PAM-CM-0776: Unable to connect to client

Article ID: 190002

Products

CA Privileged Access Manager (PAM), CA Privileged Access Manager - Cloakware Password Authority (PA), CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Changes were made to the PAM cluster so that the Primary Site was swapped with the Secondary Site.
The following symptoms then started to appear for the AD target accounts.

1. Unable to update a target account to sync both ways.
2. Verifying a target account returns a communication failure error.
3. Adding a new target application returns PAM-CM-0769: Account update in progress, unable to process request.

Environment

Release : 3.x.x
Component : PRIVILEGED ACCESS MANAGEMENT

Cause

When you try to set the target account password to sync both ways, PAM tests against the target application to see whether the password can be verified.
This test is failing, so "Sync both ways" cannot be set.

The communication failure error indicates a network-side problem.

"PAM-CM-0769: Account update in progress, unable to process request." means there are already pending updates to this account, so subsequent changes need to wait.

The Tomcat catalina.out log file reports the following problem as the cause.

May 01, 2020 10:10:10 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'admin1'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1161)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(SourceFile:1016)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.a(SourceFile:698)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(SourceFile:661)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(SourceFile:1727)
 at com.cloakware.cspm.server.app.TargetManager.run(SourceFile:667)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
 at java.net.PlainSocketImpl.socketConnect(Native Method)
 at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
 at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
 at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
 at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
 at java.net.Socket.connect(Socket.java:589)
 at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
 at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
 at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
 at com.cloakware.cspm.server.security.SSLCertificateRetriever$a.createSocket(SourceFile:108)
 at com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate(SourceFile:75)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(SourceFile:1155)
 ... 5 more


Testing the AD's LDAPS port from PAM shows it as filtered (blocked).


The previous Primary Site PAM had this port open, so there was no problem.
After the Primary Site was swapped with the Secondary, the Secondary Site PAM nodes did not have this port open, hence the communication failure and the other symptoms.

Resolution

Work with the network team to open TCP 636 from PAM to AD.
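
To confirm the firewall change, the following added example (not part of the original article or the product) probes TCP 636 and reports the same open / closed / filtered distinction used above. It assumes it is run from a host whose traffic follows the same firewall path as the PAM node; the domain controller names are placeholders.

```python
import errno
import socket

LDAPS_PORT = 636  # port named in the article's resolution

def classify_connect_error(exc):
    """Map a connect() failure to the state a port scan would report."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"   # no reply at all: packets dropped, as in the article
    if isinstance(exc, ConnectionRefusedError):
        return "closed"     # host reachable, nothing listening on the port
    if isinstance(exc, OSError) and exc.errno in (
            errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"
    return "error"          # e.g. name resolution failure

def probe_tcp(host, port=LDAPS_PORT, timeout=3.0):
    """Attempt a full TCP connect and return open/closed/filtered/error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_connect_error(exc)

def check_domain_controllers(hosts, port=LDAPS_PORT, timeout=3.0):
    """Probe every domain controller; return (results, hosts_not_open)."""
    results = {h: probe_tcp(h, port, timeout) for h in hosts}
    return results, [h for h, s in results.items() if s != "open"]

if __name__ == "__main__":
    # Placeholder names (assumption): replace with the real domain controllers.
    dcs = ["dc1.example.test", "dc2.example.test"]
    results, failing = check_domain_controllers(dcs)
    for host, state in results.items():
        print(f"{host}:{LDAPS_PORT} {state}")
    raise SystemExit(1 if failing else 0)
```

A "filtered" result corresponds to the "Connection timed out" root cause in the catalina.out trace, while "closed" would point at the LDAPS service on the domain controller rather than the firewall.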