windows Remote connector had no issue managing target accounts on remote Windows computers such as Windows Server 2012.

    One of the security changes introduced in Windows Server 2016 is the network access restriction. Together with the User Account Control (UAC) issue above, it causes the Windows Remote connector to fail when attempting to manage local user accounts on remote Windows Server 2016 computers.

    You will find that the Windows Remote connector works when the local built-in administrator account is used but fails for other local user accounts that are members of the local Administrators group.

    To resolve these issues, perform the following steps:
    1.  On the Windows Server 2016 computer, open the Local Security Policy.


    2. Open the Network access: Restrict clients allowed to make remote call policy shown below:


    3.  Click Edit Security.


    4.  Click Add.

    5.  Select the user for the target account. Click Check Names to verify the selected user account. Click OK.

    6.   Click OK.

    7.  Click OK.

    8.  Close the Local Security Policy.

    9.  After this configuration, the Windows Remote connector will be able to manage target accounts on the Windows Server 2016 computers as before.
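
A read-only check of the two settings named in replies 2 and 3, as an added example that is not part of the original posts and is not Broadcom's own tooling. It assumes the policy from reply 3 is "Network access: Restrict clients allowed to make remote calls to SAM", which Windows stores as the `RestrictRemoteSAM` value under the Lsa key (taken from Microsoft's documentation, not from this thread); `Test20` is the account from the first post.

```powershell
# Added example: reports the state of both settings without changing anything.
# Run in an elevated PowerShell session on the Windows Server 2016 target.
param([string]$Account = "$env:COMPUTERNAME\Test20")   # account from the first post

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumption: not named in the thread

# 1. UAC remote restriction: 1 means local administrators keep a full token remotely.
$latfp = (Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy `
          -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($null -eq $latfp) { $latfp = 0 }   # an absent value behaves like 0

# 2. Remote SAM restriction: the policy is stored as an SDDL string.
$sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM `
         -ErrorAction SilentlyContinue).RestrictRemoteSAM

# Resolve the account to a SID so the comparison does not depend on name format.
try   { $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                 [System.Security.Principal.SecurityIdentifier]) }
catch { $sid = $null }                 # account does not exist on this computer

$allowed = @()
$listed  = $false
if ($sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }   # allow ACEs only
        if ($sid -and $ace.SecurityIdentifier -eq $sid) { $listed = $true }
        try   { $allowed += $ace.SecurityIdentifier.Translate(
                              [System.Security.Principal.NTAccount]).Value }
        catch { $allowed += $ace.SecurityIdentifier.Value }       # unresolved SID
    }
}
$samPolicy = '(not configured)'
if ($sddl) { $samPolicy = $sddl }

# Group membership is not expanded: only a direct entry for $Account counts,
# which is what steps 4 and 5 of reply 3 add.
[pscustomobject]@{
    Account                       = $Account
    AccountResolved               = [bool]$sid
    LocalAccountTokenFilterPolicy = $latfp
    UacRemoteRestrictionOff       = ($latfp -eq 1)
    RestrictRemoteSAM             = $samPolicy
    AllowedTrustees               = $allowed -join ', '
    AccountListedDirectly         = $listed
} | Format-List
```

`LocalAccountTokenFilterPolicy` is a machine-wide value, so a result of 1 applies to every local account in the Administrators group on that server, not only the PAM target account.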




  • 4.  RE: Verification Failed with Credential management and Target System

    Broadcom Employee
    Posted Sep 13, 2019 02:48 AM
    Thanks Leong. After following your provided steps on the Windows 2016 server, the CA PAM remote connector is now able to verify the Windows 2016 server on the target account.


  • 5.  RE: Verification Failed with Credential management and Target System

    Broadcom Employee
    Posted Sep 13, 2019 02:47 AM
    Thanks Leong for your prompt and helpful response.