When trying to verify a target account in Active Directory, PAM will occasionally come back with the error message "PAM-CM-3433: Certificate cannot be retrieved from the domain controller".
Privileged Access Manager, all versions
The Tomcat logs show the following errors, which indicate that one of the domain controllers did not have a certificate applied.
2022-09-27T18:29:53.159+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate Failed to retrieve certificate from DC at 'null, hostName=<DomainController3>.example.com, port=636', port=636
2022-09-27T18:29:53.159+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer Failed authentication to Active Directory using account <TargetAccountOnDomain>
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate cannot be retrieved from the domain controller
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1345)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1189)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyPasswordInActiveDirectory(WindowsDomainServiceTargetManager.java:793)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(WindowsDomainServiceTargetManager.java:756)
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(WindowsDomainServiceTargetManager.java:1910)
at com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:676)
Caused by: com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate cannot be retrieved from the domain controller
at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1340)
... 5 more
Please ensure all domain controllers within a domain are configured for LDAPS with the proper certificate applied.
If you have access to the openssl tool, you can run the following command against each domain controller:
openssl s_client -connect <domain controller>:636
A certificate (a -----BEGIN CERTIFICATE----- block) should come back in the output. A domain controller that returns no certificate is the one that needs its LDAPS certificate applied.
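Since every domain controller in the domain has to be checked, the script below (an added example, not part of this article or the PAM product) probes each listed DC on port 636 the way the openssl command above does and flags any DC that returns no certificate. It assumes openssl is in PATH; the host names and the sample transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example: probe each domain controller on the LDAPS port with
# "openssl s_client" and report any DC that hands back no certificate.
# True when an s_client transcript on stdin contains a PEM certificate block.
has_certificate() {
    grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Print only the first (leaf) PEM certificate from an s_client transcript on stdin.
extract_leaf_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Probe one DC. Returns 1 when no certificate comes back, which is the
# condition behind PAM-CM-3433; otherwise prints the subject and expiry.
check_dc() {
    host=$1
    port=${2:-636}
    # -servername sends SNI; </dev/null closes stdin so s_client exits after the handshake.
    transcript=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    if ! printf '%s\n' "$transcript" | has_certificate; then
        printf 'FAIL %s:%s no certificate returned\n' "$host" "$port"
        return 1
    fi
    printf 'OK   %s:%s ' "$host" "$port"
    printf '%s\n' "$transcript" | extract_leaf_cert | openssl x509 -noout -subject -enddate
}

# Check every DC given on the command line; fail if any DC lacks a certificate.
check_all_dcs() {
    failures=0
    for dc in "$@"; do
        check_dc "$dc" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed transcript fragments (not real openssl output) used to exercise the parsers offline.
SAMPLE_WITH_CERT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate
-----END CERTIFICATE-----
subject=CN=dc1.example.com'
SAMPLE_NO_CERT='CONNECTED(00000003)
no peer certificate available'

# Usage: sh check_ldaps.sh dc1.example.com dc2.example.com dc3.example.com
if [ $# -gt 0 ]; then
    check_all_dcs "$@"
fi
```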