Products
Applications
Support
Company
How To Buy
Skip to main content (Press Enter).
Sign in
Skip auxiliary navigation (Press Enter).
Register
Skip main navigation (Press Enter).
Toggle navigation
Search Options
Home
Communities
All Communities
Enterprise Software
Mainframe Software
Symantec Enterprise
Blogs
All Blogs
Enterprise Software
Mainframe Software
Symantec Enterprise
Events
All Events
Enterprise Software
Mainframe Software
Symantec Enterprise
VMware
Water Cooler
Groups
Enterprise Software
Mainframe Software
Symantec Enterprise
Members
Symantec Privileged Access Management
Back to Library
upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0..no PW rotation!
0
Recommend
Oct 24, 2019 11:37 AM
Tarek Hamdy
Statistics
0 Favorited
20 Views
2 Files
0 Shares
183 Downloads
Attachment(s)
Download All
LINUXPWPolicy.PNG
38 KB
1 version
Uploaded - Oct 24, 2019
Download
WindowsDomainPWPolicy.PNG
37 KB
1 version
Uploaded - Oct 24, 2019
Download
Download Document
Please accept the terms of the copyright associated with this attachment before downloading it. Click the link below to read the terms.
Accept
Tags and Keywords
Comments
Tarek Hamdy
Oct 24, 2019 01:39 PM
Exactly 4 days (96 hours) after initially resetting the password for the password master, the system locked out the during its attempt to rotate the password.
These are the event viewer entries:
-------------------------------------------------
Event 4625
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: XXXXXXXXXX$
Account Domain: FEDERAL
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxxxxxxxxxxx-master
Account Domain: FEDERAL
Failure Information:
Failure Reason: Account locked out.
Status: 0xC0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x238
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: XXXXXXXXXX
Source Network Address: XX.XX.XX.XX
Source Port: 32564
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
----------------------------------------
Event 4776
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: xxxxxxxxxxxx-master
Source Workstation: XXXXXXXXXX
Error Code: 0xC0000234
Tarek Hamdy
Oct 24, 2019 12:57 PM
I was able to a manual rotation after manually resetting the password on a password master account. This account was previously unverified.
It appears the accounts are becoming locked out.
Tarek Hamdy
Oct 24, 2019 12:41 PM
It appears text of the issue never got posted.
We just upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0 during the weekend. It appears the Layer 7 PAM 3.3.0 is unable to reset passwords for accounts. It appears the change in the applications that interface with our servers are no longer able to change the passwords in version 3.3.0. These password policies were written by me along with input from the awesome and legendary Adam Roll! They worked for 4 months under PAM 3.2.3.
For our Windows systems, we use a password master. It keeps failing to rotate the password masters password. The accounts that depend upon it, become unverified when the password cannot be rotatted. On the domain, the passwords expire every 60 days. The accounts can be rotated administratively any time. However, the accounts must wait one day before the account can rotate its own password.
I have cleaned up 6 domains. For our LINUX systems, we are not using a password master. As a result, the accounts are not rotating the password and being locked out. We have over 100 local accounts on LINUX systems that unverified.
I check the session logs on all three production appliances. There were no entries the pertain to either resetting LINUX or Active Directory accounts.
I attached a copy of our password policy. Does anyone have any ideas of what works with 3.3.0 versus 3.2.3?
Thanks
Related Entries and Links
No Related Resource entered.
Copyright 2019. All rights reserved.
Powered by Higher Logic