PAM Windows Remote Connector Unable to Discover Local Accounts

Article ID: 105959

Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction

Local account discovery against target Windows Server 2012 or Windows Server 2016 hosts from CA PAM (CA Privileged Access Manager) returns 0 accounts. The Target Application is set up with the Windows Remote Target Connector, and the account used for discovery is a member of the local Administrators group on the target server. Password verification and password update with the same account work normally, but account discovery always reports 0 accounts. Service and scheduled task discovery fail in the same way.

Cause

The Windows Remote Target Connector uses SMB (Server Message Block) and WMI (Windows Management Instrumentation) to perform discovery. WMI is carried over DCOM/RPC: the connector first contacts the RPC endpoint mapper on the target (TCP 135), which returns a port from the dynamic RPC range on which the WMI service is listening, and the connector then opens a second connection to that port. The Windows Remote Target Connector therefore requires these ports to be open in any firewall between PAM and the target:

SMB: TCP port 445
WMI: TCP port 135 plus the dynamic RPC port range, 49152 to 65535 (1025 through 5000 on Windows 2000/Windows 2003)

If password verification works but discovery fails, the SMB path (port 445) is open and the WMI path is not: the dynamic port range 49152 to 65535 is blocked by a firewall. To confirm this, run Wireshark on the target Windows server and reproduce the discovery. In the display filter field at the top, enter
       tcp.dstport >= 49152 && ip.dst == <target Windows Server's IP>
Note: replace <target Windows Server's IP> with the actual IP address of the target Windows server. Appending && ip.src == <PAM appliance IP> to the filter hides unrelated traffic from other hosts to the dynamic range.

If no packets appear after applying the filter, a firewall on the path between PAM and the target is dropping the port range. If SYN packets do arrive but the target never answers them with a SYN-ACK, the block is the Windows Firewall on the target itself, because the capture driver sees inbound packets before the host firewall discards them.
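The Windows-side counterpart of the Wireshark check, as an added example that is not part of the original article: run on the target server in an elevated PowerShell session, it shows the dynamic port range the endpoint mapper hands out, which dynamic ports are in LISTEN state and whether the WMI host owns them, the state of the built-in firewall rule groups that admit this traffic, and the host firewall's own log of dropped packets. The PAM appliance address 10.0.0.5 is an assumed placeholder.

```powershell
# Added diagnostic example (not from the CA PAM article). Run on the target
# Windows server in an elevated PowerShell session.
# $PamAddress is an assumed placeholder; substitute the PAM appliance IP.
$PamAddress = '10.0.0.5'

# 1. The RPC dynamic port range this server hands out via the endpoint mapper.
#    Default on Windows Server 2008 and later: start 49152, 16384 ports.
netsh int ipv4 show dynamicport tcp

# 2. Ports currently in LISTEN state in the dynamic range, with the owning
#    process, so you can see the endpoints a WMI client would be sent to.
$winmgmtPid = (Get-CimInstance Win32_Service -Filter "Name='winmgmt'").ProcessId
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 49152 } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'IsWmiHost'; Expression = { $_.OwningProcess -eq $winmgmtPid } }

# 3. Inbound firewall rules that could admit the connector's traffic. The
#    built-in "Windows Management Instrumentation (WMI)" group is typically
#    disabled on a fresh server; if it and no custom range rule are enabled,
#    the dynamic ports are closed even though 445 (SMB) may be open.
Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayGroup -match 'Windows Management Instrumentation|File and Printer Sharing' } |
    Select-Object DisplayName, Enabled, Profile, Action

# 4. Whether the host firewall is enforcing on the profile PAM traffic arrives on.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 5. A host-side equivalent of the packet capture: packets the Windows Firewall
#    drops are written to pfirewall.log once logging of blocked packets is on.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
# Reproduce the discovery from PAM, then look for drops from the PAM address.
Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -Pattern "DROP TCP $PamAddress" |
    Select-Object -Last 20
```

A DROP entry from the PAM address with a destination port in the dynamic range, appearing while step 2 shows the WMI host listening on that port, confirms the host firewall rather than a network firewall as the block.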

Environment

PAM version 3.1.x or later
Windows Server 2012, Windows Server 2016

Resolution

Configure the firewall to open the required WMI ports between PAM and the target: TCP 135 and the dynamic RPC port range (49152 to 65535 by default), in addition to TCP 445 for SMB. Restrict the rules to the PAM appliance address rather than opening the dynamic range to every source.
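One way to apply the resolution, as an added example rather than a CA-provided procedure: the first part runs on the target server and either enables the built-in Windows Firewall rule groups for SMB and WMI scoped to the PAM address, or creates explicit rules for 445, 135 and the dynamic range; the second part runs on any Windows host on the same network path as PAM and exercises the WMI/DCOM route end to end. The address 10.0.0.5, the host name win2016-target.example.local and the rule names are assumed placeholders; the Win32_UserAccount and Win32_Service queries illustrate the kind of WMI enumeration a discovery performs and are not a statement of which classes PAM itself queries.

```powershell
# Added example (not from the CA PAM article). Part 1 runs on the target
# server in an elevated PowerShell session; part 2 runs on a Windows host on
# the same network path as the PAM appliance.
# $PamAddress and $Target are assumed placeholders.
$PamAddress = '10.0.0.5'
$Target     = 'win2016-target.example.local'

# ---- Part 1, option A (preferred): enable the built-in rule groups, scoped
# to PAM. The WMI group covers TCP 135 (DCOM-In) and the winmgmt service's
# dynamic port (WMI-In) without opening 49152-65535 to every process.
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Where-Object { $_.DisplayName -match 'SMB-In|DCOM-In|WMI-In' } |
        ForEach-Object { $_ | Set-NetFirewallRule -RemoteAddress $PamAddress -Enabled True }
}

# ---- Part 1, option B: explicit rules, if the built-in groups are absent or
# policy requires named rules. Opens the full dynamic range, but to PAM only.
$rules = @(
    @{ Name = 'PAM Connector SMB-In';  Port = '445' }
    @{ Name = 'PAM Connector RPC-EPM'; Port = '135' }
    @{ Name = 'PAM Connector RPC-DYN'; Port = '49152-65535' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $PamAddress -Action Allow -Profile Domain,Private
    }
}

# ---- Part 2: verify from a Windows host beside PAM. A CIM session forced to
# DCOM walks exactly the ports the connector uses: 135 first, then the dynamic
# port the endpoint mapper returns.
foreach ($p in 135, 445) {
    $t = Test-NetConnection -ComputerName $Target -Port $p
    '{0,-5} TcpTestSucceeded={1}' -f $p, $t.TcpTestSucceeded
}
$cred = Get-Credential -Message 'Local administrator used by the PAM target application'
$opt  = New-CimSessionOption -Protocol Dcom
$s    = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt

# The kind of enumeration a discovery performs: local accounts, then services.
Get-CimInstance -CimSession $s -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, PasswordExpires
Get-CimInstance -CimSession $s -ClassName Win32_Service |
    Select-Object -First 5 Name, StartName
Remove-CimSession $s
```

If Test-NetConnection succeeds on 135 and 445 but New-CimSession fails with "The RPC server is unavailable" (0x800706BA), the endpoint mapper answered and the dynamic port it returned is unreachable, which is the discovery symptom described above; once the rules are in place the same session should return the local accounts.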

Additional Information

Instead of the default 49152 to 65535 range you may configure a narrower range, or even a static port for WMI. This is a Windows configuration, however, and you should consult Microsoft for a setting that suits your environment. The following Microsoft articles describe both options.

https://support.microsoft.com/en-au/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls

https://docs.microsoft.com/en-us/windows/desktop/WmiSdk/setting-up-a-fixed-port-for-wmi
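The two Windows-side alternatives described in the Microsoft articles above, as an added example and not a CA-provided or Microsoft-provided script: alternative A narrows the RPC dynamic range with netsh and opens only that range to PAM; alternative B moves WMI into a standalone host on a fixed port (TCP 24158 by default, per Microsoft's fixed-port article) and opens only that port. TCP 135 and 445 remain required in both cases, because the connector still queries the endpoint mapper before connecting to the WMI port. The PAM address 10.0.0.5, the range 50000-50999 and the rule names are assumed values.

```powershell
# Added example (not from the CA PAM article or the Microsoft pages). Run on
# the target server in an elevated PowerShell session. Pick ONE alternative.
# $PamAddress, the 50000-50999 range and the rule names are assumed values.
$PamAddress = '10.0.0.5'

# ---- Alternative A: narrow the RPC dynamic range the endpoint mapper hands
# out. Every RPC/DCOM server on the host shares this range, so size it for all
# of them, not just WMI (1000 ports here is an illustrative value).
netsh int ipv4 set dynamicport tcp start=50000 num=1000
netsh int ipv6 set dynamicport tcp start=50000 num=1000
New-NetFirewallRule -DisplayName 'PAM Connector RPC-DYN (narrow)' -Direction Inbound `
    -Protocol TCP -LocalPort 50000-50999 -RemoteAddress $PamAddress -Action Allow
# The new range applies to endpoints registered after the change; reboot to be
# sure nothing still listens on a port outside it.

# ---- Alternative B: move WMI into its own host process on a fixed port.
# Per Microsoft's "Setting Up a Fixed Port for WMI", the standalone host
# listens on TCP 24158 by default. TCP 135 must stay open: the client still
# asks the endpoint mapper first and is then directed to 24158.
winmgmt -standalonehost
Restart-Service winmgmt -Force
New-NetFirewallRule -DisplayName 'PAM Connector WMI fixed port' -Direction Inbound `
    -Protocol TCP -LocalPort 24158 -RemoteAddress $PamAddress -Action Allow

# Confirm the fixed endpoint is listening and owned by the WMI host process.
$winmgmtPid = (Get-CimInstance Win32_Service -Filter "Name='winmgmt'").ProcessId
Get-NetTCPConnection -State Listen -LocalPort 24158 |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'OwnedByWinmgmt'; Expression = { $_.OwningProcess -eq $winmgmtPid } }

# To revert alternative B:  winmgmt -sharedhost ; Restart-Service winmgmt -Force
```

Alternative A changes behaviour for every RPC-based service on the server and alternative B changes how the WMI service is hosted, so test either one on a non-production target before rolling it out, and keep the firewall rules scoped to the PAM address in both cases.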