Palo Alto Firewall password verification fails with PAM-CM-0759



Article ID: 392378


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM needs to manage user accounts on Palo Alto firewall devices. The users are able to establish an SSH connection, but their passwords must be updated by a master account. They therefore have to be configured with account type "User" and with the "Connect As" option "The following account" checked. With this configuration, password updates succeed, but any attempt to verify the password fails immediately with the message:

PAM-CM-0759: Failed to verify password with target. {0}

The tomcat log shows the following message at log level Warning: "Cannot use another account's credentials to verify this account's credentials; the operation is not supported."

Cause

The Palo Alto target connector does not support a configuration in which an account's password is updated by another account while the account's own password is verified by logging in with it. This is a design limitation of the connector.

Resolution

It should be possible to get this use case working by using a UNIX target connector instead of a Palo Alto target connector. The UNIX target application would need to be configured with a custom password update script that implements the same logic as the default script used with Palo Alto target applications. If you want to pursue this option but need assistance with an initial version of the script, contact PAM Support.

Additional Information

As documented on the Add a UNIX Target Connector page, once you have a custom script in place you are responsible for maintaining it.