Error "PAM-CMN-1176: A potential tampering attempt has been detected, the end-user's local system may be compromised. Session will be terminated." obtained during LDAP Synchronization

Article ID: 259793

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Sometimes, running an LDAP synchronization in CA PAM ends with the error

PAM-CMN-1176: A potential tampering attempt has been detected, the end-user's local system may be compromised. Session will be terminated.

and the PAM Client (if the synchronization is launched from a PAM Client) is terminated.

Following this error, subsequent synchronizations end with the same error.

Environment

CA PAM all releases

Cause

The error is due to the presence of a malformed attribute in one of the users being imported, which causes a false tampering alert.

If this is the root cause of the problem, a sequence of messages similar to the following will be present just before the one causing the end of the synchronization and disconnection of the CA PAM Client:

2023/02/07 15:27:12,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129, --, --, --, --, --,"PAM-CMN-1176: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Session will be terminated.",0, --,,0
2023/02/07 15:27:11,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129, --, --, --, --, --,"PAM-CMN-0622: Import Error For LDAP Group CN=XXX,OU=XXX,DC=XXX,DC=XX: PAM-LDAP-0035: Binding to domain DC=XXX,DC=lXX failed. Invalid LDAP admin password configured.",0, --,,0
2023/02/07 15:27:11,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129, --, --, --, --, --,"PAM-CMN-0622: Import Error For LDAP Group CN=XXX,OU=XXX,DC=XXX,DC=XX: PAM-LDAP-0037: Exception occurred while processing a search on entity DC=XXX,DC=XX: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 532, v3839 ]",0, --,,0

Or

2023/02/07 15:27:11,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129, --, --, --, --, --,"PAM-CMN-0622: Import Error For LDAP User CN=XXX,OU=XXX,DC=XXX,DC=XX: PAM-LDAP-0037: Invalid e-mail address

The problem is that one attribute of one of the users being onboarded contains a character which cannot be correctly processed. For instance, imagine an e-mail address of the form myemain@@mydomain.com, where the @ appears twice.

Resolution

Many times the error messages give information about which attribute is failing. For instance, the double @ may cause the product to believe we are trying to pass it a spoofed domain.
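As an added example (not code from the article or from CA PAM), the Python script below triages session-log lines in the format quoted above: it lists the PAM-CMN-0622 import errors recorded in the seconds before a PAM-CMN-1176 event, with the affected DN and PAM-LDAP sub-code, and it flags mail attribute values such as the double-@ case described in the Cause section. The sample log text, the 5-second window and the field layout are constructed assumptions based on the lines shown in the article.

```python
import csv
import re
from datetime import datetime

# Constructed sample modelled on the session-log lines quoted in the article
# (newest entry first; addresses and DNs anonymised with XXX as on the page).
SAMPLE_LOG = (
    '2023/02/07 15:27:12,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129,'
    ' --, --, --, --, --,"PAM-CMN-1176: A potential tampering attempt has been detected, the end-user\'\'s'
    ' local system may be compromised. Session will be terminated.",0, --,,0\n'
    '2023/02/07 15:27:11,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129,'
    ' --, --, --, --, --,"PAM-CMN-0622: Import Error For LDAP User CN=XXX,OU=XXX,DC=XXX,DC=XX:'
    ' PAM-LDAP-0037: Invalid e-mail address",0, --,,0\n'
    '2023/02/07 15:27:11,super,admin, --,TAP Administrators, --, --, --,10.XXX.198.129,10.XXX.198.129,'
    ' --, --, --, --, --,"PAM-CMN-0622: Import Error For LDAP Group CN=XXX,OU=XXX,DC=XXX,DC=XX:'
    ' PAM-LDAP-0035: Binding to domain DC=XXX,DC=XX failed. Invalid LDAP admin password configured.",0, --,,0\n'
)

# Message layout taken from the quoted PAM-CMN-0622 lines: entity kind, DN, PAM-LDAP code, detail.
IMPORT_ERR = re.compile(r"PAM-CMN-0622: Import Error For LDAP (Group|User) (.+?): (PAM-LDAP-\d+): (.*)")


def import_errors_before_tamper(log_text, window_seconds=5):
    """Return (kind, dn, ldap_code, detail) for each LDAP import error logged within
    `window_seconds` before the PAM-CMN-1176 event; empty list if no such event exists."""
    rows = [r for r in csv.reader(log_text.splitlines()) if r]   # the message field is double-quoted CSV

    def ts(row):
        return datetime.strptime(row[0], "%Y/%m/%d %H:%M:%S")

    def msg(row):
        return next((f for f in row if f.startswith("PAM-")), "")

    tamper = [r for r in rows if msg(r).startswith("PAM-CMN-1176")]
    if not tamper:
        return []
    t_end = ts(tamper[0])
    found = []
    for row in sorted(rows, key=ts):          # oldest first, so the output reads chronologically
        m = IMPORT_ERR.match(msg(row))
        if m and 0 <= (t_end - ts(row)).total_seconds() <= window_seconds:
            found.append(m.groups())
    return found


def is_malformed_mail(value):
    """True for values such as myemain@@mydomain.com: exactly one '@' is required,
    with a non-empty local part and domain and no whitespace anywhere."""
    local, sep, domain = value.partition("@")
    return not (sep and local and domain and "@" not in domain and not re.search(r"\s", value))
```

Run the triage over an exported session log to find the DN named in the last PAM-LDAP-0037 error, then check that user's mail attribute with is_malformed_mail before re-running the synchronization.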