Unable to discover services using Windows Proxy for AD account without UPN


Article ID: 268947


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have Active Directory target accounts that run services on Windows hosts. We are managing the account password with PAM and therefore need to update the services when the password is changed. But when we run a service discovery using a Windows Proxy that has access to the target server, no services are discovered.

Environment

Release : Applies to any PAM release as of June 2023.

Cause

Checking the Windows Proxy log, C:\cspm_agent\cloakware\cspmclient\log\cspm_client_log.txt, after temporarily changing the log level in ..\config\cspm_client_config.xml to "FINE" and restarting the service, we find that the service discovery is performed for the wrong account. The user name the Proxy tries to discover services for is the UPN of the service account configured as "Use the following account to change password", not the target account. This only happens when the target account itself does not have a UPN.

Resolution

Active Directory users should have a UPN; most likely it was left unset by mistake. Adding the UPN in Active Directory should resolve the problem. It may be necessary to update the account in PAM, or re-create it, so that the PAM database picks up the new UPN. From that point on service discovery should work.
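To find the target accounts affected by this condition before running discovery again, the following PowerShell script (an added example, not part of the KB article or the PAM product) lists AD users under a given OU whose UserPrincipalName is unset and, with -Fix, sets one built from sAMAccountName and the domain DNS root. The OU in -SearchBase is a placeholder, the RSAT ActiveDirectory module is assumed, and the domain DNS root is assumed to be the desired UPN suffix.

```powershell
# Added example (not from the KB article): report AD accounts with no UPN and,
# optionally, set one. Assumes the ActiveDirectory RSAT module is installed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=ServiceAccounts,DC=example,DC=com',  # placeholder OU
    [switch]$Fix
)

Import-Module ActiveDirectory

# Assumption: the domain's DNS root is the UPN suffix you want (e.g. example.com).
$suffix = (Get-ADDomain).DNSRoot

# Accounts whose UserPrincipalName attribute is unset. These are the accounts
# for which the Windows Proxy discovers services under the wrong user name.
$missing = Get-ADUser -Filter 'UserPrincipalName -notlike "*"' -SearchBase $SearchBase

if (-not $missing) {
    Write-Host "No accounts without a UPN under $SearchBase"
    return
}

foreach ($u in $missing) {
    $upn = '{0}@{1}' -f $u.SamAccountName, $suffix
    Write-Host ('{0,-25} UPN missing -> candidate {1}' -f $u.SamAccountName, $upn)

    if ($Fix) {
        # UPNs must be unique in the forest; refuse to create a duplicate.
        $dup = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        if ($dup) {
            Write-Warning "Skipping $($u.SamAccountName): $upn already used by $($dup.DistinguishedName)"
            continue
        }
        # Honour -WhatIf / -Confirm before changing the directory.
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN to $upn")) {
            Set-ADUser -Identity $u -UserPrincipalName $upn
        }
    }
}
```

Run it without -Fix first to review the candidates; after setting the UPNs, update or re-create the affected target accounts in PAM so its database reflects the new values before re-running service discovery.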

As of June 2023 an internal defect is open with PAM Engineering to look into getting service discovery to work without a UPN.