Configuring PAM to use Windows Proxy to manage Domain and Local accounts

Article ID: 131161

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

When the Windows Proxy is installed on a Windows server it may be used to manage that server's Local accounts. If it is installed on a Domain Controller it may also be used to manage accounts in the Domain, in sub-Domains, or local accounts on a Domain Member. This document demonstrates how to configure both domain accounts and local accounts.

Environment

PAM 3.2.4
Windows 2016 Domain Controller - marxbrothers.lab
  voged01-L22077.lvn.broadcom.net
Windows 2016 Domain Controller - na.marxbrothers.lab
  voged01-L23954.lvn.broadcom.net
Windows 2016 Domain Controller - eur.marxbrothers.lab
  voged01-L22939.lvn.broadcom.net
Windows 2012 R2 Domain Member 
  voged01-L23953.lvn.broadcom.net

The following users are in Active Directory:
[email protected] CN=Julius Marx,CN=Users,DC=marxbrothers,DC=lab
[email protected] CN=Leonard Marx,CN=Users,DC=marxbrothers,DC=lab
[email protected] CN=Arthur Marx,CN=Users,DC=na,DC=marxbrothers,DC=lab
[email protected] CN=Milton Marx,CN=Users,DC=na,DC=marxbrothers,DC=lab
[email protected] CN=Herbert Marx,CN=Users,DC=na,DC=marxbrothers,DC=lab
[email protected] CN=Herbert Marx,CN=Users,DC=eur,DC=marxbrothers,DC=lab

The following local users are on voged01-L23953:
voged01
voged02

The 3.2 Windows Proxy was installed on the primary Domain Controller, voged01-L22077.

Resolution

After installing the 3.2 Windows Proxy on the primary Domain Controller, the PAM Proxy service's Log On credentials were changed to a domain user and the service was started. In this case [email protected] was used, after confirming that the user was a member of the Domain Admins group.
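The same two actions (check the account is a Domain Admin, then point the proxy service at it) can be scripted. The following is an added example and is not part of the original article or of the PAM product; it is run in an elevated PowerShell session on the Domain Controller hosting the proxy. It assumes the proxy's service display name contains "PAM" and "Proxy" (the article does not name the service), that the logon account is MARXBROTHERS\julius (the article's UPN is redacted), and that the password is entered interactively.

```powershell
# Added example, not from the Broadcom KB article: set the PAM Windows Proxy
# service to log on as a domain account and confirm that account is a Domain
# Admin before restarting the service.
# Assumptions (not stated in the article): the service display name contains
# "PAM" and "Proxy"; the logon account is MARXBROTHERS\julius; the password is
# entered interactively.
$ServiceFilter = "DisplayName LIKE '%PAM%Proxy%'"   # assumption: adjust to your install
$LogonUser     = 'MARXBROTHERS\julius'              # assumption
$DomainDns     = 'marxbrothers.lab'

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Confirm membership in Domain Admins by well-known RID (512) rather than by
#    display name, so a renamed or look-alike group does not fool the check.
$sam       = ($LogonUser -split '\\', 2)[1]
$domainSid = (Get-ADDomain -Server $DomainDns).DomainSID.Value
$daGroup   = Get-ADGroup -Identity "$domainSid-512" -Server $DomainDns
$isMember  = Get-ADGroupMember -Identity $daGroup -Recursive -Server $DomainDns |
             Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $sam }
if (-not $isMember) { throw "$LogonUser is not in $($daGroup.Name); stopping." }

# 2. Locate exactly one proxy service. A wildcard that matched several services
#    would otherwise reconfigure the wrong one silently.
$svc = @(Get-CimInstance Win32_Service -Filter $ServiceFilter)
if ($svc.Count -ne 1) { throw "Expected one service matching $ServiceFilter, found $($svc.Count)." }
$svc = $svc[0]

# 3. Change the logon account. Unlike the Services MMC, Win32_Service.Change does
#    not grant 'Log on as a service' (SeServiceLogonRight); if the account lacks
#    it, the restart below fails with logon failure 1069 and the right must be
#    granted via Local Security Policy or secedit first.
$secure = Read-Host -Prompt "Password for $LogonUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$rc = (Invoke-CimMethod -InputObject $svc -MethodName Change `
          -Arguments @{ StartName = $LogonUser; StartPassword = $plain }).ReturnValue
$plain = $null
if ($rc -ne 0) { throw "Win32_Service.Change returned $rc (0 = success)." }

# 4. Restart and show the effective logon account and state.
Restart-Service -Name $svc.Name -ErrorAction Stop
Get-CimInstance Win32_Service -Filter "Name = '$($svc.Name)'" |
    Select-Object Name, StartName, State, StartMode
```

The final Select-Object should show StartName equal to the domain account and State equal to Running. Because this account is a Domain Admin whose credential is stored by the Service Control Manager on the DC, it is itself a high-value target and should be one of the accounts PAM manages and rotates.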


With the proxy running under the domain credentials, PAM can be configured to manage a domain account. First enable the Windows Proxy:

Next configure the devices for the domain:

Next create a target application using the Windows Proxy application type.

Configure a Target Account using the Target Application just configured.

If no problems are encountered, the account will show as in sync. If it does not, reproduce the problem after setting Tomcat Log Level = Info on the Config --> Diagnostics page, then search the Tomcat log for messages related to the failure.

Management of Local Accounts on a domain member is similar. It requires creating another Windows Proxy Target Application, this one specifying Local Account for the Account Type.

It is also necessary to add the PAM Proxy service's Log On user to the Administrators group of the Domain member whose local users are to be managed. This is done on the Domain member using Computer Management.

Once the Proxy Log On user is a member of the Administrators group on the Domain member, Local Accounts on that server can be added to PAM and put in sync.
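The Computer Management step above can also be done from PowerShell and verified through a second path. The following is an added example, not part of the original article or of the PAM product. It uses the ADSI WinNT provider rather than Add-LocalGroupMember because the member in this environment is Windows 2012 R2, where the LocalAccounts module is not available without WMF 5.1. It assumes the proxy's logon account is MARXBROTHERS\julius (the article's UPN is redacted), that MARXBROTHERS is the NetBIOS domain name, and that WinRM is enabled on voged01-L23953 and the caller is already a local administrator there.

```powershell
# Added example, not from the Broadcom KB article: add the proxy's logon account
# to the local Administrators group on a domain member, idempotently, and verify
# the result through Win32_GroupUser instead of trusting the Add call.
# Assumptions: logon account MARXBROTHERS\julius (article redacts the UPN);
# NetBIOS domain MARXBROTHERS; WinRM reachable on the member.
$MemberServer = 'voged01-L23953'
$ProxyUser    = 'MARXBROTHERS\julius'   # assumption

$work = {
    param($user)
    $domain, $sam = $user -split '\\', 2

    # WinNT://. is the local machine; this works on 2012 R2 without WMF 5.1.
    $group = [ADSI]'WinNT://./Administrators,group'

    # Enumerate current members as DOMAIN\name so a re-run does not throw
    # "already a member".
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
    if ($members -contains "$domain\$sam") {
        "Already a member: $user"
    } else {
        $group.Add("WinNT://$domain/$sam,user")
        "Added: $user"
    }

    # Verify via a different API. Win32_GroupUser lists local group membership
    # with PartComponent carrying the member's Domain and Name.
    $check = Get-CimInstance Win32_GroupUser |
        Where-Object { $_.GroupComponent.Name -eq 'Administrators' -and
                       $_.PartComponent.Domain -eq $domain -and
                       $_.PartComponent.Name   -eq $sam }
    if (-not $check) { throw "Verification failed: $user not found in Administrators on $env:COMPUTERNAME" }
    "Verified: $user is in Administrators on $env:COMPUTERNAME"
}

# Execute on the member. Requires WinRM and an account that is already a local
# administrator there (the domain account running this shell, for example).
Invoke-Command -ComputerName $MemberServer -ScriptBlock $work -ArgumentList $ProxyUser
```

After the "Verified" line appears, the Local Account Target Application in PAM should be able to verify and update the local users voged01 and voged02 on that member. Running the block a second time reports "Already a member" and re-verifies without error.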
