PAM-CM-3432: Cannot connect to a domain controller on the specified domain



Article ID: 203589


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

One PAM server in a cluster cannot connect to Active Directory (AD): it fails to establish any LDAPS connection to the domain controllers of the specified domain and reports error PAM-CM-3432.

The AD and the network are not at fault, because the other PAM servers in the same cluster connect to the same AD without problems.

The tomcat log, downloaded from the Configuration > Diagnostics > Diagnostic Logs > Download page, shows "Failed to add cert to keystore" errors similar to the following (the certificate store step fails first, and the subsequent AD login fails with the same exception):

Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getAndSaveSSLCertificate
WARNING: Failed to store certificate due to error 'Failed to add cert to keystore'
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
com.cloakware.cspm.server.app.ApplicationException: Failed to add cert to keystore

Cause

An internal keystore used by Credential Management became corrupted on the affected server, for example because of a transient disk I/O problem. When PAM connects to a domain controller over LDAPS it saves the controller's certificate into this keystore (the getAndSaveSSLCertificate step in the log above); once the keystore is unusable that step fails, and the AD login that depends on it fails with the same "Failed to add cert to keystore" exception.

Resolution

Fixing this requires removing the corrupted keystore so that PAM repopulates it on the next connection, which usually needs SSH debug access by PAM Support. If you encounter this problem and see the log entries above in the tomcat log, open a Support case and reference this knowledge document.

Additional Information

The PAM-CM-3432 error is generic and can be caused by other problems communicating with AD. Often the cause is on the domain controller side (certificate, DNS, firewall, or LDAPS configuration), not in PAM, especially when every PAM server in the cluster is affected. This KB only covers the case in which the tomcat log shows the "Failed to add cert to keystore" errors quoted above; without that signature, troubleshoot the AD connection first.
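Because PAM-CM-3432 is generic, the useful triage step is to check whether the downloaded tomcat log actually carries this KB's signature. The following script is an added example, not code from the KB or from CA PAM: it parses the two-line java.util.logging records shown above (a timestamp/class/method header followed by a LEVEL: message line, plus any exception lines), keeps only records from WindowsDomainServiceTargetManager, and reports whether the keystore failure is present or whether the AD login failed for some other reason. The sample log text is constructed for the example; the first sample reproduces the entries quoted in this KB, and the second is a made-up record with a placeholder exception that does not appear on this page.

```python
import re
from dataclasses import dataclass, field

# Header line of a java.util.logging record as it appears in the PAM tomcat log:
# "Nov 09, 2020 6:13:18 PM <fully.qualified.Class> <method>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>\S+) (?P<method>\S+)$"
)
# Second line of a record: "<LEVEL>: <message>"
LEVEL_RE = re.compile(
    r"^(?P<level>SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (?P<msg>.*)$"
)

# Signature this KB is about, and the logger that emits the AD-related records.
KEYSTORE_SIGNATURE = "Failed to add cert to keystore"
AD_SOURCE = "WindowsDomainServiceTargetManager"
AD_AUTH_FAILURE = "Failed authentication to Active Directory"


@dataclass
class LogRecord:
    timestamp: str
    source: str          # class name without package
    method: str
    level: str = ""
    message: str = ""
    extra: list = field(default_factory=list)  # exception / stack-trace lines


def parse_records(text: str) -> list:
    """Group the log into records: header, level+message, trailing exception lines."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LogRecord(m["ts"], m["source"].rsplit(".", 1)[-1], m["method"])
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record header
        lm = LEVEL_RE.match(line)
        if lm and not current.level:
            current.level, current.message = lm["level"], lm["msg"]
        elif line.strip():
            current.extra.append(line.strip())
    return records


def classify(text: str) -> dict:
    """Decide whether the log matches this KB (keystore corruption) or a generic AD failure."""
    ad_records = [r for r in parse_records(text) if r.source == AD_SOURCE]
    keystore_hits = [
        r for r in ad_records
        if KEYSTORE_SIGNATURE in r.message or any(KEYSTORE_SIGNATURE in x for x in r.extra)
    ]
    auth_failures = [
        r for r in ad_records if r.level == "SEVERE" and AD_AUTH_FAILURE in r.message
    ]
    if keystore_hits:
        verdict = "keystore-corruption"   # matches this KB: open a Support case
    elif auth_failures:
        verdict = "generic-ad-failure"    # PAM-CM-3432 from another cause: check the DC side
    else:
        verdict = "no-ad-errors"
    return {
        "verdict": verdict,
        "keystore_hits": len(keystore_hits),
        "auth_failures": len(auth_failures),
        "first_hit": keystore_hits[0].timestamp if keystore_hits else None,
    }


# Constructed sample 1: the entries quoted in this KB.
SAMPLE_KEYSTORE = """\
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getAndSaveSSLCertificate
WARNING: Failed to store certificate due to error 'Failed to add cert to keystore'
Nov 09, 2020 6:13:18 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
com.cloakware.cspm.server.app.ApplicationException: Failed to add cert to keystore
"""

# Constructed sample 2: an AD login failure WITHOUT the keystore signature. The exception
# line is a placeholder for the example and is not a message taken from PAM.
SAMPLE_OTHER = """\
Nov 10, 2020 9:02:41 AM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
SEVERE: Failed authentication to Active Directory using account 'ABCDE'
javax.naming.CommunicationException: CONSTRUCTED placeholder for an unrelated connectivity error
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_KEYSTORE
    print(classify(text))
```

Run it against the tomcat log extracted from the diagnostic download (`python triage.py tomcat.log`, a hypothetical filename). A "keystore-corruption" verdict means the case described in this KB; "generic-ad-failure" means the same PAM-CM-3432 symptom with no keystore involvement, so the domain controller, certificate and network path should be checked before a Support case is raised for this document.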