We created a policy to allow a group of users to access a Web Portal service. When a user in the group logs on to PAM and launches the Web Portal service, it launches a browser, but never connects to the web service. If auto-logon is configured, the launched browser will show "Please wait, logging in..." for a while. Eventually there will be a "Login failed" message with the text "Auto login timeout expired, possibly due to wrong credentials. Please contact your administrator." In the session logs we find PAM-CMN-1043 messages suggesting that PAM denied the web portal connection because the target host/IP does not match an entry in the web portal's access list. However, if we define an access policy for an individual user in the user group, the Web Portal works just fine.
Release: 3.2
Component: PRIVILEGED ACCESS MANAGEMENT
This could be observed on any currently supported PAM release.
Web Portal services have an Access List configuration, see e.g. documentation page https://docops.ca.com/ca-privileged-access-manager/3-2-5/en/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/create-tcp-udp-services-to-access-a-device/configure-a-service-to-access-a-web-portal
This access list is only evaluated when access to the web service is implicit, i.e. granted through a policy between a user group and a target device or device group. In that case, access is denied if the target device is not covered by the access list defined in the Web Portal service.
For individual user policies, the access list is not needed, because the PAM administrator has explicitly granted that specific user access.
This is an expected error if the Web Portal tries to connect to a host that is not allowed by the access list in the Web Portal service definition.
Edit the TCP/UDP Web Portal service and add entries to the access list as needed. The wildcard character (*) can be used. If only this character is present, access to any target web service is allowed.
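The following is an added illustration of the decision described above, not CA PAM's own code: a group (implicit) policy is checked against the Web Portal access list, an individual user (explicit) policy is not, and a lone "*" entry permits any target. The glob-style matching of partial wildcards (via Python's fnmatch) and the function names are assumptions made for the example; the article only states that "*" is supported.

```python
import fnmatch
from typing import Iterable, Tuple

# Constructed example. Assumption: an access-list entry is compared with the
# target host/IP as a case-insensitive glob; a lone "*" matches every target.
def host_allowed(target: str, access_list: Iterable[str]) -> bool:
    """Return True if the target host/IP matches at least one access-list entry."""
    target = target.strip().lower()
    for entry in access_list:
        pattern = entry.strip().lower()
        if not pattern:
            continue  # ignore blank lines in the list
        if pattern == "*" or fnmatch.fnmatchcase(target, pattern):
            return True
    return False

def web_portal_access_decision(policy_scope: str, target: str,
                               access_list: Iterable[str]) -> Tuple[bool, str]:
    """Model the behaviour the article describes.

    policy_scope: "user"  -> individual user policy (explicit grant, list not evaluated)
                  "group" -> user group / device group policy (implicit, list evaluated)
    Returns (allowed, reason).
    """
    if policy_scope == "user":
        return True, "explicit user policy: access list not evaluated"
    if policy_scope == "group":
        if host_allowed(target, access_list):
            return True, f"{target} matches the Web Portal access list"
        # The session log symptom from the article for this case.
        return False, f"PAM-CMN-1043: {target} not in the Web Portal access list"
    raise ValueError(f"unknown policy scope: {policy_scope}")

if __name__ == "__main__":
    # Constructed sample: the portal host is missing from the list, so the
    # group policy is denied while the user policy still works.
    acl = ["portal.example.com"]  # hypothetical entry
    print(web_portal_access_decision("group", "intranet.example.com", acl))
    print(web_portal_access_decision("user", "intranet.example.com", acl))
    print(web_portal_access_decision("group", "intranet.example.com", ["*"]))
```

Running the block reproduces the article's symptom (group policy denied, user policy allowed) and shows that adding "*" or a matching entry to the access list resolves it.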