One of the PAM servers will not connect to AD: it is unable to establish any LDAPS connection.
There is no problem with the AD or the network, as the other PAM servers in the cluster connect to the same AD without problems.
The tomcat log, downloaded from the Configuration > Diagnostics > Diagnostic Logs > Download page, shows "Failed to add cert to keystore" errors, similar to the following:
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getAndSaveSSLCertificate
WARNING: Failed to store certificate due to error 'Failed to add cert to keystore'
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
com.cloakware.cspm.server.app.ApplicationException: Failed to add cert to keystore
An internal keystore used by Credential Management was corrupted, for example by a temporary disk I/O problem.
This problem may require SSH debug access by PAM Support to remove the corrupted keystore and let it repopulate. If you encounter this problem and see the above details in the tomcat log, open a Support case and mention this knowledge document.
The PAM-CM-3432 error is generic and may be caused by other problems communicating with AD; often the cause is on the AD controller side, not in PAM. This KB only covers the problem that produces the "Failed to add cert to keystore" errors shown above.
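To confirm that a downloaded tomcat log actually carries this signature before opening a case, here is an added Python example (not part of this KB or of PAM) that parses records in the java.util.logging layout shown above and separates AD login failures that carry "Failed to add cert to keystore" from other PAM-CM-3432 causes. The embedded log sample is constructed: the first two records copy the KB, the third is invented for contrast.

```python
import re
from datetime import datetime

# Constructed sample in the java.util.logging layout of the PAM tomcat log: a header
# line (timestamp, logger class, method), a "LEVEL: message" line, then optional
# exception lines. Records 1-2 copy the KB; record 3 is a constructed AD login
# failure WITHOUT the keystore cause, which the check must not attribute to it.
SAMPLE_LOG = """\
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getAndSaveSSLCertificate
WARNING: Failed to store certificate due to error 'Failed to add cert to keystore'
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
com.cloakware.cspm.server.app.ApplicationException: Failed to add cert to keystore
Nov 09, 2020 6:14:02 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
"""

HEADER_RE = re.compile(r"^(\w{3} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
LEVEL_RE = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (.*)$")
KEYSTORE_MARKER = "Failed to add cert to keystore"

def parse_records(text):
    """Group lines into records: header fields, level/message, trailing detail lines."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"time": datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p"),
                            "logger": m.group(2), "method": m.group(3),
                            "level": None, "message": "", "detail": []})
            continue
        if not records: continue  # ignore text before the first header line
        cur, lv = records[-1], LEVEL_RE.match(line)
        if lv and cur["level"] is None:
            cur["level"], cur["message"] = lv.group(1), lv.group(2)
        else:
            cur["detail"].append(line)  # exception class/message or stack frames
    return records

def has_keystore_marker(rec):
    # The marker may sit in the message (WARNING) or in the exception line (SEVERE).
    return KEYSTORE_MARKER in rec["message"] or any(KEYSTORE_MARKER in d for d in rec["detail"])

def triage(text):
    """Count AD login failures and how many carry the keystore-corruption signature."""
    records = parse_records(text)
    ad_failures = [r for r in records if r["method"] == "loginToActiveDirectoryServer" and r["level"] == "SEVERE"]
    keystore_attributable = [r for r in ad_failures if has_keystore_marker(r)]
    return {"ad_login_failures": len(ad_failures), "keystore_attributable": len(keystore_attributable),
            "matches_kb": any(has_keystore_marker(r) for r in records)}
```

Run `triage()` over the downloaded log file's contents; a result with `matches_kb` false points to one of the other AD-side causes this KB does not cover.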