What Domain Controller Was PAM Communicating With When An Error Occurred?

Article ID: 266277


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Active Directory target accounts in PAM are configured against a device called ldap.domain.com, a name that resolves to multiple domain controllers. PAM sporadically fails to verify or rotate the credentials of these Active Directory accounts, most likely because of a problem with one of the DCs in the environment. Is it possible to tell which DC PAM was connected to when the error occurred?

Environment

Privileged Access Manager, all versions

Resolution

When the Tomcat log level is set to Info, PAM logs its LDAPS communication with the domain controllers. During the TLS handshake the domain controller presents its certificate to identify itself, and PAM's trust manager writes that certificate to the Tomcat log as an entry like the following.

2023-05-17T21:50:42.621+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.security.CSPMTrustManager.checkServerTrusted CSPMTrustManager.checkServerTrusted certificate:
-----BEGIN CERTIFICATE-----
ABCD.....WXYZ
-----END CERTIFICATE-----

If a WindowsDomainServiceTargetManager error appears a few lines after such an entry, the failing operation was against the domain controller that presented that certificate.

Copy the certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE lines, paste it into Notepad and save the file with a .cer extension. Opening the file shows the server hostname the certificate was issued to. That hostname is the domain controller PAM was communicating with when the error occurred.
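The manual procedure above scales poorly when the failure is sporadic and the log is large. The following script, added here as an illustration and not code from CA or Broadcom, automates the same correlation: it walks a Tomcat log, decodes each PEM certificate block that PAM's trust manager logged, reads the subject CN and subject alternative DNS names out of the DER, and for every WindowsDomainServiceTargetManager error line reports the domain controller whose certificate was logged most recently before it. Assumptions to be aware of: the INFO certificate entry follows the format shown in this article, but the ERROR line format is a guess (it only needs to contain the word ERROR and the target manager class name); the two sample certificates are constructed in code and deliberately unsigned (all-zero signature), so they exercise the parser but would never pass trust validation; and the DER parser is intentionally minimal (CN and dNSName only). On a real log you would read the file instead of the constructed SAMPLE_LOG.

```python
import base64
import hashlib

# --- minimal DER encode/decode helpers (just enough for the X.509 fields we need) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b            # long-form length

def tlv(tag, body):
    """Encode one DER element: tag, length, contents."""
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, contents, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def children(buf):
    """All (tag, contents) elements packed back to back in buf."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

OID_CN = bytes.fromhex("550403")     # id-at-commonName      2.5.4.3
OID_SAN = bytes.fromhex("551d11")    # id-ce-subjectAltName  2.5.29.17

def cert_names(der):
    """Return (subject CN, [SAN dNSName, ...]) from a DER-encoded X.509 certificate."""
    tbs = children(read_tlv(der)[1])[0][1]         # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # now: serial, signatureAlgorithm, issuer, validity, subject, spki, [3] extensions
    cn = None
    for _, rdn in children(fields[4][1]):          # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == OID_CN:
                cn = val[1].decode()
    dns = []
    for tag, ext_block in fields[5:]:
        if tag != 0xA3:
            continue
        for _, ext in children(children(ext_block)[0][1]):
            parts = children(ext)                  # extnID, [critical], extnValue OCTET STRING
            if parts[0][1] == OID_SAN:
                for gtag, gval in children(children(parts[-1][1])[0][1]):
                    if gtag == 0x82:               # GeneralName dNSName is context tag [2]
                        dns.append(gval.decode())
    return cn, dns

def make_sample_cert(cn, dns_names):
    """Constructed sample for this demo: a structurally valid but UNSIGNED X.509 v3
    certificate (all-zero signature), enough to exercise cert_names()."""
    name = seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSAEncryption
    validity = seq(tlv(0x17, b"230101000000Z"), tlv(0x17, b"240101000000Z"))
    spki = seq(seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b"")), tlv(0x03, b"\x00\x00"))
    san = seq(*[tlv(0x82, d.encode()) for d in dns_names])
    extensions = tlv(0xA3, seq(seq(tlv(0x06, OID_SAN), tlv(0x04, san))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), sig_alg, name, validity, name, spki, extensions)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 33))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

ERROR_TOKEN = "WindowsDomainServiceTargetManager"

def correlate(log_text):
    """For each WindowsDomainServiceTargetManager ERROR line, report the domain
    controller whose certificate was logged most recently before it (None if no
    certificate entry precedes the error)."""
    results, last_dc, pem = [], None, None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        s = line.strip()
        if s == "-----BEGIN CERTIFICATE-----":
            pem = []
        elif s == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(pem))
            cn, dns = cert_names(der)
            last_dc = {"line": lineno, "cn": cn, "dns": dns, "sha256": hashlib.sha256(der).hexdigest()}
            pem = None
        elif pem is not None:
            pem.append(s)
        elif " ERROR " in line and ERROR_TOKEN in line:
            results.append({"error_line": lineno, "message": line, "dc": last_dc})
    return results

# Constructed sample log: the INFO certificate entries mirror the format in the article;
# the ERROR line format is an assumption, not taken from a real PAM log.
SAMPLE_LOG = "\n".join([
    "2023-05-17T21:50:42.621+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.security.CSPMTrustManager.checkServerTrusted CSPMTrustManager.checkServerTrusted certificate:",
    to_pem(make_sample_cert("dc01.domain.com", ["dc01.domain.com"])),
    "2023-05-17T21:50:43.100+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] verify credential succeeded (constructed sample)",
    "2023-05-17T21:51:10.004+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.security.CSPMTrustManager.checkServerTrusted CSPMTrustManager.checkServerTrusted certificate:",
    to_pem(make_sample_cert("dc02.domain.com", ["dc02.domain.com", "domain.com"])),
    "2023-05-17T21:51:12.338+0000 ERROR [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] update credential failed (constructed sample message)",
])

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        dc = r["dc"]
        print(f"error at line {r['error_line']}: last DC certificate (line {dc['line']}) "
              f"CN={dc['cn']} SAN={dc['dns']} sha256={dc['sha256'][:16]}...")
```

The SHA-256 fingerprint is included so that the DC can still be identified when a certificate carries only an internal name: compare it with the thumbprints of the certificates installed on each DC. When working by hand with the saved .cer file, `openssl x509 -in dc.cer -noout -subject -ext subjectAltName` prints the same subject and SAN fields that the Windows certificate viewer shows under "Issued to".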