Local Windows account management via a Windows Proxy fails with a 1792-Invalid_operation error
Article ID: 186325
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
We are not able to manage local Windows target accounts on domain servers using a Windows Proxy installed on another domain member. When we try to change the target account from unsynchronized to synchronized, we see the following error in the Windows Proxy log:
CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1792-Invalid_operation
Environment
This applies to any PAM environment using the Windows Proxy target connector.
Cause
Windows error 1792 is ERROR_NETLOGON_NOT_STARTED. The Windows event logs on the target server showed the following event at the time the account tried to log on from the Windows Proxy host:
Failure Information:
    Failure Reason: The NetLogon component is not active.
    Status: 0xC0000192
    Sub Status: 0x0
Resolution
To allow the PAM Windows Proxy installed on one host to manage local accounts on another host, the Netlogon service must be running on the target server, and the target server must allow remote logon of the managed accounts from the host where the Windows Proxy is installed.
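One way to confirm both the cause and the fix on the target server is the check below, an added example that is not part of the original article or of the PAM product. It assumes the event quoted above is the standard failed-logon event (ID 4625) in the Security log; `$ProxyHost` and its default value are placeholders for the Windows Proxy host name.

```powershell
# Added example: run in an elevated PowerShell session on the TARGET server.
# $ProxyHost is a placeholder (assumption) for the host running the Windows Proxy.
param(
    [string]$ProxyHost = 'PROXY-HOST-PLACEHOLDER',
    [int]$HoursBack = 24
)

# 1. Netlogon service state and start mode on this server.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'"
[pscustomobject]@{
    Service   = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
}
if ($svc.State -ne 'Running') {
    Write-Warning 'Netlogon is not running; error 1792 (ERROR_NETLOGON_NOT_STARTED) is expected.'
}

# 2. Failed logons (assumed event ID 4625) whose Status is 0xC0000192,
#    the status shown in the article's event excerpt.
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['Status'] -ieq '0xC0000192') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']
            FromProxy   = ($data['WorkstationName'] -ieq $ProxyHost)
        }
    }
}
```

After Netlogon is started, rerunning the script should show the service as Running and no new 0xC0000192 entries for the managed account.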