PAM configuration with Read Only Domain Controller

Article ID: 223672

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are implementing PAM on a site where there is only a "Read Only Domain Controller". We followed a Microsoft article to allow the passwords of PAM target accounts to be cached on this RODC, but even with this configuration PAM is not able to change the password. So the question is: what settings do we need to configure on this RODC in order to allow PAM to change the password of target accounts?

Cause

A Read-Only Domain Controller does not accept LDAP write operations itself; it refers the password update to a Read-Write domain controller. PAM follows that referral, but the Read-Write DC cannot be reached from PAM because of firewall restrictions, so the update fails.

Environment

Release : 4.0

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

This is not a PAM problem. If PAM is meant to update passwords of Active Directory accounts, it needs network access to a domain controller that accepts the updates, that is, a writable DC. Caching the target account's password on the RODC (through its Password Replication Policy) only lets the RODC authenticate the account locally; it never makes the RODC accept the password write.

The customer inquiring about this first contacted Microsoft Support to find out whether there are configuration options on the Read-Only DC to work around the problem. The conclusion was that it will not work: either the DC has to be changed to read/write, or a firewall rule has to be added so that PAM can reach a read/write DC directly.

Additional Information

The tomcat log at log level INFO shows the problem. The login with the current password to the Read-Only DC succeeds, but the subsequent password update fails with a connection time-out against a different DC on the LDAPS port (636). That second DC is not configured in PAM, and PAM would not otherwise know its address: the Read-Only DC returned it as the referral target for the write, PAM tried to connect to it, the firewall blocked the connection, and the attempt failed after the 3-second connection timeout.

...

-----END CERTIFICATE-----
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
INFO: Successfully authenticated to Active Directory and set the last known good host to '<Read-only-DC-address>'
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getDistinguishedName
INFO: Derived the Distinguished Name (DN) 'CN=xxxxx' from the Target Account having ID '37001'
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.security.CSPMSSLSocketFactory init
INFO: CSPMSSLSocketFactory init()
Sep 10, 2021 2:15:25 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager updatePasswordInActiveDirectory
SEVERE: Failed with Naming Exception
javax.naming.CommunicationException: <Read-Write-DC-address>:636 [Root exception is java.net.SocketTimeoutException: connect timed out]

....
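The following is an added example, not part of this article and not PAM product code. It is a small triage script that reads a tomcat excerpt of the kind shown above and tells apart the two failure patterns a PAM administrator has to distinguish: a configured DC that is itself unreachable, versus a successful login to the configured (read-only) DC followed by a connection failure to a different, unconfigured DC, which is the RODC write-referral symptom described here. It also reports the gap between the successful login and the failure so the 3-second connect timeout can be confirmed. The sample log is constructed, modelled on the redacted excerpt; the hostnames rodc01.example.com and rwdc01.example.com are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, modelled on the redacted tomcat excerpt in this article.
# Hostnames are hypothetical placeholders, not real systems.
SAMPLE_LOG = """\
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
INFO: Successfully authenticated to Active Directory and set the last known good host to 'rodc01.example.com'
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager getDistinguishedName
INFO: Derived the Distinguished Name (DN) 'CN=xxxxx' from the Target Account having ID '37001'
Sep 10, 2021 2:15:22 PM com.cloakware.cspm.server.security.CSPMSSLSocketFactory init
INFO: CSPMSSLSocketFactory init()
Sep 10, 2021 2:15:25 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager updatePasswordInActiveDirectory
SEVERE: Failed with Naming Exception
javax.naming.CommunicationException: rwdc01.example.com:636 [Root exception is java.net.SocketTimeoutException: connect timed out]
"""

# Tomcat/JUL timestamp prefix, e.g. "Sep 10, 2021 2:15:22 PM ..."
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ")
TS_FMT = "%b %d, %Y %I:%M:%S %p"
# Host PAM authenticated to (the configured target address).
AUTH_RE = re.compile(r"set the last known good host to '([^']+)'")
# host:port PAM was trying to reach when the write failed.
FAIL_RE = re.compile(r"javax\.naming\.CommunicationException: ([^\s:\[]+):(\d+)")


@dataclass
class Diagnosis:
    authenticated_host: Optional[str]
    failed_host: Optional[str]
    failed_port: Optional[int]
    seconds_to_failure: Optional[float]
    verdict: str


def diagnose(log_text: str, configured_hosts: set) -> Diagnosis:
    """Classify a PAM AD password-change failure from a tomcat log excerpt.

    configured_hosts: the DC addresses configured on the PAM target
    application. A failure against a host outside that set, right after a
    successful login, indicates the RODC referred the write elsewhere.
    """
    last_ts: Optional[datetime] = None
    auth_host = auth_ts = None
    fail_host = fail_port = fail_ts = None

    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), TS_FMT)
        m = AUTH_RE.search(line)
        if m:
            auth_host, auth_ts = m.group(1), last_ts
            continue
        m = FAIL_RE.search(line)
        if m:
            fail_host, fail_port, fail_ts = m.group(1), int(m.group(2)), last_ts

    seconds = None
    if auth_ts is not None and fail_ts is not None:
        seconds = (fail_ts - auth_ts).total_seconds()

    if fail_host is None:
        verdict = "no-ldap-failure"
    elif fail_host in configured_hosts or fail_host == auth_host:
        # The configured DC itself is unreachable: a plain network/LDAPS issue.
        verdict = "configured-dc-unreachable"
    else:
        # Login to the configured DC worked, but the write went to a DC PAM
        # was never told about: the RODC write-referral pattern.
        verdict = "redirected-to-unconfigured-dc"

    return Diagnosis(auth_host, fail_host, fail_port, seconds, verdict)


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG, {"rodc01.example.com"})
    print(f"authenticated to : {d.authenticated_host}")
    print(f"write failed to  : {d.failed_host}:{d.failed_port}")
    print(f"login->failure   : {d.seconds_to_failure}s")
    print(f"verdict          : {d.verdict}")
```

Run it against a real excerpt by replacing SAMPLE_LOG with the log text and `configured_hosts` with the DC address(es) on the PAM target application. A verdict of `redirected-to-unconfigured-dc` with a gap matching the connect timeout is the situation in this article: open the firewall from PAM to the referred-to read/write DC on the failing port, or point PAM at a writable DC.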