Trouble Shooting Tips for LDAP+RSA authentication implementation in CA PAM


Article ID: 10600


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA), CA Privileged Access Manager (PAM)


We are failing to authenticate to the CA PAM Client using LDAP+RSA method.

In the PAM session logs we see error codes 18074 and 18002.

What needs to be checked to reveal the root cause of this issue?


Component: CAPAMX


1. Reconfigure CA PAM to LDAP-only authentication and confirm that users can successfully authenticate via LDAP only.

2. In Config / 3rd Party / RSA make sure that sdopts.rec has been loaded.

    (Contrary to what the text in the User Interface implies, this is a mandatory step in PAM 3.x. If needed, an empty file with this name, containing only a single # character, can be used.)

3. Clear the Node Secret after uploading the sdconf.rec and sdopts.rec. Then, preferably, reboot the PAM appliance so that PAM can initiate the communication with the RSA Server.

4. When configuring PAM as an Authentication Agent on the RSA server, use the short hostname of the PAM server as the hostname of the authentication agent.
    PAM will send the short hostname configured in the PAM network configuration to the RSA server.

In the following example (which is the most common setup), PAM's RSA Client will contact the RSA server using the <hostname> hostname.

If you have configured an FQHN as the hostname, PAM's RSA Client will contact the RSA server using the "" hostname.

This hostname MUST match the Trusted Agent's hostname registered at the RSA Server.

If the hostname does not match the Trusted Agent hostname registered at the RSA Server, the PAM aceclnt.log will report the following error.

119-08-11 00:00:01 1234567890.12345-1234567890 [E] error AgentConfigHandler.cpp 140 Agent not found on AM. Check the Agent name in Config file

Update the RSA Server Trusted Agent Name to match the PAM hostname, then issue a new sdconf.rec file and import it into the PAM Server.

You must DELETE the "Node Secret" before testing.

The 1st login attempt will fail; that is when the new sdconf.rec gets deployed.

The 2nd and subsequent logins will succeed.

5. Confirm that TCP port 5500 is open from PAM to the RSA server (check with PAM / Config / Tools / Port Scan).
    Confirm with your RSA Administrator that this port has not been changed from the default.

6. Try deleting the LDAP group once more and redo the import.
    Try setting the Authentication Method to RSA only this time. 

7. Confirm that the user is defined in the RSA Server with the same sAMAccountName.

8. Also make sure that time is in sync between the RSA Server, PAM Server, PAM Client and the RSA Token devices.
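
The agent-name check from step 4, as an added example that is not part of the original article or of the product: a Python script that scans an exported aceclnt.log for the "Agent not found on AM" error and compares the agent name registered on the RSA server with PAM's short hostname. The log field layout is inferred from the single line quoted above, and `pam01` / `pam01.example.com` are hypothetical names.

```python
import re

# Field layout inferred from the one aceclnt.log line quoted in this article
# (an assumption): date time id [level] kind source-file line-number message
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) (?P<id>\S+) \[(?P<level>[A-Z])\] "
    r"(?P<kind>\S+) (?P<src>\S+) (?P<lineno>\d+) (?P<msg>.+)$")
AGENT_NOT_FOUND = "Agent not found on AM"  # message text taken from the article

def parse_log(text):
    """Return (events, skipped): parsed dicts and lines that did not match."""
    events, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            skipped.append(line)  # keep unparsed lines visible, do not drop them
    return events, skipped

def agent_name_status(pam_hostname, rsa_agent_name):
    """Compare the RSA agent name with the short hostname configured in PAM."""
    if "." in pam_hostname:
        return "pam-hostname-is-fqhn"  # covered separately in step 4; not evaluated
    if rsa_agent_name == pam_hostname:
        return "match"
    if rsa_agent_name.lower() == pam_hostname.lower():
        return "case-differs"  # reported on its own: case handling is not stated
    if rsa_agent_name.split(".", 1)[0].lower() == pam_hostname.lower():
        return "agent-registered-as-fqdn"  # step 4 asks for the short hostname
    return "mismatch"

def triage(text, pam_hostname, rsa_agent_name):
    events, skipped = parse_log(text)
    hits = [e for e in events if e["level"] == "E" and AGENT_NOT_FOUND in e["msg"]]
    return {"agent_not_found": hits, "skipped": skipped,
            "agent_name": agent_name_status(pam_hostname, rsa_agent_name)}

# Sample input: the first line is the one quoted above; the other two are constructed.
SAMPLE_LOG = """\
119-08-11 00:00:01 1234567890.12345-1234567890 [E] error AgentConfigHandler.cpp 140 Agent not found on AM. Check the Agent name in Config file
119-08-11 00:00:02 1234567890.12345-1234567890 [I] info Constructed.cpp 10 constructed informational line
this constructed line does not follow the layout
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "pam01", "pam01.example.com")  # hypothetical names
    for e in result["agent_not_found"]:
        print(f'{e["date"]} {e["time"]} {e["src"]}:{e["lineno"]} {e["msg"]}')
    print("agent name check:", result["agent_name"])
```

Any status other than `match`, together with a hit in `agent_not_found`, points back to the fix described in step 4.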
