Reason for PAM A2A 401 issue on a password retrieval request
Article ID: 231187

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

An A2A client request fails with error code 401. Error code 401 is the client return code raised when the A2A client "Failed to authenticate with the Password Authority service" (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-0-1/reference/messages-and-log-formats/credential-manager-client-return-codes.html). This document discusses this failure and its safety net in detail.

Environment

Release : 4.1.X 

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

On an A2A client request to PAM, the current fingerprint of the A2A client does not match the fingerprint that PAM holds in its database, which was captured during an earlier registration of that A2A client.

Resolution

Open a Support case when you see an A2A 401 error in your A2A client logs. Attach your PAM logs.bin file to the case so that the support engineer can analyze it and point you to the relevant log footprint.

Note that when PAM encounters a fingerprint mismatch like the one in this case, it tries a Reverse DNS Lookup using the IP address of the A2A request; if a match is found, the A2A request is authenticated and the A2A 401 return is prevented. Essentially, the server where PAM is configured should allow for Reverse DNS Lookup.

Additional Information

The safety net in PAM for this situation is to do a Reverse DNS Lookup using the IP address the A2A request originated from. In this case the customer had not configured Reverse DNS Lookup, hence 401 was returned to the client.

Note that currently, when PAM detects a fingerprint mismatch and a Reverse DNS Lookup authenticates the A2A request, PAM does not store the new A2A fingerprint in the PAM database. The only way to get a new fingerprint into the PAM database is to re-register the A2A client with PAM.

The A2A client fingerprint is comprised of:
1. MAC address
2. Machine ID

Below is an example of the logged fingerprint for a server address, say 10.xxx.xx.xxx. It illustrates the situation where the current server fingerprint did not match the fingerprint the server was registered with in PAM: a change in the MAC address and/or the machine ID was detected after the earlier registration.

Nov 30, 2021 3:20:18 PM com.cloakware.cspm.server.security.SecurityContextFactory createClientSecurityContext
INFO: SecurityContextFactory.createClientSecurityContext Failed: Invalid request server - fingerprint: 

<?xml version="1.0" encoding="utf-8" ?>
<nodeid>
<macaddr>X1:X2:X3:X4:X5:X6</macaddr>
<macaddr>Y1:Y2:Y3:Y4:Y5:Y6</macaddr>
<machineid>4_3acb0bdc_0_0-Intel-PIIX4_Internal_IDE_Channel</machineid>
<applicationtype>cspm</applicationtype>
</nodeid>
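The following is an added example, not part of this article or of PAM itself. It parses the <nodeid> fingerprint block from a 401 log entry like the one above, reports which component (MAC address or machine ID) changed relative to the registered fingerprint, and models the decision the article describes: exact match passes, a reverse DNS match on the client IP is the fallback, otherwise 401. The registered fingerprint, the client IP, host name and PTR table are constructed sample values, and the resolver is injected so the script runs offline.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

Fingerprint = Dict[str, object]

def parse_nodeid(xml_text: str) -> Fingerprint:
    """Pull the fingerprint components out of a <nodeid> block as PAM logs it."""
    root = ET.fromstring(xml_text.strip())
    return {
        "macaddr": sorted((m.text or "").strip().lower() for m in root.findall("macaddr")),
        "machineid": (root.findtext("machineid") or "").strip(),
    }

def fingerprint_diff(registered: Fingerprint, current: Fingerprint) -> List[str]:
    """Name the components that changed since registration (empty list means a match)."""
    return [k for k in ("macaddr", "machineid") if registered[k] != current[k]]

def authorize(registered: Fingerprint, current: Fingerprint, client_ip: str,
              registered_host: str, reverse_dns: Callable[[str], Optional[str]]) -> Tuple[int, str]:
    """Model of the article's decision: fingerprint match, else reverse DNS fallback, else 401."""
    changed = fingerprint_diff(registered, current)
    if not changed:
        return 200, "fingerprint matches registration"
    # Fallback: the PTR record for the client IP must resolve to the registered host name.
    host = reverse_dns(client_ip)  # injected resolver; a live check would use socket.gethostbyaddr
    if host and host.lower() == registered_host.lower():
        return 200, f"changed {changed}, but reverse DNS for {client_ip} matched {host}"
    return 401, f"changed {changed}, and no reverse DNS match for {client_ip}"

# Constructed sample: fingerprint captured at registration (machine ID differs from the log).
REGISTERED_XML = """<nodeid>
<macaddr>X1:X2:X3:X4:X5:X6</macaddr>
<macaddr>Y1:Y2:Y3:Y4:Y5:Y6</macaddr>
<machineid>4_3acb0bdc_0_0-OLD_IDE_Channel</machineid>
<applicationtype>cspm</applicationtype>
</nodeid>"""
# The <nodeid> block from the 401 log entry quoted in the article.
CURRENT_XML = """<?xml version="1.0" encoding="utf-8" ?>
<nodeid>
<macaddr>X1:X2:X3:X4:X5:X6</macaddr>
<macaddr>Y1:Y2:Y3:Y4:Y5:Y6</macaddr>
<machineid>4_3acb0bdc_0_0-Intel-PIIX4_Internal_IDE_Channel</machineid>
<applicationtype>cspm</applicationtype>
</nodeid>"""
CLIENT_IP, CLIENT_HOST = "10.0.0.25", "a2a-client01.example.com"  # constructed values
PTR_TABLE = {CLIENT_IP: CLIENT_HOST}                                # constructed PTR records
def no_ptr(ip: str) -> Optional[str]: return None                   # PAM host without reverse DNS
def ptr_lookup(ip: str) -> Optional[str]: return PTR_TABLE.get(ip)  # reverse DNS available
```

Calling authorize() with no_ptr reproduces the 401 from the article, while ptr_lookup shows the same mismatch being let through by the reverse DNS safety net.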