Trying to verify a domain account with the correct password, while connected to the correct domain controller, results in the following error messages in the Tomcat log:
2024-03-27T09:20:14.508+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.ADLdapContext.createLdapContext Exception when creating LDAP Context null
java.security.PrivilegedActionException: java.security.PrivilegedActionException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52f, v4563 ]
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at com.cloakware.cspm.server.plugin.targetmanager.ADLdapContext.createLdapContext(ADLdapContext.java:95)
This happens even after it has been verified that the username and password are correct, that there is connectivity to the Active Directory target application the target account is defined for, and that the user can independently log on to Windows with the same username and password.
While the target account is being verified, the Active Directory logs record messages about an incorrect username and password.
CA PAM, all versions
This error may occur when the target account being rotated or verified is a member of the Protected Users group. CA PAM does not support rotating or verifying passwords of users who are members of this special Windows group.
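The Active Directory sub-code in the "data" field of the LDAP error 49 response is what separates this case from a genuine bad password: 52e means the credentials were rejected, while 52f means the bind was refused by an account restriction, which is how the Protected Users case described in this article surfaces. The following triage helper is an added example and not part of CA PAM; it parses the Tomcat log line shown above and maps the sub-code using the well-known AD bind error table. The second sample line (data 52e) is constructed for illustration.

```python
import re
from typing import Optional

# Active Directory sub-codes returned in the "data" field of an LDAP
# error 49 (invalidCredentials) bind response. These are the documented
# Windows logon error codes and are stable across AD versions.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "52f": "account restriction (e.g. Protected Users group membership, as described in this article)",
    "530": "logon not permitted at this time of day",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AcceptSecurityContext diagnostic string AD embeds in the bind error.
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

# Log line taken from this article.
PAGE_LOG_LINE = (
    "java.security.PrivilegedActionException: javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: "
    "AcceptSecurityContext error, data 52f, v4563 ]"
)

# Constructed sample: what a real wrong-password failure looks like (data 52e).
CONSTRUCTED_52E_LINE = (
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ]"
)


def classify_ldap_error(line: str) -> Optional[dict]:
    """Return a structured reading of an AD LDAP error 49 line, or None if absent."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "code": int(m.group("code")),
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
        # Only 52e actually indicates the supplied password was wrong.
        "credential_problem": data == "52e",
    }


def triage(lines) -> list:
    """Classify every line that carries an LDAP error 49 diagnostic."""
    results = []
    for n, line in enumerate(lines, start=1):
        parsed = classify_ldap_error(line)
        if parsed is not None:
            parsed["line_no"] = n
            results.append(parsed)
    return results


if __name__ == "__main__":
    for r in triage([PAGE_LOG_LINE, "unrelated INFO line", CONSTRUCTED_52E_LINE]):
        verdict = "check the password" if r["credential_problem"] else "check account restrictions"
        print(f"line {r['line_no']}: data {r['data']} -> {r['meaning']} ({verdict})")
```

Running this over the Tomcat log before opening a ticket tells you immediately whether the failure is worth re-checking the credential (52e) or whether, as here, the account itself is restricted (52f) and group membership should be inspected.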
Remove the user from the Protected Users group.
More information about the Protected Users group can be found in the following Microsoft reference:
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group