Error when logging from PAM: The logon attempt failed

Article ID: 143272

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When trying to connect to a stand-alone Windows 2012 R2 server on which RDP has been enabled, the following message is obtained:

"The logon attempt failed. 
The credentials that were used to connect to server did not work."

However, the remote device was set up according to the documentation, as was a target account with its password, and it has been verified that this target account can log in to the remote system with that password outside PAM.

The target account has been assigned via a policy to the CA PAM user attempting the access, and connectivity to the remote RDP server is fine.

Under these conditions autologin to the remote server should be possible, since the username and password retrieved from the credentials database should be injected into the RDP session, but the message above is consistently obtained and the user connected to PAM cannot log in.


Cause

To retrieve the username and password from the credentials database, the CA PAM user to whom the policy has been assigned must hold the right to View Account Passwords in the Credential Management database, either directly or through membership of a group that has been granted that right.

Retrieving the password at login time for autologin is formally equivalent to viewing it, so if the user under consideration lacks this Credential Management right, the password retrieval fails and the error message shown above is displayed.

The retrieval attempt also produces a message in the Tomcat log stating that the viewPassword action cannot be completed due to insufficient rights.

Environment

CA PAM all versions

Resolution

Make sure that the user attempting the access has the viewAccountPassword right in Credential Management assigned, either directly or through a Credential Management group of which they are a member.