Symantec Privileged Access Management

  • 1.  Is it possible to reset a user's Active Directory Password in PAM?

    Posted Dec 08, 2017 10:52 AM

    Under the Users > Manage Users tab, there isn't an option to reset a password. Is that option available in PAM and if so, where can I find it?



  • 2.  Re: Is it possible to reset a user's Active Directory Password in PAM?
    Best Answer

    Broadcom Employee
    Posted Dec 08, 2017 12:47 PM

    Hi Don,

    No, it is not currently possible to reset a user's AD (or LDAP) password from the PAM Users GUI. If you would like to see this as a feature in a future release, I would suggest creating an Idea here on the communities!

    However, if you have used a properly permissioned AD Bind Account, then your users would be able to reset their own AD password from PAM in the event that their password has expired or their account has been flagged with 'User must change password on next logon'. That being said, with the exception of these 2 conditions, users would NOT be able to change their own password through PAM either. More info on this can be found at the link below in the section titled "Active Directory Tasks":

    LDAP - CA Privileged Access Manager - 3.0.2 - CA Technologies Documentation

    Snippet from page:

    "When a CA Privileged Access Manager User that has been imported from AD attempts to log in following expiration or temporary replacement of an AD password, the next screen that is presented is the User Information page. The user then must use this page to change the password, which then silently propagates the update to AD."

    One other option you have would be to vault the same AD accounts into the PAM Target Accounts using a Windows Domain Service or Windows Proxy Target Application. Once vaulted in PAM, you could force the password to change; however, if the user ever changes their password from somewhere else, then PAM may end up out of sync with the AD password. While this is possible, it wouldn't generally be the best way to go for accounts whose passwords are being managed by a real user.

    Let me know if there are any questions about this,

    -Christian Lutz

    Support Engineer

    CA Technologies



  • 3.  Re: Is it possible to reset a user's Active Directory Password in PAM?

    Posted Nov 27, 2018 08:52 PM

    Hi Lutch,

    Do you have a procedure or document on how to include the domain controller certificate in PAM? I ask because I am trying to synchronize and change the password of a domain account, but I get the following error:

    Nov 28, 2018 1:34:19 AM com.ca.pam.rest.PAUtil generateExceptionFromAppCtx
    SEVERE: PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
    Nov 28, 2018 1:35:14 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
    SEVERE: Failed authentication to Active Directory using account 'thomas.guaman'
    com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate can not be retrieved from the domain controller

    I would appreciate any document or link about it.



  • 4.  Re: Is it possible to reset a user's Active Directory Password in PAM?

    Broadcom Employee
    Posted Nov 28, 2018 09:37 AM

    Hello Julian,

    There is no certificate to import into PAM. The Active Directory target connector has to connect to the LDAPS port 636. Either you didn't specify the right port in the target application, or the domain controller you are connecting to does not have the LDAPS port configured properly.
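A pre-flight check for the condition described in the reply above: before pointing the Windows Domain Service connector at a domain controller, confirm that the DC actually answers TLS on port 636 and serves a certificate, and contrast that with plain LDAP on 389 so a blocked or unconfigured LDAPS port is distinguishable from a DC that is simply unreachable. This is an added example, not PAM code or a Broadcom tool; the DC host name is a placeholder, and the sample log lines are quoted from the post above so the same script can pull the PAM-CM error codes out of a log.

```python
import hashlib
import re
import socket
import ssl

# Log lines quoted from the post above (sample input, not live output).
SAMPLE_LOG = """Nov 28, 2018 1:34:19 AM com.ca.pam.rest.PAUtil generateExceptionFromAppCtx
SEVERE: PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
SEVERE: Failed authentication to Active Directory using account 'thomas.guaman'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate can not be retrieved from the domain controller
"""

PAM_CODE = re.compile(r"(PAM-CM-\d{4}): ([^\n]*)")


def pam_error_codes(log_text):
    """Return (code, message) pairs for every PAM-CM-nnnn entry in a log excerpt."""
    return PAM_CODE.findall(log_text)


def tcp_open(host, port, timeout=5.0):
    """True when a plain TCP connect to host:port succeeds (used for LDAP/389)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ldaps(host, port=636, timeout=5.0):
    """Complete a TLS handshake on the LDAPS port and describe what the DC served.
    Verification is disabled on purpose: the question here is whether the DC
    presents any certificate at all, which is what PAM-CM-3433 complains about."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                proto, cipher = tls.version(), tls.cipher()[0]
    except OSError as exc:  # refused, timeout, reset and ssl.SSLError all land here
        return {"ok": False, "host": host, "port": port, "error": str(exc),
                "ldap_389_open": tcp_open(host, 389, timeout)}
    return {"ok": True, "host": host, "port": port, "tls": proto, "cipher": cipher,
            "cert_sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    import sys
    for code, message in pam_error_codes(SAMPLE_LOG):
        print(code, "->", message)
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # placeholder
    print(check_ldaps(dc))
```

If the result shows `ok: False` with `ldap_389_open: True`, the DC is reachable but LDAPS is not listening or is filtered on 636, which is the case the reply describes; compare `cert_sha256` against the certificate installed on the DC to confirm the expected one is being served.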



  • 5.  Re: Is it possible to reset a user's Active Directory Password in PAM?

    Posted Nov 29, 2018 05:10 PM

    Hi Ralf,

    Your answer was correct; we adjusted permissions for port 636 and it worked correctly.

    Thanks