
Account Verification fails - PAM-CM-3431: Distinguished Name (DN) must be specified.


Article ID: 215881


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When verifying the AD account, the customer encounters this error: PAM-CM-3431: Distinguished Name (DN) must be specified. The PAM UI does contain a Distinguished Name.

Environment

Release : 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The Error message popup upon Account Verification looks like this 

The "Account Name" in the PAM UI Target Account screen and "User logon name" in AD User Properties did not match. Example screenshots shown below.

 

 

Resolution

The "User logon name" (aka sAMAccountName) in the AD (Account Properties) should match the "Account Name" in the PAM UI's Target Account (Credential → Manage Targets → Accounts).

Additional Information

During Account Verification, PAM at this version gets the Distinguished Name from AD/LDAP by looking up the Account Name in the PAM UI, not by using the Distinguished Name specified in the PAM UI. So the mismatch leads to the error PAM-CM-3431: Distinguished Name (DN) must be specified.
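A way to confirm the mismatch from the AD side before editing the Target Account, as an added example that is not part of the original article or of PAM itself. It assumes the RSAT ActiveDirectory module is installed and that PAM's name lookup is equivalent to a search on sAMAccountName; the function name and the sample values are hypothetical.

```powershell
# Added diagnostic, not Broadcom/PAM code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PamAccountNameMatch {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $AccountName,        # "Account Name" from the PAM Target Account
        [Parameter(Mandatory)] [string] $DistinguishedName,  # DN entered in the PAM UI
        [string] $Server                                     # optional domain controller to query
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    # Escape RFC 4515 special characters so the name is matched as a literal value.
    $escaped = $AccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # Lookup 1: name -> DN (assumed to mirror what PAM does during verification).
    $byName = @(Get-ADUser -LDAPFilter "(sAMAccountName=$escaped)" @common)

    # Lookup 2: DN -> actual sAMAccountName, to show what the Account Name should be.
    $byDn = $null
    try { $byDn = Get-ADUser -Identity $DistinguishedName @common }
    catch { }  # DN not found or unreadable: SamAccountNameAtDN stays empty

    [pscustomobject]@{
        PamAccountName     = $AccountName
        ConfiguredDN       = $DistinguishedName
        DNResolvedByName   = ($byName.DistinguishedName -join '; ')
        SamAccountNameAtDN = $byDn.SamAccountName
        Match              = ($byName.Count -eq 1 -and $byName[0].DistinguishedName -eq $DistinguishedName)
    }
}

# Constructed sample values; replace with the values from your Target Account.
Test-PamAccountNameMatch -AccountName 'svc_pam' -DistinguishedName 'CN=svc_pam,OU=Service Accounts,DC=example,DC=com'
```

An empty `DNResolvedByName` together with a populated `SamAccountNameAtDN` is the condition this article describes: the DN exists, but the Account Name does not resolve to it.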
