Duplicate Login Events in Splunk

Article ID: 408523

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When monitoring PAM authentication logs in Splunk, administrators may notice two events generated for each login attempt. Successful logins show an initial invalid login attempt before the valid login event.

Environment

PAM 4.x

Cause

This behavior is expected when accounts are being rotated or validated against Active Directory through PAM. The process works as follows:

  • An initial login attempt is made with a deliberately invalid password.

  • This "bad" attempt is intentional and helps ensure the password validation process is functioning as expected.

  • It confirms the system is correctly handling invalid credentials before proceeding.

  • Immediately after, a second login attempt is made with the correct password. This is the valid login event.

As a result, Splunk logs will display two events per login:

  • One showing a failed login (commonly with LDAP Error Code 49), for example:

Failed authentication to Active Directory using distinguished name 'CN=#####, OU=########,OU=######,DC=###,DC=####,DC=####' for account '########' due to error '[LDAP: error code 49 - #######: LdapErr: DSID-0C09059D, comment: AcceptSecurityContext error, data 52e, v4f7c

  • One showing a successful login, for example:

Updating credentials for account with username #########
Updating password of Active Directory account with username '#########'
Retrieve the DN from the Active Directory for user, #########,CN=########,OU=#########,OU=#######,DC=#####,DC=#####,DC=#####
Verifying credentials for account with username '#####'
Successfully saved the UPN  '#####' for targetAccount #####

This is a normal and expected behavior and does not indicate an authentication issue.

Resolution

No action is required. Working as designed.

The duplicate entries in Splunk are a byproduct of the PAM authentication process.

The failed login is expected and does not represent a security concern as long as it is immediately followed by a successful login.

This behavior is by design in PAM and ensures the password validation process functions correctly.

Administrators should not treat these events as security incidents when they occur in this specific pattern.

What to Expect:

  • Two Splunk messages per login attempt (invalid followed by valid).

  • LDAP Error Code 49 may appear before each successful login.

  • This pattern will repeat for all accounts undergoing password rotation.
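As an added example (not part of this article or of the PAM product), the following Python check applies the rule above to sample log lines: a code-49 failure is treated as expected rotation noise only when the same account succeeds within a short window afterwards, and any other failure is flagged for review. The sample lines, timestamps, account names, DNs and the window size are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the shape the article quotes. Timestamps, account
# names and DNs are assumptions for illustration, not values from the article.
SAMPLE_LOG = """\
2024-01-01 10:00:00 Failed authentication to Active Directory using distinguished name 'CN=svc_rot,OU=Svc,DC=example,DC=com' for account 'svc_rot' due to error '[LDAP: error code 49 - ########: LdapErr: DSID-0C09059D, comment: AcceptSecurityContext error, data 52e, v4f7c]'
2024-01-01 10:00:01 Verifying credentials for account with username 'svc_rot'
2024-01-01 10:00:01 Successfully saved the UPN  'svc_rot' for targetAccount svc_rot
2024-01-01 10:05:00 Failed authentication to Active Directory using distinguished name 'CN=jdoe,OU=Users,DC=example,DC=com' for account 'jdoe' due to error '[LDAP: error code 49 - ########: LdapErr: DSID-0C09059D, comment: AcceptSecurityContext error, data 52e, v4f7c]'
2024-01-01 10:05:30 Failed authentication to Active Directory using distinguished name 'CN=jdoe,OU=Users,DC=example,DC=com' for account 'jdoe' due to error '[LDAP: error code 49 - ########: LdapErr: DSID-0C09059D, comment: AcceptSecurityContext error, data 52e, v4f7c]'
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
FAIL_RE = re.compile(r"Failed authentication .* for account '([^']+)' due to error '\[LDAP: error code 49")
OK_RE = re.compile(r"(?:Verifying credentials for account with username|Successfully saved the UPN) +'([^']+)'")

def parse(log_text):
    """Yield (timestamp, kind, account) for lines matching either message shape."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if (f := FAIL_RE.search(msg)):
            yield ts, "fail", f.group(1)
        elif (o := OK_RE.search(msg)):
            yield ts, "ok", o.group(1)

def classify_failures(log_text, window_seconds=10):
    """Return {account: [(timestamp, 'expected' | 'unexplained'), ...]}.
    A code-49 failure is 'expected' only when the same account succeeds within
    window_seconds afterwards (the rotation pattern the article describes);
    any other failure is left for an analyst to review."""
    events = list(parse(log_text))
    window = timedelta(seconds=window_seconds)  # assumed window size
    result = {}
    for i, (ts, kind, acct) in enumerate(events):
        if kind != "fail":
            continue
        followed_by_ok = any(
            k == "ok" and a == acct and ts <= t <= ts + window
            for t, k, a in events[i + 1:]
        )
        verdict = "expected" if followed_by_ok else "unexplained"
        result.setdefault(acct, []).append((ts, verdict))
    return result

if __name__ == "__main__":
    for acct, hits in classify_failures(SAMPLE_LOG).items():
        for ts, verdict in hits:
            print(f"{ts} {acct}: {verdict}")
```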