Error 551 rotating password via Windows Remote Connector in CA PAM

Article ID: 373620

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Password rotation on a Windows machine by means of the Windows Remote connector always fails.

In the SMBServer Security event log on the target Windows system, the following error appears every time there is an attempt to change the password:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{d48ce617-33a2-4bc3-a5c7-11aa4f29619e}" />
    <EventID>551</EventID>
    <Version>2</Version>
    <Level>2</Level>
    <Task>551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x810000000000008</Keywords>
    <TimeCreated SystemTime="2024-06-26T13:21:56.092311700Z" />
    <EventRecordID>14</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="1632" />
    <Channel>Microsoft-Windows-SMBServer/Security</Channel>
    <Computer>W-TEST-WEB-03</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <SessionGUID>{61c9d872-c7a6-0001-a629-ca61a6c7da01}</SessionGUID>
      <ConnectionGUID>{61c9d872-c7a6-0001-a529-ca61a6c7da01}</ConnectionGUID>
      <Status>0xc000006d</Status>
      <TranslatedStatus>0xc000006d</TranslatedStatus>
      <ClientAddressLength>16</ClientAddressLength>
      <ClientAddress>0200A6E20A016B830000000000000000</ClientAddress>
      <SessionId>0x100000000079</SessionId>
      <UserNameLength>0</UserNameLength>
      <UserName>
      </UserName>
      <ClientNameLength>14</ClientNameLength>
      <ClientName>\\<Client_IP></ClientName>
      <SPN>session setup failed before the SPN could be queried</SPN>
      <SPNValidationPolicy>0</SPNValidationPolicy>
    </EventData>
  </UserData>
</Event>
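
Decoding the raw fields of the event above, as an added example that is not part of the original article or of CA PAM. It assumes ClientAddress holds a raw Windows sockaddr structure, uses a trimmed copy of the event as constructed sample input, and its function names are illustrative.

```python
import ipaddress
import struct
import xml.etree.ElementTree as ET

# Constructed sample: the event from this article, trimmed to the fields decoded here.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>551</EventID>
    <TimeCreated SystemTime="2024-06-26T13:21:56.092311700Z" />
    <Computer>W-TEST-WEB-03</Computer>
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <Status>0xc000006d</Status>
      <ClientAddress>0200A6E20A016B830000000000000000</ClientAddress>
      <UserName></UserName>
    </EventData>
  </UserData>
</Event>"""
# A few logon-related NTSTATUS codes; anything else is reported as raw hex.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006C: "STATUS_PASSWORD_RESTRICTION",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
AF_INET, AF_INET6 = 2, 23  # Windows address-family values

def decode_client_address(hex_blob):
    """Assumption: raw sockaddr, family little-endian, port big-endian, then address."""
    raw = bytes.fromhex(hex_blob)
    family, = struct.unpack_from("<H", raw, 0)
    port, = struct.unpack_from(">H", raw, 2)
    if family == AF_INET and len(raw) >= 8:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == AF_INET6 and len(raw) >= 24:  # address follows 4 bytes of flowinfo
        return str(ipaddress.IPv6Address(raw[8:24])), port
    raise ValueError(f"unsupported sockaddr family {family}")

def summarize_551(xml_text):
    """Return the triage-relevant fields of one exported SMBServer 551 event."""
    f = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        f[name] = el.get("SystemTime") or (el.text or "").strip()
    status = int(f["Status"], 16)
    ip, port = decode_client_address(f["ClientAddress"])
    return {"computer": f["Computer"], "time": f["TimeCreated"],
            "status": NTSTATUS.get(status, hex(status)),
            "client_ip": ip, "client_port": port, "user": f["UserName"]}
```

For the event above, the status decodes to STATUS_LOGON_FAILURE with an empty user name, and the decoded client address can be compared with the host that initiates the password change.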

The Tomcat catalina log shows the following:

2024-07-08T12:58:24.064+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager.updateWindowsCredentials Updating credential for account <account_name> on server <Server IP> by OWN account with net rpc didn't succeed
Reason: [machine <Server IP> rejected the password change: Error was : Password restriction.
]. Use rwin to do this operation again.

The issue persists even though the account is able to change its own password and administrative shares such as ADMIN$ or IPC$ are available.

Environment

CA PAM all supported versions

Resolution

Checking the "Force password change" checkbox in the Target Account configuration, under the Windows Remote tab, allows the password change procedure to complete successfully.