How to get a list of target accounts whose password is not verified and update their passwords


Article ID: 141361


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

PAM target accounts are getting locked out in Active Directory, and their passwords go out of sync with PAM (the account shows as "Not Verified").


Cause

Is there an easy way to get a list of those "Not Verified" accounts and have their passwords updated?

Environment

Release : 3.2

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

If you have a password policy in both PAM and Active Directory, make sure the PAM policy is the more restrictive of the two (in particular, a shorter maximum password age), so that PAM always rotates the password before AD expires it. Once AD has expired or locked the account, PAM can no longer verify the stored password and the account shows as "Not Verified".

A PVP (Password View Policy) on its own does not guarantee periodic rotation. You also need a scheduled job that rotates the target account passwords every N days, with N smaller than the AD maximum password age, so the passwords never expire on the AD side.

In the following sample, an "AD Password Rotation" Target Group covers the AD user accounts, and the scheduled job runs against that group.


In addition, you can create a scheduled job that runs daily and selects accounts on the "Verification Failed" condition, so that any account that has fallen out of sync gets its password updated automatically.

For this to work, the password update must be performed by a separate AD administrative account (a dedicated account with permission to reset the passwords of the managed users), and the managed target accounts must not be configured as "User can change their own password". A locked-out or expired account cannot authenticate to AD, so it cannot change its own password; only an account with reset rights can recover it. Keep that admin account dedicated to this purpose and limit its rights to the OUs it needs to manage.


If you want a list of locked-out accounts, there is no specific report for just that, but the "Passwords Not Verified" report covers them (along with accounts that are not verified for other reasons, such as an expired or externally changed password).

To narrow the list down to accounts that are actually locked out, download the Tomcat log (catalina.out) from PAM (Configuration -> Diagnostics -> Diagnostic Logs -> Download -> Tomcat -> Download) and search it for the keyword "data 775". Note that catalina.out only covers the retention window of the log, so failures older than that will not appear.


Example in catalina.out log file:

INFO: Failed authentication to Active Directory using distinguished name 'CN=testuser1,OU=Test,DC=xyz,DC=com' for account 'testuser1' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v258


The "data" value in the AcceptSecurityContext error is a Windows error number in hexadecimal: 0x775 is 1909 in decimal.

If you run "net helpmsg 1909" on a Windows host, you get the message "The referenced account is currently locked out and may not be logged on to.", which confirms the account is locked out. Other values in the same position mean something different, for example data 52e (1326, bad password), data 532 (1330, password expired) and data 533 (1331, account disabled), so only lines with data 775 identify locked-out accounts.
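The following script is an added example, not part of the original article or of the PAM product. It automates the catalina.out search described above: it parses the "Failed authentication to Active Directory" lines, groups the affected accounts by their AcceptSecurityContext "data" code, converts the hexadecimal code to the decimal number you would pass to "net helpmsg", and returns the de-duplicated list of accounts that are locked out (data 775). The log lines embedded in it are constructed to match the format shown in the article, and the mapping of data codes to meanings covers the common AD sub-error codes rather than only 775.

```python
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the catalina.out line shown in the article; not real log data.
SAMPLE_CATALINA_OUT = """\
INFO: Failed authentication to Active Directory using distinguished name 'CN=testuser1,OU=Test,DC=xyz,DC=com' for account 'testuser1' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v258]'
INFO: Failed authentication to Active Directory using distinguished name 'CN=svc_backup,OU=Svc,DC=xyz,DC=com' for account 'svc_backup' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v258]'
INFO: Failed authentication to Active Directory using distinguished name 'CN=testuser1,OU=Test,DC=xyz,DC=com' for account 'testuser1' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v258]'
INFO: Scheduled job 'AD Password Rotation' started
INFO: Failed authentication to Active Directory using distinguished name 'CN=jdoe,OU=Users,DC=xyz,DC=com' for account 'jdoe' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v258]'
"""

# AcceptSecurityContext "data" sub-error codes as AD returns them (hex) and what they mean.
# The decimal value of each is the Win32 error number accepted by "net helpmsg".
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LOCKED_OUT_CODE = "775"

# Matches the PAM/Tomcat line format: account name, then the LDAP error with its data code.
_FAILURE_RE = re.compile(
    r"Failed authentication to Active Directory using distinguished name '(?P<dn>[^']+)' "
    r"for account '(?P<account>[^']+)' due to error '.*?AcceptSecurityContext error, "
    r"data (?P<data>[0-9a-fA-F]+),"
)


def data_code_to_win32(code: str) -> int:
    """Convert a hexadecimal AD data code (e.g. '775') to its decimal Win32 error number (1909)."""
    return int(code, 16)


def describe_data_code(code: str) -> str:
    """Human-readable meaning plus the number to pass to 'net helpmsg'."""
    meaning = AD_DATA_CODES.get(code.lower(), "unknown data code")
    return f"{meaning} (net helpmsg {data_code_to_win32(code)})"


def parse_ad_auth_failures(log_text: str) -> list[dict]:
    """Return one record per AD authentication failure line: account, DN and data code."""
    failures = []
    for line in log_text.splitlines():
        m = _FAILURE_RE.search(line)
        if m:
            failures.append({"account": m["account"], "dn": m["dn"], "data": m["data"].lower()})
    return failures


def summarize(log_text: str) -> dict[str, set[str]]:
    """Group distinct account names by data code, so each failure reason is listed once per account."""
    by_code: dict[str, set[str]] = defaultdict(set)
    for rec in parse_ad_auth_failures(log_text):
        by_code[rec["data"]].add(rec["account"])
    return dict(by_code)


def locked_out_accounts(log_text: str) -> list[str]:
    """De-duplicated, sorted list of accounts whose failure was 'data 775' (locked out)."""
    return sorted(summarize(log_text).get(LOCKED_OUT_CODE, set()))


if __name__ == "__main__":
    # Usage: python locked_accounts.py catalina.out   (falls back to the embedded sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CATALINA_OUT
    for code, accounts in sorted(summarize(text).items()):
        print(f"data {code}: {describe_data_code(code)}")
        for account in sorted(accounts):
            print(f"    {account}")
    print("Locked out:", ", ".join(locked_out_accounts(text)) or "none")
```

Run it against the downloaded catalina.out to get the list of accounts to feed into a password update, and use the other data codes to separate accounts that merely need a password rotation (532, 773) from those that need an unlock or re-enable in AD first (775, 533).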
