AD connector is not working properly with read timed out errors

Article ID: 369131

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You are getting errors when resetting or updating the password of AD (Active Directory) connector accounts that are updated by another account. You can verify passwords after synchronizing them manually with AD, but after the next failed password update attempt the verification fails again. Checking the account attributes and events on the AD side shows that the account password was in fact updated. Because PAM ran into an error and retained the old password, the account is out of sync and subsequent password verification attempts fail.

Environment

Applies to any PAM implementation integrated with Active Directory.

Cause

The password update itself succeeds, but PAM runs into a read timeout while waiting for the response from AD. The tomcat log (download from Configuration > Diagnostics > Diagnostic Logs > Download) shows errors similar to the following:

2024-06-04T13:48:25.479+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.LDAPModifyAttributesAction.performLDAPModifyAttributes Error modifying LDAP attributes: LDAP response read timed out, timeout used: 3000 ms.

In one known case the timeout was caused by AD performing a password complexity check that timed out on the AD domain controller, so the password update took slightly more than 10 seconds to complete. This was much too long for the default read timeout of 3 seconds in PAM.
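The failure mode described above, as an added illustration that is not part of the original article and does not use PAM or AD code: a constructed stand-in directory applies the password change immediately but acknowledges it only after a delay, while the constructed PAM-side client gives up after its read timeout. When the timeout is shorter than the delay the client reports failure and keeps its cached (old) password even though the directory already holds the new one, which is exactly the out-of-sync state that makes later verification fail. All names, ports and password values here are made up.

```python
import socket
import threading
import time


class SlowDirectory:
    """Constructed stand-in for an AD domain controller (not real LDAP).

    It stores one account password and takes `delay` seconds to acknowledge a
    MODIFY, mimicking the slow password-complexity check described above.
    """

    def __init__(self, delay):
        self.delay = delay
        self.password = "old-secret"  # constructed initial password
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral local port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        try:
            request = conn.recv(1024).decode()
            op, _, value = request.partition(" ")
            if op == "MODIFY":
                self.password = value  # the change is applied right away...
                time.sleep(self.delay)  # ...but the acknowledgement is late
                conn.sendall(b"OK")
        except OSError:
            pass  # client already gave up and closed the connection
        finally:
            conn.close()
            self.sock.close()


def modify_password(port, new_password, read_timeout):
    """PAM-side modify: True only if the directory acknowledged in time."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        conn.settimeout(read_timeout)  # the configurable read timeout
        conn.sendall(f"MODIFY {new_password}".encode())
        try:
            return conn.recv(1024) == b"OK"
        except socket.timeout:
            return False  # "LDAP response read timed out" analogue


def run_scenario(read_timeout, server_delay):
    """Run one password update and report whether both sides agree afterwards."""
    directory = SlowDirectory(server_delay)
    pam_cached = "old-secret"  # what PAM believes the password is
    acknowledged = modify_password(directory.port, "new-secret", read_timeout)
    if acknowledged:
        pam_cached = "new-secret"  # PAM commits the new value only on success
    directory.thread.join()  # wait for the directory to finish its work
    return {
        "acknowledged": acknowledged,
        "directory_password": directory.password,
        "pam_password": pam_cached,
        "in_sync": directory.password == pam_cached,
    }


if __name__ == "__main__":
    # Short timeout versus slow directory: update applied, client times out.
    print("timeout too short:", run_scenario(read_timeout=0.2, server_delay=0.6))
    # Raised timeout: the acknowledgement arrives and both sides stay in sync.
    print("timeout raised:   ", run_scenario(read_timeout=2.0, server_delay=0.6))
```

The delays are scaled down (0.2 s and 0.6 s instead of 3 s and 10 s) so the script runs quickly; the relationship between them is what matters.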

Resolution

The read timeout is configurable in the target application. If you see "LDAP response read timed out" messages in your tomcat log, try increasing the read timeout in the Active Directory target application, e.g. to 30 seconds as seen in the following screenshot:

[Screenshot: Active Directory target application settings with the read timeout set to 30 seconds]

If increasing the timeout does not resolve the problem and you continue to see the "read timed out" error shown above with the new timeout setting, the problem is most likely on the AD side. Engage your AD administrator and review the event logs on the AD domain controller that PAM connects to. Open a case with PAM Support if you conclude that the problem is on the PAM side.