Active Directory Update or Verify communication failure for all accounts

Article ID: 223464

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Password resets for target accounts are failing, and new PAM target accounts cannot be created for users. Any attempt to verify or update an Active Directory target account from the PAM UI fails after a while with a "Communication Failure" error.

The tomcat log shows timeout errors in the SSLCertificateRetriever.java class.

Cause

All calls into Active Directory hang on a common lock.

Environment

Affected Releases: 3.4.1-3.4.3, 4.0.0

Resolution

This problem is fixed in PAM 3.4.4 and later; see the following item on the Resolved Issues in 3.4.4 page:

2707978 DE503873 
Over time, attempts to update and verify target accounts stop working and the PAM administrator receives a "communication failure" error. Additionally, accessing session recordings causes excessively high memory usage.

As of Sept 8, 2021, upgrading to release 3.4.4 or 3.4.5 resolves the problem. For PAM 4.0, the first maintenance release, 4.0.1 (ETA end of September 2021), will include a fix.

For a standalone node, a reboot should resolve the problem, at least temporarily.

If the problem is observed on a cluster primary site node, either reboot that node in the active cluster (not advisable if there are two primary cluster nodes), or turn the cluster off and then on again.

Additional Information

The tomcat log, which can be downloaded from Configuration > Diagnostics > Diagnostic Logs > Download, will show timeout errors similar to the following. Note specifically the time-out in the SSLCertificateRetriever.java class at line 75.

Sep 08, 2021 1:31:21 PM com.cloakware.cspm.server.app.impl.TargetManagerFactory runTargetManager
WARNING: Stack trace of Target Manager thread at time of time-out interrupt:
com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate(SSLCertificateRetriever.java:75)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1259)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1120)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyPasswordInActiveDirectory(WindowsDomainServiceTargetManager.java:732)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(WindowsDomainServiceTargetManager.java:695)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(WindowsDomainServiceTargetManager.java:1831)
com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:668)
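As an added example (not code from the article or from the PAM product), the following Python script scans a downloaded tomcat log for the "time-out interrupt" stack traces shown above and reports only those whose top frame is SSLCertificateRetriever.getCertificate, the signature of this hung lock. The embedded log excerpt is constructed from the format quoted above, and the second target manager class in it is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the tomcat log format quoted above: one time-out interrupt with the
# SSLCertificateRetriever signature and one unrelated time-out (hypothetical class) that must not match.
SAMPLE_LOG = """\
Sep 08, 2021 1:31:21 PM com.cloakware.cspm.server.app.impl.TargetManagerFactory runTargetManager
WARNING: Stack trace of Target Manager thread at time of time-out interrupt:
com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate(SSLCertificateRetriever.java:75)
com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1259)
com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:668)
Sep 08, 2021 1:35:02 PM com.cloakware.cspm.server.app.impl.TargetManagerFactory runTargetManager
WARNING: Stack trace of Target Manager thread at time of time-out interrupt:
com.cloakware.cspm.server.plugin.targetmanager.HypotheticalTargetManager.connect(HypotheticalTargetManager.java:10)
com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:668)
"""
# java.util.logging header: "<Mon DD, YYYY h:mm:ss AM/PM> <logger class> <method>"
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
FRAME_RE = re.compile(r"^([\w.$]+)\((\w+\.java):(\d+)\)$")  # method(File.java:line)
TIMEOUT_MARKER = "time of time-out interrupt"
SIGNATURE_FRAME = "com.cloakware.cspm.server.security.SSLCertificateRetriever.getCertificate"

@dataclass
class TimeoutRecord:
    timestamp: str
    frames: list = field(default_factory=list)  # (method, source file, line) per frame

def parse_timeout_records(log_text):
    """Group each header line, its WARNING line and the stack frames that follow into one record."""
    records, pending_ts, current = [], None, None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new log entry starts; remember its timestamp for the WARNING that follows
            pending_ts, current = m.group(1), None
            continue
        if line.startswith("WARNING:") and TIMEOUT_MARKER in line:
            current = TimeoutRecord(timestamp=pending_ts)
            records.append(current)
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            current.frames.append((f.group(1), f.group(2), int(f.group(3))))
    return records

def matches_ad_lock_signature(record):
    """True when the interrupted thread was blocked in SSLCertificateRetriever.getCertificate."""
    return bool(record.frames) and record.frames[0][0] == SIGNATURE_FRAME

def find_ad_lock_timeouts(log_text):
    return [r for r in parse_timeout_records(log_text) if matches_ad_lock_signature(r)]
```

Point `find_ad_lock_timeouts` at the contents of the downloaded tomcat log; a growing count of hits over time on a node is the condition the article describes, and a match at SSLCertificateRetriever.java:75 confirms it.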