Failed to verify or update password of local Windows account in PAM via Windows Proxy due to 64-Invalid_operation and 1722-RPC_S_SERVER_UNAVAILABLE error
Article ID: 209957
Updated On:
Products
Issue/Introduction
We have tried to verify or update password of a target local account on the target Endpoint via Windows Proxy in PAM (Privileged Access Manager) Client, but both are failed.
When verifying password we got the following error dialog:
PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.
When updating password we got the following error dialog:
PAM-CM-3468: Error updating account credentials.
Here is the environment set up
We have set loglevel parameter to FINE in the Windows Proxy's cspm_agent\cloakware\config\cspm_client_config.xml and I saw the following in the cspm_client_log.txt file
When verifying password
FINE: Fri March 05 01:14:26.233 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Agent's own hostname: winproxy.pamlab.local
FINE: Fri March 05 01:14:26.233 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. User: tgsuser1, domain: cspm_dummy_value, server: xx.xx.xx.xx
FINE: Fri March 05 01:14:26.249 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. verifying account on remote host
WARNING: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 64-Invalid_operation
INFO: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Complete verify account password
INFO: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentServlet::processTask. Message to send: <?xml version="1.0" ?><eventReponse><eventId>1</eventId><statusCode>440</statusCode><errorMessage>64-Invalid_operation</errorMessage><content><extended_status></extended_status></content></eventReponse>
When updating password
FINE: Fri March 05 01:20:18.601 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Agent's own hostname: winproxy.pamlab.local
FINE: Fri March 05 01:20:18.601 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Admin user: CSPM_Agent_Account_32, user: tgsuser1, domain: cspm_dummy_value, server: xx.xx.xx.xx, services: []
FINE: Fri March 05 01:20:18.616 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Start update user account as admin
WARNING: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Operation not successful, message: 1722-RPC_S_SERVER_UNAVAILABLE
INFO: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Complete account password update
INFO: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentServlet::processTask. Message to send: <?xml version="1.0" ?><eventReponse><eventId>1</eventId><statusCode>440</statusCode><errorMessage>1722-RPC_S_SERVER_UNAVAILABLE</errorMessage><content><extended_status></extended_status></content></eventReponse>
Environment
PRIVILEGED ACCESS MANAGEMENT 4.x
Windows Proxy 4.16.2 on Windows 2016
Target Endpoint OS: Windows 2016
Cause
SMB protocol has been disabled on the Target Endpoint
Resolution
Enable SMB2 protocol on the Target Endpoint server, i.e.
1. Login as local Administrator and launch "Windows PowerShell ISE"
2. Run the following command on the PawerShell prompt and check if EnableSMB2Protocol is set to true
Get-SmbServerConfiguration
3. Run the following command on the PowerShell prompt to set EnableSMB2Protocol to true
Set-SmbServerConfiguration -EnableSMB2Protocol $true
4. Restart Windows
Feedback
