search cancel

LDAP Refresh Connections Are Inconsistent


Article ID: 203253


Updated On:


CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)


When PAM LDAP integration is configured with multiple domain controllers and SSL communication, the LDAP refresh intermittently results in the following error. When it is configured to use non-SSL communication, it works consistently.


Privileged Access Manager 3.x


The inconsistent behavior is caused by one or more DCs in the environment not being properly configured for SSL communication. To confirm which DC caused the error, go to Configuration > Diagnostics > Diagnostic Logs, click on the Download tab, and click View Recent Log Entries next to Tomcat Logs. The following error can be found in the logs, which mentions the IP of the DC that caused the error.

Nov 10, 2020 4:57:59 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'PAMLDAPADMIN' Connection reset
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.convertToApplicationException(
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.createLDAPContext(
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyPasswordInActiveDirectory(
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(
    at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(
Caused by: javax.naming.CommunicationException: [Root exception is Connection reset]


As a workaround, take the domain controller out of the configuration so PAM will not communicate with it. Once the server has been properly configured for SSL communication, add it back.