PAM-CM-0776 message rotating passwords for target domain accounts

Article ID: 191616


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Consider the following setup:
  • A target account belonging to an AD domain is defined in Credential Management. The account is able to change its own password.
  • A Windows Remote target application is defined to manage that target account on a specific server. The Windows Remote application is configured to treat the account as a Domain Account, and the appropriate Domain Controller or DNS for the domain is specified in the corresponding tab of the target application definition.
However, any change password operation fails with a Connection Timeout message.

With the Tomcat log level set to INFO, the following messages indicate the failure:

Apr 22, 2020 2:26:11 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1171)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1026)

Environment

CA PRIVILEGED ACCESS MANAGEMENT, versions 3.X onwards

Cause

This error occurs whenever CA PAM is unable to contact the AD server because a port is filtered or closed. Typically, with the Tomcat log set to INFO, the log shows the DNS query for the domain zone returning the Domain Controllers for the domain:

Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://1.2.3.4, dns://5.6.7.8]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [1.2.3.4]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [5.6.7.8]

But afterward the PAM-CM-0776 message is displayed.

Resolution

Since this is more than likely a ports problem, use the networking tools of CA PAM to check that ports 389 and 636 of the domain controllers are open for communication from the appliance.
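
The check described above can also be scripted from a host on the same network path as the appliance. The following is an added example, not CA PAM code or part of the original article: it pulls the domain controllers out of the "found AD" log lines and classifies ports 389 and 636 on each as open, closed or filtered. The function names and the sample log are constructed for illustration, and running it from a host that shares the appliance's firewall rules is an assumption.

```python
import re
import socket

# Constructed sample in the format of the Tomcat log lines shown above.
SAMPLE_LOG = """\
INFO: found AD: server1.xxx.com. [1.2.3.4]
INFO: found AD: server2.xxx.com. [5.6.7.8]
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
"""

FOUND_AD = re.compile(r"INFO: found AD: (\S+?)\.? \[([0-9A-Fa-f.:]+)\]")
LDAP_PORTS = (389, 636)  # LDAP and LDAPS, the ports named in the Resolution


def parse_domain_controllers(log_text):
    """Return unique (hostname, ip) pairs from 'found AD' lines, in log order."""
    return list(dict.fromkeys(FOUND_AD.findall(log_text)))


def probe(ip, port, timeout=3.0):
    """Classify a TCP connect: 'open', 'closed' (RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # e.g. no route to host
        return f"error: {exc.strerror or exc}"


def check_log(log_text, timeout=3.0):
    """If the log shows PAM-CM-0776, probe 389/636 on every DC it resolved."""
    if "PAM-CM-0776" not in log_text:
        return {}
    return {(host, ip, port): probe(ip, port, timeout)
            for host, ip in parse_domain_controllers(log_text)
            for port in LDAP_PORTS}


if __name__ == "__main__":
    for (host, ip, port), state in check_log(SAMPLE_LOG).items():
        print(f"{host} {ip}:{port} -> {state}")
```

A result of "open" only proves that the TCP handshake completed; "filtered" on every controller matches the Connection Timeout symptom described in this article.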