PAM audit logs for authentication attempts with the credential source

Article ID: 392914

Updated On: 04-02-2025

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Domain admins report failed logon attempts from PAM at times when there is no user activity that would have touched the target account in question. Where would a PAM administrator find the activity that caused the failed logon?

Resolution

PAM interacts with the credential source when it verifies or updates a target account password, whether that is initiated by a PAM administrator or by a scheduled job. Using target account credentials to access a target device via auto-logon does not involve access to the credential source, unless the target device is itself the credential source.

Target account usage for auto-logon is covered in PAM session logs.

Attempts to update a target account password can be found in the Account Passwords Update Attempts report, available on the Credentials > Reports > Run page. They also appear on the integrated syslog or Splunk server as Metric events of type "updateTargetAccountPassword". In this workflow the credentials of the account of interest may be used in different ways:

  1. The account attempts to authenticate using the new password.
  2. The account attempts to authenticate using the old password.
  3. The account authenticates in a workflow where it doesn't have its own password changed, but is used to change the password of another account.

Password verification attempts, either performed manually by a PAM administrator or automatically by a scheduled job, are not found in any built-in report. They generate Metric events of type "verifyAccountPassword" that are sent to the integrated syslog or Splunk server. Here is a sample syslog event in XML format for a successful password verification:

Apr  2 21:09:41 pamserveraddress pam DETAIL <Metric><type>verifyAccountPassword</type><level>1</level><description><hashmap><k>TargetAccount.ID</k><v>2230001</v><k>TargetApplication.name</k><v>targetappname</v><k>TargetServer.hostName</k><v>example.com</v><k>TargetApplication.ID</k><v>11001</v><k>TargetServer.ID</k><v>54001</v><k>TargetAccount.userName</k><v>exampleuser</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>
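
A parser for these Metric events, as an added example (not code from the article or the product): it lists failed "verifyAccountPassword" and "updateTargetAccountPassword" events for one target account from collected syslog lines. The sample lines are constructed, and the layout of a failed event (same fields as the sample above, with success set to false and a placeholder error code) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Event types the article ties to credential-source access.
TYPES = {"verifyAccountPassword", "updateTargetAccountPassword"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?(?P<xml><Metric>.*</Metric>)")

def parse_metric(line):
    """Return a dict for a PAM Metric syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or "<!" in m["xml"]:  # not a Metric event, or carries a markup declaration
        return None
    try:
        root = ET.fromstring(m["xml"])
    except ET.ParseError:
        return None
    # <hashmap> holds alternating <k>/<v> children; pair them up.
    kv = [e.text or "" for e in root.iterfind("description/hashmap/*")]
    return {"time": m["ts"], "host": m["host"], "type": root.findtext("type"),
            "success": root.findtext("success") == "true",
            "errorCode": root.findtext("errorCode"), "userID": root.findtext("userID"),
            "fields": dict(zip(kv[0::2], kv[1::2]))}

def failed_attempts(lines, user_name):
    """Failed verify/update events whose TargetAccount.userName matches."""
    events = (parse_metric(l) for l in lines)
    return [e for e in events if e and e["type"] in TYPES and not e["success"]
            and e["fields"].get("TargetAccount.userName") == user_name]

def _sample(ts, mtype, user, ok, code):
    # Constructed test data in the layout of the article's sample event.
    # Assumption: failures differ only in <success> and <errorCode> (placeholder value).
    return (f"{ts} pamserveraddress pam DETAIL <Metric><type>{mtype}</type><level>1</level>"
            f"<description><hashmap><k>TargetAccount.ID</k><v>2230001</v>"
            f"<k>TargetServer.hostName</k><v>example.com</v>"
            f"<k>TargetAccount.userName</k><v>{user}</v></hashmap></description>"
            f"<errorCode>{code}</errorCode><userID>super</userID>"
            f"<success>{ok}</success></Metric>")

SAMPLE = [
    _sample("Apr  2 21:09:41", "verifyAccountPassword", "exampleuser", "true", 0),
    _sample("Apr  2 23:00:02", "verifyAccountPassword", "exampleuser", "false", 1),
    _sample("Apr  2 23:00:05", "updateTargetAccountPassword", "otheruser", "false", 1),
    "Apr  2 23:00:09 pamserveraddress sshd[1]: unrelated line",
]

if __name__ == "__main__":
    for e in failed_attempts(SAMPLE, "exampleuser"):
        print(e["time"], e["type"], "by", e["userID"], "on", e["fields"]["TargetServer.hostName"])
```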