PAM-CM-0776 message rotating passwords for target domain accounts
Article ID: 191616
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
Consider the following setup:
A target account is defined in credential management pertaining to an AD domain. The account is able to change its own password.
A Windows Remote target application is defined to manage that target account on a specific server. The Windows Remote application is configured to treat the account as a Domain Account, and the appropriate Domain Controller or DNS server for the domain is specified in the corresponding tab of the target application definition.
However, any change password operation fails with a Connection Timeout message.
With the Tomcat log level set to info, the following messages are indicative of the failure:
Apr 22, 2020 2:26:11 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1171)
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1026)
Environment
CA PRIVILEGED ACCESS MANAGEMENT, versions 3.X onwards
Cause
This error occurs whenever CA PAM is unable to contact the AD server because the required port is filtered or closed. Typically the Tomcat log at info level shows the DNS query for the domain zone returning the Domain Controllers for the domain, but afterward the PAM-CM-0776 message is displayed.
Resolution
Since this is more than likely a ports problem, check by means of the Networking tools of CA PAM that ports 389 and 636 of the domain controllers are open for communication from the appliance.
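The same check, run from any host on the appliance's network segment, as an added example that is not part of this article or of CA PAM itself. It attempts a TCP connection to ports 389 and 636 on each domain controller and distinguishes a closed port (reset) from a filtered one (timeout, the condition behind the PAM-CM-0776 "Unable to connect" message); the domain controller hostnames are constructed placeholders.

```python
import socket
from typing import Dict, List, Tuple

# Ports the Windows Domain Service target manager must reach on each domain
# controller: 389 (LDAP) and 636 (LDAPS), as named in the resolution above.
REQUIRED_PORTS = (389, 636)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    'open'     - handshake completed, something is listening
    'closed'   - the host answered with a reset (port reachable, nothing listening)
    'filtered' - no answer before the timeout (packets dropped by a firewall)
    'error'    - name resolution or other socket failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"


def check_domain_controllers(dcs: List[str], ports=REQUIRED_PORTS,
                             timeout: float = 3.0) -> Dict[str, Dict[int, str]]:
    """Probe every required port on every domain controller."""
    return {dc: {p: probe_port(dc, p, timeout) for p in ports} for dc in dcs}


def blocked_endpoints(report: Dict[str, Dict[int, str]]) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs that are not reachable."""
    return [(dc, p) for dc, ports in report.items()
            for p, state in ports.items() if state != "open"]


if __name__ == "__main__":
    # Constructed hostnames: substitute the domain controllers that the DNS
    # query in the Tomcat log returned for the domain.
    report = check_domain_controllers(["dc1.example.internal", "dc2.example.internal"])
    for dc, ports in report.items():
        for port, state in ports.items():
            print(f"{dc}:{port} {state}")
    for dc, port in blocked_endpoints(report):
        print(f"Allow TCP {port} from the PAM appliance to {dc} before retrying")
```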