PAM-CM-4049 trying to rotate a local account using Windows Remote
search cancel

PAM-CM-4049 trying to rotate a local account using Windows Remote

book

Article ID: 410852

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Windows Remote has been configured to rotate  local windows accounts in a given server, Server A, joined to a Windows Domain, Domain A, by means of a local account- Admin_User- defined in Server A which is part of the Local Administrator group in Server A.

However, this does not work and there are the following error messages in the tomcat log

2025-09-08T11:58:28.879+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables SMB command line: /usr/bin/python3, /opt/cloakware/cspmserver/rwin/wmiexec.py, <DomainA>/<Admin_User>:********@<Domain_A_IP_Address>, "echo ###%TEMP%###"

...

2025-09-08T11:58:29.916+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables Attempt to get Windows TEMP folder for user <Domain A>/<Admin_User> on host <Domain_A_IP_Address> failed with exit code 1

...
2025-09-08T11:58:29.917+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.begin PAM-CM-4049: Windows Remote process returns 1, with Administrator account <Domain A>/<Admin_User> on target server <Domain_A_IP_Address>.
    com.cloakware.cspm.server.app.ApplicationException: PAM-CM-4049: Windows Remote process returns 1, with Administrator account <Domain A>/<Admin_User> on target server <Domain_A_IP_Address>.

 

Cause

Looking at the log, one can observe that even though we are trying to rotate local Accounts, PAM is sending a Domain account, <Domain A>/<Admin_User> instead of only the local admin account Admin_User

Of course <Domain A>/<Admin_User> cannot connect to any share in Server A, because Admin_User is a local user, not a domain user.

The fact that PAM is sending it as a Domain user, despite being specified as a local Target Account is caused by the Definition of its Target Application: Windows Remote connector allows you to define whether it will be applied to Local Accounts or Domain Accounts

 

If you choose Domain Account, even if the account specified in the Target Account definition is local, it will prepend the Domain name to it and try operation with a Domain Account

Resolution

Use a Windows Remote Application specifying Account Type as Local

Powered by Wolken Software