PAM Proxy account update fails with PAM-CM-3468: Error updating account credentials
search cancel

PAM Proxy account update fails with PAM-CM-3468: Error updating account credentials

book

Article ID: 113265

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

When updating an account password using the proxy windows service, an error message is displayed : "PAM-CM-3468: Error updating account credentials".
And  “5-ERROR_ACCESS_DENIED” is shown in the Proxy logs.


Ensure if you have the following behavior and settings:

  1. Installation and registration of proxy is successful and not affected. 
  2. PAM Proxy agent is running as 'Local System' or local account.
  3. No communication between PAM and proxy are affected we can see it can communicate. 
  4. Local user password rotation is failing with 5-Error-Access-Denied in windows. 
    1. Login to the Windows Server where the Proxy agent is installed and set the log level to FINE in the "C:\cspm_agent\cloakware\cspmclient\config\cspm_client_config" config file.
    2. Update the account password from PAM.
    3. Check the Proxy Agent logs (By default the logs are stored in C:\cspm_agent\cloakware\cspmclient\log)
  5. Password verification is successful, only password change fails(for all scenarios, force, user can change its own password, use another use to change password.) 
  6. Proxy is running in a different subnet than where PAM is running. 
  7. Server is not in the domain.
  8. If 'Address' field in target device section is changed to IP address, password change starts working with no error.

Environment

PAM 3.X, 4.X

Cause

There can be different reasons for this error message.
If the target server / device uses a FQDN as its address AND the version of the Proxy installed is different from version 4.5.3 (rev2) or 4.8.0 (rev2) then this is a known issue.

Any windows server which is in a workgroup and not assigned a FQDN can only work with proxy if proxy also has only it's hostname. So for any windows server to be a part of DNS server it is required that it has a FQDN but in case of a computer being in a workgroup usually the domain name is just concatenated to the hostname for DNS to be able to resolve it. DNS servers then are able to resolve the computer's hostname as well as FQDN to the correct IP address of the system, but this is where the proxy fails.

When a proxy gets registered it sends the IP address to PAM and PAM does a reverse lookup to find the FQDN, since DNS is configured with the FQDN PAM gets it and stores it in the DB. At this point if the device is already present no change is made to the values there but in case device is not present proxy registration triggers an automatic creation of the device with the FQDN. 

Now when we try to change the password the commands which proxy runs is with 'hostname\accountname' as prefix, here hostname is the value PAM holds in the 'Hostname' filed of the devices, and since the computer is in workgroup if the hostname provided in the command is FQDN it fails.

Resolution

  1. Go to Device > Manage Devices and edit the Device.
  2. Modify the Address Field and replace the FQDN address to an IP-address or (Hostname). Afterwards the account password update should work.