CA PRIVILEGED ACCESS MANAGEMENT, versions 3.X onwards
This error occurs whenever CA PAM is unable to contact the AD server, typically because the LDAP ports on the domain controller are filtered or closed. With the tomcat log level set to INFO, the log normally shows the DNS SRV query for the domain zone returning the Domain Controllers for the domain:
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://x.x.x.x, dns://x.x.x.x]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [x.x.x.x]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [x.x.x.x]
But afterwards the PAM-CMN-0776 message is displayed.
It is possible that these lines do not appear in the tomcat log at all. That is the case when the target application for AD is configured with the Domain Controller Lookup option "Do not use DNS (target server is domain controller)", because PAM then assumes that whatever IP address the target server name resolves to is itself a Domain Controller. With that setting CA PAM will not attempt to reach any other Domain Controller in the domain, even if there are several and the one it resolved is down, and this error results.

A typical way to end up in this situation is a target server whose name is the domain itself (for instance example.com), with the host IP defined for the server example.com also being the domain name, while example.com resolves to several DC servers. PAM will then keep using whichever address example.com resolved to when the target application was created, and if that server is switched off this error occurs.
Since this is more than likely a port problem, check by means of the Networking tools of CA PAM that ports 389 (or 3268 for the Global Catalog) and 636 (or 3269 for the Global Catalog over SSL/TLS) of the domain controllers are open for communication from the appliance. A port that never answers (filtered by a firewall) and a port that is actively refused (closed, nothing listening) both produce this error, but point at different fixes: a firewall rule in the first case, a stopped service or the wrong host in the second.
For the second case described above, that is, a domain name that resolves to multiple DCs while the target application uses the domain name as the server name, either change the Domain Controller Lookup section of the target application to "Retrieve DNS list" or to "Use following DNS Server", or bring the Domain Controller that is down back online.
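The following script is an added example, not part of the CA PAM product or of the original article. It does from an administrator's workstation what the two checks above ask for: it pulls the Domain Controllers that DNSHelper reported out of the tomcat log lines shown above, expands a server name such as example.com to every address it resolves to (so that a name round-robining over several DCs is not checked against only the one PAM happened to pin), and TCP-probes ports 389/636/3268/3269 on each, reporting "open", "closed" (connection refused) or "filtered" (no answer before the timeout). The log text and the 10.0.0.x addresses in it are constructed for the example; the page masks the real ones.

```python
import re
import socket
from typing import Dict, List, Tuple

# Ports CA PAM uses to reach a domain controller: LDAP/LDAPS on the DC itself
# and their Global Catalog equivalents.
AD_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc-ldap", 3269: "gc-ldaps"}

# Constructed sample in the format of the DNSHelper.getAdLoginUrls INFO lines
# quoted in the article; the IP addresses are made up for this example.
SAMPLE_LOG = """\
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://10.0.0.2, dns://10.0.0.3]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [10.0.0.11]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [10.0.0.12]
"""

# "INFO: found AD: <fqdn>. [<ip>]" -- the FQDN carries a trailing dot.
FOUND_AD_RE = re.compile(r"^INFO: found AD: (?P<host>\S+?)\.? \[(?P<ip>[^\]]+)\]", re.MULTILINE)


def domain_controllers_from_log(log_text: str) -> List[Tuple[str, str]]:
    """(hostname, ip) for every DC the DNSHelper lines reported, in log order."""
    found: List[Tuple[str, str]] = []
    for m in FOUND_AD_RE.finditer(log_text):
        entry = (m.group("host"), m.group("ip"))
        if entry not in found:
            found.append(entry)
    return found


def resolve_all(name: str) -> List[str]:
    """Every address a name resolves to, not just the first one.

    A target server named after the domain (example.com) may resolve to several
    DCs; PAM with "Do not use DNS" only ever uses one of them, so probe them all.
    """
    addrs: List[str] = []
    for info in socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP):
        addr = info[4][0]
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect probe: 'open', 'closed' (RST, nothing listening) or
    'filtered' (silently dropped, typical of a firewall rule)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # unreachable network, resolution failure, ...
        return f"error: {exc.strerror or exc}"


def probe_domain_controllers(hosts: List[str], timeout: float = 3.0) -> Dict[str, Dict[int, str]]:
    """Probe every AD port on every host; result[host][port] -> state."""
    return {h: {p: probe_port(h, p, timeout) for p in AD_PORTS} for h in hosts}


def unreachable(results: Dict[str, Dict[int, str]]) -> List[str]:
    """Hosts on which no LDAP/LDAPS (or GC) port is open; these cause PAM-CMN-0776."""
    return [h for h, ports in results.items() if not any(s == "open" for s in ports.values())]


def self_check() -> Dict[str, str]:
    """Offline demonstration of 'open' vs 'closed' using a loopback listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_port("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    return {"listening": while_listening, "after_close": probe_port("127.0.0.1", port, timeout=1.0)}


if __name__ == "__main__":
    dcs = domain_controllers_from_log(SAMPLE_LOG)
    print("DCs reported by DNSHelper:", dcs)
    print("loopback self-check:", self_check())
    # Against a live environment you would run, for the DNS-lookup case:
    #   report = probe_domain_controllers([ip for _, ip in dcs])
    # and for a target named after the domain (the second case in the article):
    #   report = probe_domain_controllers(resolve_all("example.com"))
    # then fix whatever unreachable(report) returns.
```

Run it from a host that sits in the same network position as the appliance; a probe result of "filtered" from elsewhere tells you nothing about the appliance's own path to the DC.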