Inconsistent dynamic addition of target accounts for device access

Article ID: 369784

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

RDP servers are configured as members of a device group that uses AD as its credential source. Access policies are configured for each user against the device group, and the RDP access method has a user-specific account assigned for auto-logon. Most devices also have a common local account that should be available for auto-logon. Users have custom roles with specific Credential Management user group assignments and are subject to the product feature "Dynamic Addition of Devices and Target Accounts to the Access Page Based on Target Group Membership". PAM is therefore expected to add the common account for auto-logon. It does so for most devices, but not for all, and there is no obvious difference in how the working and non-working devices and accounts are configured.

Environment

Affects releases up to 4.1.7, and also 4.2 GA, once released.

Cause

The problem devices had the name and address configured in PAM with different letter case, e.g. the name was entered as MYPAMSERVER and the address as mypamserver.example.com. Generally this should not matter, because device names should be case-insensitive. However, in one place a case-sensitive comparison between a name and an address was done while adding target accounts dynamically, and some accounts were dropped from the access page because of the mismatch.

Resolution

The problem is expected to be fixed in 4.1.8+ and 4.2.1+. As a workaround, change the device name or address so that it has the same case as the other.
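
To find the devices that need the workaround, the following added example (not Broadcom code) scans a device inventory for entries whose name matches the address, or its leading host labels, only when case is ignored. The CSV layout with `name` and `address` columns and the sample rows are assumptions constructed for illustration, as is the matching rule, since the article does not show the exact comparison PAM performs.

```python
import csv
import io

# Constructed sample inventory. The column names "name" and "address" are
# assumptions for this example, not the layout of a PAM export.
SAMPLE_CSV = """name,address
MYPAMSERVER,mypamserver.example.com
rdp01,rdp01.example.com
Rdp02.example.com,rdp02.example.com
jump-host,10.0.0.15
DB01,db02.example.com
"""


def differs_only_by_case(name, address):
    """True when name equals the address, or its leading host labels,
    under a case-insensitive comparison but not under a case-sensitive one."""
    name, address = name.strip(), address.strip()
    prefix, rest = address[:len(name)], address[len(name):]
    # Only accept a match that ends on a DNS label boundary, so that
    # "DB" is not treated as the host part of "db02.example.com".
    on_label_boundary = rest == "" or rest.startswith(".")
    return on_label_boundary and prefix.lower() == name.lower() and prefix != name


def find_affected(csv_text):
    """Return (name, address, suggested_name) for each device to review."""
    affected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, address = row["name"], row["address"]
        if differs_only_by_case(name, address):
            # Workaround from the article: make both fields use the same case.
            # Here the name is recased to match the address.
            suggested = address.strip()[:len(name.strip())]
            affected.append((name, address, suggested))
    return affected


if __name__ == "__main__":
    for name, address, suggested in find_affected(SAMPLE_CSV):
        print(f"{name!r} vs {address!r}: rename device to {suggested!r}")
```

Devices that the script does not flag but that still lose the common account on the access page need to be compared by hand.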