We are trying to discover local accounts on target Windows 2012 or Windows 2016 servers via CA PAM (CA Privileged Access Manager). We use the Windows Remote Target Connector in the Target Application setup. The account being used belongs to the local Administrators group of the target Windows server. Password verification or password update works normally, but account discovery always yields 0 accounts. This issue affects service and task discovery too.
Environment
PAM version 3.1.x or later
Windows 2012, Windows 2016 servers
Cause
The Windows Remote Target Connector uses the SMB (Server Message Block) and WMI (Windows Management Instrumentation) protocols to accomplish the discovery task. The Windows Remote Connector requires these ports to be open in the firewall:
SMB: port 445
WMI: port 135 and the port range from 49152 to 65535 (or 1024 through 4999 for Windows 2000/Windows 2003)
If you can verify the password but discovery fails, the cause is the WMI ports: specifically, the port range from 49152 to 65535 is blocked by the firewall. To confirm this, run Wireshark on the target Windows server and reproduce the problem. In the filter field at the top, set the following filter:
tcp.dstport >= 49152 && ip.dst == <target Windows Server's IP>
Note: replace <target Windows Server's IP> with the actual IP address of the target Windows server.
If no packets appear in Wireshark after applying the above filter, the firewall has blocked the port range.
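The Wireshark check above, as an added example that is not part of the original article or of CA PAM: a Python triage of a capture exported with tshark -T fields -e ip.src -e ip.dst -e tcp.dstport. It goes slightly beyond the article's filter by also counting ports 445 and 135 and by matching on the PAM server's source address. The function name, the IP addresses and the sample rows are constructed for illustration.

```python
"""Triage a tshark field export for the WMI discovery symptom (added example)."""

DYNAMIC_RPC = range(49152, 65536)  # default WMI/RPC range named in the article
SMB_PORT, RPC_EPM_PORT = 445, 135

# Constructed sample rows: ip.src <TAB> ip.dst <TAB> tcp.dstport
SAMPLE = [
    "192.0.2.10\t192.0.2.20\t445",    # PAM -> target, SMB
    "192.0.2.10\t192.0.2.20\t135",    # PAM -> target, RPC endpoint mapper
    "192.0.2.99\t192.0.2.20\t50123",  # reply to the target's own outbound session
    "\t\t",                           # non-TCP frame: tshark leaves fields empty
]


def triage(rows, target_ip, pam_ip):
    """Count PAM-to-target packets per port class and return (counts, verdict).

    pam_ip is an assumption added here: restricting by source keeps replies to
    the target's own outbound connections (which also land on high ports) from
    being mistaken for WMI traffic.
    """
    seen = {"smb": 0, "epm": 0, "dynamic": 0}
    for line in rows:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip frames without a single TCP destination port
        src, dst, port = parts[0], parts[1], int(parts[2])
        if src != pam_ip or dst != target_ip:
            continue
        if port == SMB_PORT:
            seen["smb"] += 1
        elif port == RPC_EPM_PORT:
            seen["epm"] += 1
        elif port in DYNAMIC_RPC:
            seen["dynamic"] += 1
    if seen["dynamic"]:
        verdict = "dynamic range reaches the target"
    elif seen["smb"] or seen["epm"]:
        verdict = "no packets to 49152-65535: consistent with a blocked range"
    else:
        verdict = "no PAM traffic captured: check the capture point and addresses"
    return seen, verdict


if __name__ == "__main__":
    print(triage(SAMPLE, target_ip="192.0.2.20", pam_ip="192.0.2.10"))
```

Run the capture while reproducing the discovery job, so that an empty dynamic-range count reflects the firewall and not an idle connector.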
Resolution
Configure the firewall to open the required WMI port range.
Additional Information
You may configure a limited range or even a static port instead of the default 49152 to 65535 port range. However, this is a Windows configuration, and you should consult Microsoft for a suitable setting in your environment. Please refer to the following article available on the Microsoft website.