Failed to verify or update password of local Windows account in PAM via Windows Proxy due to 64-Invalid_operation and 1722-RPC_S_SERVER_UNAVAILABLE error

book

Article ID: 209957

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have tried to verify or update password of a target local account on the target Endpoint via Windows Proxy in PAM (Privileged Access Manager) Client, but both are failed.

When verifying password we got the following error dialog:

PAM-CM-0759: Failed to verify password with target. If this problem persists then please ask your Administrator to investigate.

When updating password we got the following error dialog:

PAM-CM-3468: Error updating account credentials.

Here is the environment set up

We have set loglevel parameter to FINE in the Windows Proxy's cspm_agent\cloakware\config\cspm_client_config.xml and I saw the following in the cspm_client_log.txt file

When verifying password

FINE: Fri March 05 01:14:26.233 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Agent's own hostname: winproxy.pamlab.local
FINE: Fri March 05 01:14:26.233 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. User: tgsuser1, domain: cspm_dummy_value, server: xx.xx.xx.xx
FINE: Fri March 05 01:14:26.249 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. verifying account on remote host
WARNING: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 64-Invalid_operation
INFO: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentService::verifyWindowsAccountPassword. Complete verify account password
INFO: Fri March 05 01:14:28.561 UTC 2021 CSPMAgentServlet::processTask. Message to send: <?xml version="1.0" ?><eventReponse><eventId>1</eventId><statusCode>440</statusCode><errorMessage>64-Invalid_operation</errorMessage><content><extended_status></extended_status></content></eventReponse>

When updating password

FINE: Fri March 05 01:20:18.601 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Agent's own hostname: winproxy.pamlab.local
FINE: Fri March 05 01:20:18.601 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Admin user: CSPM_Agent_Account_32, user: tgsuser1, domain: cspm_dummy_value, server: xx.xx.xx.xx, services: []
FINE: Fri March 05 01:20:18.616 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Start update user account as admin
WARNING: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Operation not successful, message: 1722-RPC_S_SERVER_UNAVAILABLE
INFO: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentService::updateWindowsAccountPasswordWithServices. Complete account password update
INFO: Fri March 05 01:20:18.632 UTC 2021 CSPMAgentServlet::processTask. Message to send: <?xml version="1.0" ?><eventReponse><eventId>1</eventId><statusCode>440</statusCode><errorMessage>1722-RPC_S_SERVER_UNAVAILABLE</errorMessage><content><extended_status></extended_status></content></eventReponse>

 

Cause

SMB protocol has been disabled on the Target Endpoint

Environment

PRIVILEGED ACCESS MANAGEMENT 3.3.2
Windows Proxy 4.16.2 on Windows 2016
Target Endpoint OS: Windows 2016

Resolution

Enable SMB2 protocol on the Target Endpoint server, i.e.

1. Login as local Administrator and launch "Windows PowerShell ISE"
2. Run the following command on the PawerShell prompt and check if EnableSMB2Protocol is set to true

      Get-SmbServerConfiguration

3. Run the following command on the PawerShell prompt to set EnableSMB2Protocol to true

      Set-SmbServerConfiguration -EnableSMB2Protocol $true

4. Restart Windows      

Attachments