Debugging MSSQL target account problems

Article ID: 226819

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When trying to update an MSSQL target account, we get error

PAM-CM-0758: Failed to synchronize password with target. If this problem persists then please ask your Administrator to investigate.

We have the tomcat log level at INFO and looked for the target account name or target server name in the log, but couldn't find either. How can we debug problems like this on a busy system that also logs a lot of other messages, making it difficult to see which log message belongs to which activity?

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The MSSQL target connector does not have verbose logging. All the work is done by the MSSQL JDBC driver.

Resolution

Look for string "com.microsoft.sqlserver.jdbc" in the tomcat log. In this case the following severe message was logged:

Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke -1: Password validation failed. The password for the user is too recent to change.
com.microsoft.sqlserver.jdbc.SQLServerException: Password validation failed. The password for the user is too recent to change.
 at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:216)

...

This made clear that the password could not be updated because it had not yet reached the minimum password age configured in the credential source (MS SQL). In general we recommend not configuring any minimum password age in the credential source for credentials managed by PAM.

This message was followed by a generic "UpdateTargetAccountCmd" exception, and after that we see information on the target account in a message logged at level INFO:

Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountVerifiedFalseCmd validateParameters
INFO: UpdateTargetAccountDescriptorCmd.validate accountID:34674001

From this message we know that the ID of the target account for which the update failed is 34674001. This ID is not shown in the PAM UI. To confirm that this is the account we tried to update, we can use API calls to get information on the account. For example, the following remote CLI command returns it:

./capam_command -n <pam server> -u <pam user> -p <password> cmdName=searchTargetAccount TargetAccount.ID=34674001
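The correlation described above (find the SEVERE record carrying the JDBC exception, then the INFO record shortly after it that names the accountID) can be scripted so it works on a busy log. The following is an added example, not code from Broadcom/CA or from PAM itself. It assumes the tomcat log uses the two-line java.util.logging format seen in the excerpts (a timestamp/logger/method header line followed by a "LEVEL: message" line, with stack-trace lines after that). The sample log embedded in the script is constructed for the example; the class name SomeOtherCmd and the "generic exception" text are placeholders standing in for the unrelated and generic messages a real log would contain.

```python
import re
from datetime import datetime, timedelta

# Header line of a java.util.logging record, e.g.
# "Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<logger>\S+) (?P<method>\S+)$"
)
# Second line of a record: "SEVERE: ..." / "INFO: ..."
LEVEL_RE = re.compile(r"^(?P<level>[A-Z]+): (?P<msg>.*)$")
ACCOUNT_RE = re.compile(r"accountID:(\d+)")
JDBC_MARKER = "com.microsoft.sqlserver.jdbc"
TS_FORMAT = "%b %d, %Y %I:%M:%S %p"

# Constructed sample log: one unrelated record, the JDBC failure from the
# article, a generic follow-up exception, then the INFO line naming the account.
SAMPLE_LOG = """\
Oct 21, 2021 9:13:05 PM com.cloakware.cspm.server.app.impl.SomeOtherCmd invoke
INFO: unrelated activity on a busy system (constructed noise line)
Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke -1: Password validation failed. The password for the user is too recent to change.
com.microsoft.sqlserver.jdbc.SQLServerException: Password validation failed. The password for the user is too recent to change.
 at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:216)
Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd invoke
SEVERE: UpdateTargetAccountCmd.invoke: generic exception (constructed placeholder)
Oct 21, 2021 9:13:06 PM com.cloakware.cspm.server.app.impl.UpdateTargetAccountVerifiedFalseCmd validateParameters
INFO: UpdateTargetAccountDescriptorCmd.validate accountID:34674001
"""


def parse_records(log_text):
    """Split the log into records: header line, level/message line, trailing detail lines."""
    records = []
    current = None
    expect_level = False
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "ts": datetime.strptime(header["ts"], TS_FORMAT),
                "logger": header["logger"],
                "method": header["method"],
                "level": None,
                "msg": "",
                "detail": [],  # exception and stack-trace lines
            }
            records.append(current)
            expect_level = True
            continue
        if current is None:
            continue  # text before the first record header
        if expect_level:
            expect_level = False
            level = LEVEL_RE.match(line)
            if level:
                current["level"] = level["level"]
                current["msg"] = level["msg"]
                continue
        current["detail"].append(line)
    return records


def find_failed_mssql_updates(log_text, window_seconds=5):
    """Pair each SEVERE record carrying a JDBC exception with the next record
    that names an accountID, provided it is logged within window_seconds."""
    records = parse_records(log_text)
    window = timedelta(seconds=window_seconds)
    results = []
    for i, rec in enumerate(records):
        text = "\n".join([rec["msg"], *rec["detail"]])
        if rec["level"] != "SEVERE" or JDBC_MARKER not in text:
            continue
        # The driver's own message is the first detail line naming the JDBC exception class.
        jdbc_lines = [d for d in rec["detail"] if d.startswith(JDBC_MARKER)]
        jdbc_error = jdbc_lines[0].split(": ", 1)[1] if jdbc_lines else rec["msg"]
        account_id = None
        for later in records[i + 1:]:
            if later["ts"] - rec["ts"] > window:
                break  # too far away to belong to the same update attempt
            m = ACCOUNT_RE.search(later["msg"])
            if m:
                account_id = int(m.group(1))
                break
        results.append({"ts": rec["ts"], "error": jdbc_error, "account_id": account_id})
    return results


if __name__ == "__main__":
    for hit in find_failed_mssql_updates(SAMPLE_LOG):
        print(f"{hit['ts']}  accountID={hit['account_id']}  {hit['error']}")
```

Run it against a real catalina/tomcat log by replacing SAMPLE_LOG with the file contents; the account_id it prints is the value to feed into the capam_command or REST calls that follow. If a SEVERE record has no accountID within the window, account_id stays None, which is the signal to widen the window or inspect that region of the log by hand.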

The Rest API can be used as well:

GET /api.php/v1/devices.json   -> returns the devices; use it to get the ID of the MS SQL database device

GET /api.php/v1/devices.json/{id}/targetApplications  -> returns the target applications of the device ID found in the previous call; note the target application ID

GET /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts/{accountId} -> returns detailed information for the device, target application and target account IDs from above (accountId being the ID found in the log)