When running a manual LDAP refresh on some appliances in the PAM cluster, the user is logged off and the following error is seen in the session logs. In some cases, it has been observed
PAM-CMN-1176: A potential tampering attempt has been detected, the end-user's local system may be compromised. Session will be terminated.
Privileged Access Manager 4.2.0 only
When the LDAP refresh is run on an appliance other than the primary leader, a call is made to the primary leader to run the task. In this case, a syntax issue in that call triggered the tampering alert on the primary leader because of the increased security added by the vulnerability hotfix.
The issue has been fixed as DE612189 in the 4.2.1 release; upgrade to resolve it. As a workaround, run manual LDAP refreshes from the cluster leader.
If an upgrade is not possible at this time, apply the 4.2.0.06 hotfix. It can be downloaded from PAM Solutions & Patches on the support portal.