When running a manual LDAP refresh on some appliances in the PAM cluster, the user is logged off and the following error is seen in the session logs. In some cases, it has been observed
PAM-CMN-1176: A potential tampering attempt has been detected, the end-user's local system may be compromised. Session will be terminated.
Privileged Access Manager 4.1.x with 4.1.5.50, 4.1.6.50, or 4.1.7.50 applied
Privileged Access Manager 4.2.0
When the LDAP refresh is run on an appliance other than the primary leader, a call is made to the primary leader to run the task. In this case, an issue with the call's syntax triggered the tampering alert on the primary leader because of the increased security added by the vulnerability hotfix.
The issue has been fixed as DE612189 in the 4.1.8 release and the 4.2.0.06 hotfix. As a workaround, please run manual LDAP refreshes from the cluster leader.
For a full list of defects fixed in 4.1.8, refer to the Resolved Issues in 4.1.8 documentation section.
Download 4.2.0.06 from PAM Solutions & Patches on the support portal.