PAM and Protected Users Group from Windows

Article ID: 17076

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction



Can we use the Protected Users Group from Windows along with CA PAM?

Environment

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution

CA PAM is NOT compatible with the restrictions imposed on user accounts from the Protected Users group in Win2012 R2.

Note that by default the Protected Users group in Win2012 R2 does not contain any users.

We tested RADIUS or LDAP authentication of the PAM Client against the DC with such a user; authentication fails once the user is a member of this group.

Password change in Password Manager for such a user account is also basically not working.

Likewise, refreshing or importing an LDAP group fails while the bind user is a member of the Protected Users group.

Moreover, RDP session initiation using the PAM Client's RDP applet fails when the Terminal Server on the DC requires NLA (Kerberos / CredSSP) authentication and the user account is from the Protected Users group.
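
To find out whether any account PAM depends on is affected, the following added example (not part of the original article or of the product) reports which accounts from a list are members of Protected Users. The account names and roles are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.

```powershell
# Added example: check PAM-related accounts against the Protected Users group.
Import-Module ActiveDirectory

# Hypothetical accounts: replace with the accounts PAM really uses
# (LDAP bind user, users logging in via RADIUS/LDAP, managed target accounts,
# accounts used for RDP sessions with NLA).
$pamAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-pam-ldapbind'; Role = 'LDAP bind user' }
    [pscustomobject]@{ SamAccountName = 'pam-operator01';   Role = 'PAM Client login (RADIUS/LDAP)' }
    [pscustomobject]@{ SamAccountName = 'adm-dc-rdp';       Role = 'RDP target account (NLA)' }
    [pscustomobject]@{ SamAccountName = 'svc-managed-app';  Role = 'Password Manager target account' }
)

# Protected Users has the well-known RID 525, so resolve it by SID
# instead of by name (the display name can differ on localized domains).
$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = Get-ADGroup -Identity "$domainSid-525"

# -Recursive also returns members reached through nested groups.
# @() keeps the result an array even when the group is empty (the default state).
$members = @(Get-ADGroupMember -Identity $protectedUsers -Recursive |
             Select-Object -ExpandProperty SamAccountName)

$report = foreach ($acct in $pamAccounts) {
    [pscustomobject]@{
        SamAccountName   = $acct.SamAccountName
        Role             = $acct.Role
        InProtectedUsers = $members -contains $acct.SamAccountName
    }
}

$report | Format-Table -AutoSize

# Flag every account for which the PAM functions listed above are expected to fail.
$affected = @($report | Where-Object { $_.InProtectedUsers })
if ($affected.Count -gt 0) {
    Write-Warning ("{0} PAM-related account(s) are in '{1}': {2}" -f `
        $affected.Count, $protectedUsers.Name, ($affected.SamAccountName -join ', '))
} else {
    Write-Output "No listed PAM-related account is a member of '$($protectedUsers.Name)'."
}
```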

Additional Information

See https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx for further details of these restrictions.