Unable to enroll devices and accounts in CA PAM due to 4681: 5-ERROR_ACCESS_DENIED


Article ID: 197591


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to create new synchronized target accounts for local Windows accounts using a Windows Proxy target connector. When we save the account with the option "Update both the Credential Manager Server and the target system" set, the Windows target device logs a successful logon of the account from the Windows Proxy host, yet the attempt still fails with a 5-ERROR_ACCESS_DENIED error.

Cause

Windows has no simple remote-logon call that only checks whether a set of credentials is valid. To verify an account, the Windows Proxy calls WNetAddConnection2() (see https://docs.microsoft.com/en-us/windows/win32/api/winnetwk/nf-winnetwk-wnetaddconnection2a) to access a resource on the remote server with the supplied credentials. For account verification the resource used is "\\<servername>", or "\\<IP>" if an IP address is configured as the device address in PAM. This resource normally appears as an empty folder with read access allowed. Because the credentials are accepted before the resource access is checked, the target records a successful logon even though the call then fails with ERROR_ACCESS_DENIED: authentication succeeds, but authorization to the resource does not.

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Log on remotely with the target account, open Windows Explorer and try to access \\<address configured in PAM>. It should open without error and typically shows an empty folder. If it fails because of a permission or other issue, resolve that problem on the target system and then retry the account update in PAM.
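To make the manual check in the Resolution reproducible, the following PowerShell script is an added example (not part of this article or of CA PAM) that issues the same WNetAddConnection2() call the Cause section describes against "\\<server>" and translates the Win32 return code into the likely reason. The parameter names, the placeholder server address and the account you test with are assumptions; run it on a Windows host with network access to the target.

```powershell
# Added diagnostic example (not CA PAM code): repeat the Windows Proxy credential
# check with WNetAddConnection2() and explain the result. Placeholders: supply the
# address configured in PAM and the target account under test; the password is
# prompted as a SecureString so nothing sensitive is written into the script.
param(
    [Parameter(Mandatory)][string]$Server,        # address configured in PAM (name or IP)
    [Parameter(Mandatory)][string]$UserName,      # e.g. TARGETHOST\localaccount
    [Parameter(Mandatory)][securestring]$Password
)

Add-Type -Namespace PamDiag -Name Mpr -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct NETRESOURCE {
    public uint dwScope; public uint dwType; public uint dwDisplayType; public uint dwUsage;
    public string lpLocalName; public string lpRemoteName; public string lpComment; public string lpProvider;
}
[DllImport("mpr.dll", CharSet = CharSet.Unicode)]
public static extern int WNetAddConnection2(ref NETRESOURCE lpNetResource, string lpPassword, string lpUserName, uint dwFlags);
[DllImport("mpr.dll", CharSet = CharSet.Unicode)]
public static extern int WNetCancelConnection2(string lpName, uint dwFlags, bool fForce);
'@

$res = [PamDiag.Mpr+NETRESOURCE]::new()
$res.dwType = 0                          # RESOURCETYPE_ANY
$res.lpRemoteName = "\\$Server"          # the same resource the proxy uses: "\\<servername>" or "\\<IP>"

$plain = [System.Net.NetworkCredential]::new('', $Password).Password
$rc = [PamDiag.Mpr]::WNetAddConnection2([ref]$res, $plain, $UserName, 0)

# Map the Win32 codes a troubleshooter is most likely to meet. Code 5 is the case
# from this article: the target logs a successful logon, but the account is not
# allowed to read \\<server>, so PAM reports ERROR_ACCESS_DENIED.
$meaning = switch ($rc) {
    0    { "NO_ERROR: credentials accepted and \\$Server is readable; PAM verification should succeed" }
    5    { "ERROR_ACCESS_DENIED: authentication succeeded but \\$Server is not accessible to this account; fix share or permission settings on the target" }
    53   { "ERROR_BAD_NETPATH: \\$Server is not reachable over SMB from this host" }
    1219 { "ERROR_SESSION_CREDENTIAL_CONFLICT: an existing session to $Server uses other credentials; disconnect it (net use) and retry" }
    1326 { "ERROR_LOGON_FAILURE: wrong user name or password" }
    default { "Win32 error $rc : " + ([ComponentModel.Win32Exception]$rc).Message }
}
"WNetAddConnection2 returned $rc -> $meaning"

# Drop the test connection again so it does not linger on the Windows Proxy host.
if ($rc -eq 0) { [void][PamDiag.Mpr]::WNetCancelConnection2("\\$Server", 0, $true) }
```

Run it from the Windows Proxy host itself, because that is where PAM makes the call and where any conflicting SMB session (return code 1219) would exist.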