PAM A2A Return Code 446 and 447 for PowerShell Scripts

Article ID: 275599

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

While configuring and testing A2A with PowerShell scripts, we run into problems protecting the account once the "Check Execution Path" and "Check File Path" options are enabled on the authorization mapping. With these options enabled we see the following errors.

PS C:\cspm\cloakware\cspmclient\examples> C:\cspm\cloakware\cspmclient\examples\example.ps1 ps1alias
Return Code: 446
User ID: null
Password: null

error.code.446=Authorization mapping validation error. Invalid execution path specified for request script.
error.code.447=Authorization mapping validation error. Invalid file path specified for request script.

Environment

Release : 4.x

Cause

Reviewing the logs, we can see:

2023-11-01T12:32:55.983+0000 INFO [TP2] com.cloakware.cspm.server.app.impl.RegisterRequestServerCmd.validateParameters RegisterRequestServerCmd.validateParameters hostname:10.10.10.10, ip:10.10.10.10,, port:null, version:4.12.3, clientType:java osName:Windows 10, osVersion:10.0, osArch:amd64 fipsEnabled:true clientToken:ace328afdf7c13019f3e11824cb3c399 fingerprint:eXgTVG5ej9yMW9WvYZi4tTcSBA4= nodeIdXML:<?xml version="1.0" encoding="utf-8" ?><nodeid><macaddr>42:01:0A:FD:25:A0</macaddr><machineid></machineid><applicationtype>cspm</applicationtype></nodeid>
2023-11-01T12:32:55.988+0000 INFO [TP2] com.cloakware.cspm.server.app.impl.GetScriptCredentialsCmd.validateParameters hostname:10.10.10.10, ip:10.10.10.10, port:null, version:4.12.3, clientType:java osName:Windows 10, osVersion:10.0, osArch:amd64 fipsEnabled:true, clientToken:ace328afdf7c13019f3e11824cb3c399 fingerprint:eXgTVG5ej9yMW9WvYZi4tTcSBA4= nodeIdXML:<?xml version="1.0" encoding="utf-8" ?><nodeid><macaddr>00:00:00:00:00:00</macaddr><machineid></machineid><applicationtype>cspm</applicationtype></nodeid>, targetAliasName=ps1alias, scriptName=powershell.exe, scriptFilePath=C:\Windows\System32\WindowsPowerShell\v1.0, scriptExePath=C:\cspm\cloakware\cspmclient\examples, scriptHash=78d990d776f078517696a2415375ac9ebdf5d49a, executionUID=<My User>
2023-11-01T12:32:55.994+0000 INFO [TP2] com.cloakware.cspm.server.app.impl.GetScriptCredentialsCmd.checkForGroupBasedScriptAuth No script in DB named powershell.exe. Checking request groups using a dummy script
2023-11-01T12:32:55.998+0000 INFO [TP2] com.cloakware.cspm.server.app.impl.GetScriptCredentialsCmd.checkForGroupBasedScriptAuth No script in DB named powershell.exe. Checking request groups using a dummy script
2023-11-01T12:32:56.004+0000 WARNING [TP2] com.cloakware.cspm.server.app.impl.GetScriptCredentialsCmd.invoke GetScriptCredentials failed to retrieve credentials for request { targetAliasName=ps1alias, scriptName=powershell.exe, scriptFilePath=C:\Windows\System32\WindowsPowerShell\v1.0, scriptExePath=C:\cspm\cloakware\cspmclient\examples, executionUID=<My User>, requestServerHostname=10.10.10.10, clientType=java, osName=Windows 10, osVersion=10.0, osArchitecture=amd64, version=4.12.3, hash=78d990d776f078517696a2415375ac9ebdf5d49a, reason:GetScriptCredentials.invoke script authorization not found for script name.}

Resolution

All the important information can be found in the Tomcat diagnostic logs (catalina.out), available under Configuration > Diagnostics > Download Recent Log Entries. The request record in the GetScriptCredentials WARNING line shows exactly which script name, file path and execution path the A2A client reported for the request:

 { targetAliasName=ps1alias, scriptName=powershell.exe, scriptFilePath=C:\Windows\System32\WindowsPowerShell\v1.0, scriptExePath=C:\cspm\cloakware\cspmclient\examples, executionUID=<My User>, requestServerHostname=10.10.10.10, clientType=java, osName=Windows 10, osVersion=10.0, osArchitecture=amd64, version=4.12.3, hash=78d990d776f078517696a2415375ac9ebdf5d49a, reason:GetScriptCredentials.invoke script authorization not found for script name.}
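As an added example (not from this article and not CA PAM's own code), the Python below pulls the request record out of a catalina.out line like the one above and compares it with the values an authorization mapping would hold. SAMPLE_LOG is the article's own WARNING line; the mapping dictionary shape, the function names mapping_from_request and classify_mismatch, and the order in which the two path checks are applied are assumptions of this example, not PAM's implementation. Only the return codes 446 and 447 and their meanings come from the article.

```python
"""Parse a GetScriptCredentials request record from catalina.out and check
it against the values an A2A authorization mapping needs (added example)."""
import re

# Constructed sample: the WARNING line quoted in the article.
SAMPLE_LOG = (
    "2023-11-01T12:32:56.004+0000 WARNING [TP2] "
    "com.cloakware.cspm.server.app.impl.GetScriptCredentialsCmd.invoke "
    "GetScriptCredentials failed to retrieve credentials for request "
    "{ targetAliasName=ps1alias, scriptName=powershell.exe, "
    "scriptFilePath=C:\\Windows\\System32\\WindowsPowerShell\\v1.0, "
    "scriptExePath=C:\\cspm\\cloakware\\cspmclient\\examples, "
    "executionUID=<My User>, requestServerHostname=10.10.10.10, "
    "clientType=java, osName=Windows 10, osVersion=10.0, "
    "osArchitecture=amd64, version=4.12.3, "
    "hash=78d990d776f078517696a2415375ac9ebdf5d49a, "
    "reason:GetScriptCredentials.invoke script authorization not found "
    "for script name.}"
)

# Return codes as documented by the article's error.code.446/447 messages.
EXEC_PATH_ERROR = 446   # invalid execution path specified for request script
FILE_PATH_ERROR = 447   # invalid file path specified for request script


def parse_request(line):
    """Return the key=value fields inside the braces of a request record,
    or None when the line carries no such record."""
    match = re.search(r"\{(.*)\}", line)
    if not match:
        return None
    fields = {}
    for part in match.group(1).split(", "):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        elif part.startswith("reason:"):
            # The failure reason uses a colon rather than '='.
            fields["reason"] = part[len("reason:"):]
    return fields


def mapping_from_request(request):
    """Values the authorization mapping must match for this request.
    Note the client reports the interpreter (powershell.exe) as the script
    name, its install directory as the file path, and the directory the
    .ps1 was launched from as the execution path."""
    return {
        "scriptName": request["scriptName"],
        "filePath": request["scriptFilePath"],
        "execPath": request["scriptExePath"],
        "hash": request["hash"],
    }


def classify_mismatch(request, mapping):
    """Illustrative check (an assumption, not PAM's code): return None when
    no mapping exists for the script name, 446 or 447 for a path mismatch,
    and 0 when the mapping matches. Windows paths compare case-insensitively."""
    if mapping["scriptName"].lower() != request["scriptName"].lower():
        return None  # "script authorization not found for script name"
    if mapping["execPath"].lower() != request["scriptExePath"].lower():
        return EXEC_PATH_ERROR
    if mapping["filePath"].lower() != request["scriptFilePath"].lower():
        return FILE_PATH_ERROR
    return 0


if __name__ == "__main__":
    req = parse_request(SAMPLE_LOG)
    for key, value in mapping_from_request(req).items():
        print(f"{key}: {value}")
    print("reason:", req["reason"])
```

Running this against the article's log line lists the four values (script name, file path, execution path, hash) that the mapping has to carry; feeding a mapping with a different execution path or file path into classify_mismatch yields 446 or 447 respectively, which is the same pairing the error.code messages above describe.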

Configure the following based on this example