PAM disables User Accounts while logon via Load Balancer
Article ID: 107680
Products: CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)
We have a PAM Cluster and each cluster node is to be accessed via an external load balancer device. It is observed that CA PAM disables User Accounts from its user database while this user tries to access any of the PAM appliances in the cluster via the virtual URL or virtual IP of the load balancer.
PAM Session Logs indicate:
...
18.07.2018 10:16 CN=xxx,OU=...,DC=local alert -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated. 0 -- 0
18.07.2018 10:15 CN=xxx,OU=...,DC=local alert -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated. 0 -- 0
...
18.07.2018 10:20 CN=xxx,OU=...,DC=local login -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-0903: This account is deactivated. See your CA PAM Administrator. 0 -- 0
...
What is the reason for this and how to prevent this issue?
Release: Component: CAPAMX
This issue might not occur when the user connects directly to the real IP/hostname of a PAM appliance instead of the cluster VIP or cluster URL.
Please confirm that PAM's system certificate subject is configured to match the URL of the VIP. Make sure the Common Name and Alternate Subject Names fields reflect all the URLs used to access this PAM instance. Note that there must be no line break / carriage return at the end of the list of Alternate Subject Names.
In CA PAM r3.1.3 and newer, use the "JuniperProxyMode" feature. JuniperProxyMode is a special flag that can be specified when accessing the PAM login screen so that the PAM server sends its certificate along with the data to the applet; the applet then uses this certificate and ignores the certificate from the HTTPS connection.
Configure the PAM Client to "Use System Proxy Settings" and "Ignore Proxy Certificate" in the Configuration Settings / Proxy tab.
If you use a web browser, add XSUITE_VPN_LOGIN=1 to the PAM URL.
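The certificate check described in the resolution, as an added example (not CA PAM's own tooling): it fetches the certificate actually presented at a given hostname (node or VIP) and reports which access URLs the Common Name / Alternate Subject Names fail to cover, including SAN entries that carry a stray trailing line break. The hostnames, the cafile argument and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
from typing import Iterable


def cert_names(cert: dict) -> list:
    """DNS names a cert covers, from the dict that SSLSocket.getpeercert() returns."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or one leading wildcard label (*.example.local)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def check_coverage(cert: dict, hostnames: Iterable[str]) -> dict:
    """Report access hostnames the cert does not cover, plus names with stray whitespace
    (a trailing CR/LF left in the Alternate Subject Names field yields a name that never matches)."""
    names = cert_names(cert)
    return {
        "missing": [h for h in hostnames if not any(name_matches(n, h) for n in names)],
        "malformed": [n for n in names if n != n.strip()],
    }


def fetch_cert(host: str, cafile: str, port: int = 443) -> dict:
    """Fetch the certificate presented at host:port (a node or the VIP).
    cafile (assumed): PEM trusted to issue it, e.g. the appliance's exported cert or its CA.
    Hostname checking is off on purpose: a name mismatch is what we want to inspect."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: names node1 only, and the node2 SAN entry kept a trailing newline.
SAMPLE_CERT = {
    "subject": ((("commonName", "pam-node1.example.local"),),),
    "subjectAltName": (("DNS", "pam-node1.example.local"), ("DNS", "pam-node2.example.local\n")),
}
ACCESS_URLS = ["pam-node1.example.local", "pam-node2.example.local", "pam-vip.example.local"]

if __name__ == "__main__":
    print(check_coverage(SAMPLE_CERT, ACCESS_URLS))
```

Run it against a live node with `check_coverage(fetch_cert("pam-vip.example.local", "pam-ca.pem"), ACCESS_URLS)`; an empty "missing" list means every access URL is covered.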