PAM and Protected Users Group from Windows

Article Id: 17076

Status: Published

Updated On: 27-06-2019 21:48

Legacy Id: TEC1647395

Products:

CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)

Issue/Introduction:

Can we use the Protected Users Group from Windows along with CA PAM?

Environment:

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution:

CA PAM is NOT compatible with the restrictions imposed on user accounts from the Protected Users group in Win2012 R2

Note, by default the Protected Users group in Win2012 R2 does not contain any users.

We tested RADIUS or LDAP authentication of the PAM Client against the DC using such user which is failing once the user is member of this group.

Also Password Change in Password Manager of such use account r is basically not working

Ditto refreshing or importing of an LDAP group is failing while the bind user is member of the Protected Users group.

Moreover RDP session initiation using the PAM Clients RDP applet fails while Terminal Server on the DC requires NLA (Kerberos / CredSSP) authentication with a user account from the Protected Users group.

Additional Information:

See https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx for further details of these restrictions.