Password change failing for multiple servers sharing username in CA PAM

Article ID: 226012

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Assume the following scenario:

  • A device group comprising several servers is defined
  • For each one of these machines, the same target account and target application is defined
  • A Password View Policy is in use for all machines so that the password is changed every time it is viewed or checked in
  • The device group containing the servers has one or several credential sources corresponding to the target account(s) and target application(s) defined for the different servers. Note that since the target account and target application for all servers have the same name, they will be difficult to differentiate when adding them all as credential sources

The customer's goal is for the password to be updated on all machines, according to the Password View Policy, each time one of the conditions for a password change is met.

However, this does not work:

  • Starting with all accounts verified, one views the password for, or logs in to, one of the machines. This works
  • On logging out or checking in the password, the password is updated according to the Password View Policy
  • However, a later attempt to log in to any of the machines in the device group fails

Cause

This is because a credential source, once assigned, is linked to a specific machine through its target account and target application. Hence, if I log in to one machine using the username and password provided by the credential source, and then log out and the password is changed, the change is made only on the machine to which the target account and target application specified in the credential source belong, not on the rest of the machines in the device group.

The next time I try to log in to one of the machines in the group, login will fail unless it is the machine to which the credential source is connected, because the other machines still have the old password.

Environment

CA PAM, multiple versions

Resolution

The easiest option in this case, where the same target account and target application are defined for multiple machines, is to define a compound target account:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/add-target-accounts-and-aliases.html

Then assign the compound target account as the credential source for the device group.

The way this works is that when the password for the compound target account is changed, a password change is triggered for the same account on all servers listed as members of the compound account.

Note, however, that updating the account password on all servers in a compound target account may take a considerable amount of time if their number is large.
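
The check below is an added example, not part of the original article and not CA PAM code: a small Python audit that flags device groups whose credential source would leave other servers with a stale password after a rotation. The inventory layout, field names and sample values are hypothetical and constructed for illustration; they do not reflect a CA PAM export format.

```python
from collections import defaultdict

# Constructed inventory; field names are hypothetical, not a CA PAM schema.
ACCOUNTS = [
    {"id": 1, "device": "srv1", "application": "unix-app", "name": "svcadmin"},
    {"id": 2, "device": "srv2", "application": "unix-app", "name": "svcadmin"},
    {"id": 3, "device": "srv3", "application": "unix-app", "name": "svcadmin"},
    # Compound target account: rotating it updates every listed member server.
    {"id": 9, "application": "unix-app", "name": "svcadmin",
     "compound_members": ["srv1", "srv2", "srv3"]},
]
GROUP_SINGLE = {"name": "unix-prod", "devices": ["srv1", "srv2", "srv3"],
                "credential_sources": [1]}
GROUP_COMPOUND = {**GROUP_SINGLE, "credential_sources": [9]}


def rotation_coverage(account):
    """Devices whose password actually changes when this account is rotated."""
    members = account.get("compound_members")
    return set(members) if members else {account["device"]}


def find_stale_devices(group, accounts):
    """Map (account name, application) -> group devices left on the old password."""
    by_id = {a["id"]: a for a in accounts}
    covered = defaultdict(set)
    for acc_id in group["credential_sources"]:
        acc = by_id[acc_id]
        covered[(acc["name"], acc["application"])] |= rotation_coverage(acc)

    stale = {}
    for key, devices in covered.items():
        # Group members that define an account with the same name and application.
        sharing = {a["device"] for a in accounts
                   if "device" in a
                   and (a["name"], a["application"]) == key
                   and a["device"] in group["devices"]}
        missed = sorted(sharing - devices)
        if missed:
            stale[key] = missed
    return stale


if __name__ == "__main__":
    for grp in (GROUP_SINGLE, GROUP_COMPOUND):
        print(grp["credential_sources"], find_stale_devices(grp, ACCOUNTS))
```

An empty result means every server sharing the account is covered by the rotation; a non-empty result lists the servers on which a later login would fail.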