
Passwords are not reliably rotating for an account whose dual auth request expired


Article ID: 190297


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Administrative users must use dual authorization to check out their administrative user ID. 
The PVP is configured to change the password 12 hours later.  The scheduled job checks in the account, but it fails to rotate the password.

The Account Passwords Update Attempts report indicates that the password change for the account was successful, but it also shows the message PAM-CM-0769: Account update in progress, unable to process request.

The next time that account's password is checked out, the login fails. The workaround is for a Master Account to rotate the password. This allows the user to check in the account, which causes the password to be changed; the user can then check out the account again, and the login succeeds.

Why is the password change failing when the account's dual auth request expires?

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Set up different times to run the two jobs (check-in and dual-authorization expiration).

In the PVP policy, under Basic Info "Check-out/Check-In" and under Dual-Authorization, you can set the time of each job. If both are set to the same value, for example 720 minutes (12 hours), the check-in and the dual-authorization expiration are scheduled for the same time. What is mentioned in the documentation is correct, but with this configuration it is expected to see two jobs in the scheduled job reports: one marked as successful and one with the in-progress message (PAM-CM-0769: Account update in progress, unable to process request). Users don't need to worry about that message; it is just an informative message explaining why that job is marked as failed.
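
One way to check report rows for the two-job pattern described above is sketched below. This is an added example, not code from this article or from the product. The CSV layout, column names, status values and account names are assumptions, and the sample rows are constructed. It also goes one step beyond the article by flagging PAM-CM-0769 rows that have no matching success.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. The column names and layout are assumptions for
# illustration, not the actual export format of the PAM report.
SAMPLE_REPORT = """\
timestamp,account,status,message
2020-05-01T20:00:02,adm-alice,SUCCESS,Password updated
2020-05-01T20:00:02,adm-alice,FAILED,"PAM-CM-0769: Account update in progress, unable to process request."
2020-05-02T08:15:40,adm-bob,FAILED,"PAM-CM-0769: Account update in progress, unable to process request."
2020-05-02T09:00:00,adm-carol,SUCCESS,Password updated
"""

IN_PROGRESS_CODE = "PAM-CM-0769"


def triage(report_text, window_seconds=60):
    """Classify each PAM-CM-0769 row as 'paired' or 'unpaired'.

    paired   -> a successful update for the same account lies within the
                window, which is the expected two-job pattern.
    unpaired -> no nearby success; the rotation should be checked by hand.
    """
    rows = list(csv.DictReader(io.StringIO(report_text)))
    for row in rows:
        row["when"] = datetime.fromisoformat(row["timestamp"])
    window = timedelta(seconds=window_seconds)

    # Index successful update times per account.
    successes = {}
    for row in rows:
        if row["status"] == "SUCCESS":
            successes.setdefault(row["account"], []).append(row["when"])

    result = {"paired": [], "unpaired": []}
    for row in rows:
        if IN_PROGRESS_CODE not in row["message"]:
            continue
        nearby = any(abs(row["when"] - t) <= window
                     for t in successes.get(row["account"], []))
        result["paired" if nearby else "unpaired"].append(row["account"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Accounts listed under `unpaired` are the ones to verify manually, since no successful rotation accompanies the in-progress message.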