We have a PAM cluster, and each cluster node is accessed via an external load balancer device.
We observe that CA PAM deactivates a user account in its local user database when that user tries to access any PAM appliance in the cluster via the virtual URL or virtual IP of the load balancer.
PAM Session Logs indicate:
18.07.2018 10:16 CN=xxx,OU=...,DC=local alert -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated. 0 -- 0
18.07.2018 10:15 CN=xxx,OU=...,DC=local alert -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated. 0 -- 0
18.07.2018 10:20 CN=xxx,OU=...,DC=local login -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-0903: This account is deactivated. See your CA PAM Administrator. 0 -- 0
What is the reason for this, and how can the issue be prevented?
Privileged Access Manager, all versions
This issue may not occur when the user connects directly to the real IP/hostname of a PAM appliance instead of the cluster VIP or cluster URL.
Please confirm that the subject of PAM's system certificate is configured to match the URL of the VIP.
Make sure the Common Name and Alternate Subject Names fields reflect all the URLs used to access this PAM instance, including the VIP name.
Note that there must be no line break / carriage return at the end of the list of Alternate Subject Names; a trailing line break becomes part of the last name and that name will no longer match.
Please see this document on how to configure and set the system certificate accordingly.
Moreover, please confirm that the load balancer does not terminate SSL but instead tunnels SSL all the way through to PAM, so that the client sees PAM's own certificate rather than one issued by the load balancer.
For a NetScaler load balancer this is done by configuring SSL bridging; see e.g. https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-bridging.html.
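To verify both points above (the certificate covers the VIP name with no stray line break in the Alternate Subject Names, and the load balancer is bridging rather than terminating SSL), the following added check script can be run from an administrator's workstation. It is example code written for this article, not part of CA PAM; the certificate dictionary and the host names are constructed placeholders, and `fetch_fingerprint` is the only part that touches the network.

```python
import hashlib
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# all names are placeholders, not real PAM hosts.
SAMPLE_VIP_CERT = {
    "subject": ((("commonName", "pam.example.test"),),),
    "subjectAltName": (("DNS", "pam.example.test"),
                       ("DNS", "pam-node1.example.test"),
                       ("DNS", "pam-node2.example.test")),
}

def san_names(cert):
    """Return the DNS names from subjectAltName plus the subject commonName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def cert_findings(cert, vip_hostname):
    """Problems to fix before pointing users at the VIP (empty list = OK)."""
    findings = []
    names = san_names(cert)
    # A trailing line break in the Alternate Subject Names list shows up here
    # as whitespace glued to the last name, so flag it explicitly.
    dirty = [n for n in names if n != n.strip()]
    if dirty:
        findings.append("SAN entry contains stray whitespace/line break: %r" % dirty)
    if not any(name_matches(n.strip(), vip_hostname) for n in names):
        findings.append("certificate does not cover VIP name %s" % vip_hostname)
    return findings

def termination_findings(vip_fingerprint, node_fingerprint):
    """Different certificates on VIP and node mean the LB terminates TLS."""
    if vip_fingerprint != node_fingerprint:
        return ["VIP presents a different certificate than the node: "
                "load balancer is terminating SSL instead of bridging it"]
    return []

def fetch_fingerprint(host, port=443):
    """Live helper: SHA-256 of the DER certificate presented by host:port."""
    pem = ssl.get_server_certificate((host, port), timeout=5)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
```

Compare `fetch_fingerprint("<vip-name>")` with `fetch_fingerprint("<node-name>")` through `termination_findings`; a mismatch is the SSL-termination case described above.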
Check whether Cross Site Scripting Checks are disabled on all PAM nodes, as per the documentation link below.
Try the "JuniperProxyMode" feature:
(JuniperProxyMode is a special flag that can be specified when accessing the PAM login screen so that the PAM server sends its certificate along with the data to the applet.
The applet then uses this certificate and ignores the certificate from the HTTPS connection.)