Symantec Privileged Access Management

​Exactly 4 days (96 hours) after initially resetting the password for the password master, the system locked out the during its attempt to rotate the password.

These are the event viewer entries:

-------------------------------------------------
Event 4625
An account failed to log on.

Subject:
 Security ID:  SYSTEM
 Account Name:  XXXXXXXXXX$
 Account Domain:  FEDERAL
 Logon ID:  0x3E7

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  xxxxxxxxxxxx-master
 Account Domain:  FEDERAL

Failure Information:
 Failure Reason:  Account locked out.
 Status:   0xC0000234
 Sub Status:  0x0

Process Information:
 Caller Process ID: 0x238
 Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
 Workstation Name: XXXXXXXXXX
 Source Network Address: XX.XX.XX.XX
 Source Port:  32564

Detailed Authentication Information:
 Logon Process:  Advapi 
 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

----------------------------------------
Event 4776

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: xxxxxxxxxxxx-master
Source Workstation: XXXXXXXXXX
Error Code: 0xC0000234

​I was able to a manual rotation after manually resetting the password on a password master account.  This account was previously unverified.

It appears the accounts are becoming locked out.

​It appears text of the issue never got posted.

We just upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0 during the weekend.  It appears the Layer 7 PAM 3.3.0 is unable to reset passwords for accounts. It appears the change in the applications that interface with our servers are no longer able to change the passwords in version 3.3.0.  These password policies were written by me along with input from the awesome and legendary Adam Roll! They worked for 4 months under PAM 3.2.3.

For our Windows systems, we use a password master.  It keeps failing to rotate the password masters password.  The accounts that depend upon it, become unverified when the password cannot be rotatted.  On the domain, the passwords expire every 60 days.  The accounts can be rotated administratively any time.  However, the accounts must wait one day before the account can rotate its own password.

I have cleaned up 6 domains.  For our LINUX systems, we are not using a password master. As a result, the accounts are not rotating the password and being locked out.  We have over 100 local accounts on LINUX systems that unverified. 

I check the session logs on all three production appliances.  There were no entries the pertain to either resetting LINUX or Active Directory accounts.

I attached a copy of our password policy.  Does anyone have any ideas of what works with 3.3.0 versus 3.2.3?

Thanks