PAM-CM-3433 Intermittently Occurring When Verifying AD Accounts
Article ID: 252325

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When verifying a target account in Active Directory, PAM occasionally returns the error message "PAM-CM-3433: Certificate cannot be retrieved from the domain controller".

Environment

Privileged Access Manager, all versions

Cause

The Tomcat logs show the following errors, which indicate that one of the domain controllers did not have a certificate applied.

2022-09-27T18:29:53.159+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate Failed to retrieve certificate from DC at 'null, hostName=<DomainController3>.example.com, port=636', port=636
2022-09-27T18:29:53.159+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer Failed authentication to Active Directory using account <TargetAccountOnDomain>
 com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate cannot be retrieved from the domain controller
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1345)
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectoryServer(WindowsDomainServiceTargetManager.java:1189)
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyPasswordInActiveDirectory(WindowsDomainServiceTargetManager.java:793)
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.verifyCredentials(WindowsDomainServiceTargetManager.java:756)
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.performUpdate(WindowsDomainServiceTargetManager.java:1910)
  at com.cloakware.cspm.server.app.TargetManager.run(TargetManager.java:676)
 Caused by: com.cloakware.cspm.server.app.ApplicationException: PAM-CM-3433: Certificate cannot be retrieved from the domain controller
  at com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.getAndSaveSSLCertificate(WindowsDomainServiceTargetManager.java:1340)
  ... 5 more

Resolution

Please ensure all domain controllers within a domain are configured for LDAPS with the proper certificate applied.
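
The log above names a single domain controller, so each DC has to be checked by its own hostname rather than through the domain name. The following is an added example, not part of the original article or of PAM: a Python script that connects to every DC given on the command line on port 636 and reports whether a certificate is presented. The function names are hypothetical, and the hostnames you pass are assumed to be the full list of DCs in the domain.

```python
import hashlib
import socket
import ssl


def fetch_ldaps_cert(host, port=636, timeout=5.0):
    """Return the DER certificate the server presents on its LDAPS port."""
    # Verification is deliberately off: the goal is only to learn whether a
    # certificate is presented at all, not to decide whether to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("handshake completed but no certificate was presented")
    return der


def audit_domain_controllers(hosts, fetch=fetch_ldaps_cert):
    """Probe every DC by name and return {host: (ok, detail)}."""
    results = {}
    for host in hosts:
        try:
            der = fetch(host)
            results[host] = (True, "sha256=" + hashlib.sha256(der).hexdigest())
        except OSError as exc:
            # Covers refused connections, timeouts, DNS failures and
            # failed TLS handshakes (ssl.SSLError is an OSError subclass).
            results[host] = (False, f"{type(exc).__name__}: {exc}")
    return results


def failing(results):
    """Hosts that did not present a certificate, sorted for stable output."""
    return sorted(h for h, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    import sys
    report = audit_domain_controllers(sys.argv[1:])
    for host, (ok, detail) in sorted(report.items()):
        print(f"{'OK  ' if ok else 'FAIL'} {host}:636 {detail}")
    sys.exit(1 if failing(report) else 0)
```

Run it from a host with network access to the DCs, passing each DC's FQDN as an argument; any line marked FAIL identifies a DC whose LDAPS configuration needs attention.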