Symantec Privileged Access Management

  • Private Community
 View Only
Back to Library

Tech Tip - CA PAM: Troubleshooting a failed A2A Request 

Mar 07, 2017 02:00 PM

Troubleshooting a failed A2A Request
Here are the possible status codes returned from a  request for credentials by the PAM A2A client:
400 - Success

 

Problems with communication:
401 - Failed to authenticate with the Password Authority  service
402 - Unable to establish connection with client daemon
403 - Not authorized (for client daemon)
404 - Unable to establish connection with Password Authority Server
Troubleshooting these:
There may be a problem with the digest key that was set up when the A2A client first registered with the PAM server.  Perhaps your A2A client had been pointing to a different server and you are trying to point it to a new server. Perhaps you have upgraded the machine hosting your A2A client, and the hardware fingerprint has changed.
Try this first:
Invoke the 'Update Client Key' command (button on the A2A->Clients->client details page

 

If that doesn't work, try this:
1.    Stop the client daemon
2.    Delete the cache file (%CSPM_CLIENT_HOME%\cspmclient\config\data\.cspmclient.dat)
3.    Deactivate the client in the server (A2A->Clients->client details page)
4.    Restart the client daemon

 

Communication to PAM is good, but A2A request fails:

405 - No data found for specified target alias
406 - Application error. See system log for details
407 - Invalid parameters specified
409 - Unauthorized script name
410 - Unauthorized execution path
411 - Unauthorized execution user ID
412 - Unauthorized request server

 

To troubleshoot these,  look at the Failed A2A Client Request report on the Dashboard.
Date/Time    Client        Alias    Script Name    Execution User ID    Error Code
2017-03-07 11:59    IPaddress    MyAlias         MyApp    MyUser            409


Click on the underlined Date/Time - it is actually a link to more details about the failure:
Account Request Details    -  These are the details that the PAM server received for the request.  They may not be the same as you have authorized on the Mappings tab.   For a 409, you may find out that PAM received a different script name, or quite simply, after working hard to get your application integrated with the PAM client, you may have completely forgotten to add an authorization mapping for it.  That is quite common.

Statistics
0 Favorited
31 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Ralf Prigl
Apr 10, 2018 03:13 PM

If an A2A client stops working and you find errors in the client log cspmclient/log/cspm_client_log.txt like

WARNING: Mon April 09 21:00:28.184 GMT-00:00 2018 CSPMService::doPost. Failed to process event: UNKNOWN, exception: null
[Fatal Error] :1:1: Content is not allowed in prolog. ...

 

following the procedure above, steps 1-4, likely will resolve the problem. This was observed on some A2A clients after a PAM server upgrade.

Related Entries and Links

No Related Resource entered.