PAM-CM-0776 message rotating passwords for target domain accounts
Article ID: 191616
Updated On:
Products
CA Privileged Access Manager (PAM)
Issue/Introduction
Consider the following setup
Setting the Tomcat log to info, the following messages are indicative of the failure
Apr 22, 2020 2:26:11 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1171)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1026)
- A target account is defined in credential management pertaining to a AD domain. The account is able to change its own password
- A Windows Remote target application is defined to manage that target account in a specific server. The Windows remote application is configured to consider the account as a Domain Account and the appropriate Domain Controller or DNS for the domain are specified in the corresponding tab in the target application definition
Setting the Tomcat log to info, the following messages are indicative of the failure
Apr 22, 2020 2:26:11 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1171)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1026)
Environment
CA PRIVILEGED ACCESS MANAGEMENT, versions 3.X onwards
Cause
This error occurs whenever CA PAM is unable to contact the AD server due to a filtered or closed port condition. Typically the tomcat log set to info shows the query to DNS of the domain zone returning the Domain Controllers for the Domain
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://1.2.3.4, dns://5.6.7.8]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [1.2.3.4]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [5.6.7.8]
But afterward the PAM-CMN-0776 message is displayed
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://1.2.3.4, dns://5.6.7.8]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [1.2.3.4]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [5.6.7.8]
But afterward the PAM-CMN-0776 message is displayed
Resolution
Since this is more than likely a ports problem check by means of the Networking tools of CA PAM that ports 389 and 636 of the domain controllers are open for communication from the appliance
Feedback
Yes
No
Powered by
