PAM-CM-0776 message rotating passwords for target domain accounts
Article ID: 191616

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Consider the following setup:
  • A target account is defined in credential management for an AD domain. The account is able to change its own password.
  • A Windows Remote target application is defined to manage that target account on a specific server. The Windows Remote application is configured to treat the account as a Domain Account, and the appropriate Domain Controller or DNS server for the domain is specified in the corresponding tab of the target application definition.

However, any change password operation fails with a Connection Timeout message.

With the Tomcat log level set to INFO, the following messages indicate the failure:

Apr 22, 2020 2:26:11 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'XXXX'
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1171)
 at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1026)

Environment

CA PRIVILEGED ACCESS MANAGEMENT, versions 3.X onwards

Cause

This error occurs whenever CA PAM is unable to contact the AD server because the required port is filtered or closed. Typically, with the Tomcat log set to INFO, the log shows the DNS query of the domain zone returning the Domain Controllers for the domain:

Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: domain= 'xxx.com'; providerUrls= '[dns://x.x.x.x, dns://x.x.x.x]'; dnsQueryString= '_ldap._tcp.xxx.com'
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server1.xxx.com. [x.x.x.x]
Apr 22, 2020 2:08:03 PM com.cloakware.cspm.server.plugin.targetmanager.windows.DNSHelper getAdLoginUrls
INFO: found AD: server2.xxx.com. [x.x.x.x]

Afterwards, however, the PAM-CM-0776 message is displayed.

It is possible that these lines do not appear in the Tomcat log. This is the case when the target application for AD is configured as "Do not use DNS (target server is domain controller)", because PAM then assumes that whatever IP address the target server name resolves to is already the Domain Controller. If the target application is configured this way, CA PAM will not attempt to reach any other Domain Controller in the domain, even if there are several and the one it resolved is down, and this error results. Such a situation can arise when, for instance, the target server name is the domain itself (for instance example.com), the host IP defined for the server example.com is also the domain name, and example.com resolves to several DC servers. In that case PAM keeps using whichever address example.com resolved to when the target application was created, and if that server is switched off this error occurs.

Resolution

Since this is most likely a port problem, use the Networking tools of CA PAM to check that ports 389 (or 3268) and 636 (or 3279) of the domain controllers are open for communication from the appliance.

For the second use case described, that is, a domain name that resolves to multiple DCs while the target application uses the domain itself as the server name, change the Domain Controller Lookup section of the target application to "Retrieve DNS list" or to "Use following DNS Server", or reactivate the Domain Controller that is down.
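As an added example (not CA PAM's own code), the following script reproduces the two checks this article describes: it parses the `_ldap._tcp.<domain>` SRV answer that DNSHelper logs and probes ports 389 and 636 on each returned Domain Controller from the host it runs on, listing the controllers that would produce PAM-CM-0776. The SRV answer is constructed sample data in the format `dig +short SRV` prints; the hostnames mirror the article's log lines.

```python
import socket
from collections import namedtuple

# Ports the article says must be open from the appliance to each DC (LDAP, LDAPS).
LDAP_PORTS = (389, 636)

SrvRecord = namedtuple("SrvRecord", "priority weight port host")


def parse_srv_answer(answer: str) -> list:
    """Parse 'dig +short SRV _ldap._tcp.<domain>' output ('prio weight port host.')
    into records ordered by priority, then by descending weight, as an LDAP client would."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        records.append(SrvRecord(*map(int, parts[:3]), parts[3].rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes; a filtered port simply times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controllers(records, ports=LDAP_PORTS, probe=tcp_port_open) -> dict:
    """Map each DC host to {port: reachable}. 'probe' is injectable for offline tests."""
    results = {}
    for rec in records:
        results.setdefault(rec.host, {})
        for port in ports:
            results[rec.host][port] = probe(rec.host, port)
    return results


def unreachable_controllers(results: dict) -> list:
    """DCs with at least one closed or filtered port: the PAM-CM-0776 candidates."""
    return sorted(host for host, ports in results.items() if not all(ports.values()))


# Constructed sample mirroring the hosts in the article's DNSHelper log lines.
SAMPLE_SRV_ANSWER = "0 100 389 server1.xxx.com.\n0 100 389 server2.xxx.com.\n"

if __name__ == "__main__":
    report = check_domain_controllers(parse_srv_answer(SAMPLE_SRV_ANSWER))
    for host, ports in report.items():
        print(host, {p: "open" if ok else "closed/filtered" for p, ok in ports.items()})
    print("controllers to fix:", unreachable_controllers(report) or "none")
```

Replace SAMPLE_SRV_ANSWER with the real `dig +short SRV _ldap._tcp.<domain>` output and run the script from a host that shares the appliance's network path to the DCs; any controller reported closed/filtered on either port is the one blocking the password change.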