We recently upgraded to 3.3.2.99, and have CAPAM integrated with RSA on-demand RSA tokens for our vendors. We are getting complaints that the users are getting deactivated when trying to sign into CA PAM, when they know their pin is correct.

Release : 3.3.X

Component : PRIVILEGED ACCESS MANAGEMENT

The logs show the users had three failed login attempts in a row and their account is deactivated.  Sometimes they login with no problems and other times they run into this issue when they get deactivated right away.   

Intermittent failures of CAPAM RSA logins with multiple RSA servers can be caused by DNS issues. 

Three RSA servers are installed in the network.  From CAP{AM Configuration/Tools, Ping, Traceroute and Reverse DNS were tested to all of the RSA servers.

One server test resulted in a failure for Reverse Lookup.  This network issue could cause repeated failures when the login is sent to the problematic RSA server, which then causes a user deactivation in CAPAM.  If the login goes to the other two RSA servers, then there is no issue logging in.

The network team resolved the Reverse DNS Lookup problem, resolving the intermittent CAPAM login issues.