Password management stopped working for all accounts in an Active Directory domain. Attempts to update accounts run into the following errors:
PAM-CM-3432: Cannot connect to domain controller on the specified domain
or
PAM-CM-3438: Error updating password in Active Directory. Service credentials for this account (if any) were not updated.
The target application is configured with option "Retrieve DNS list", and there are over a dozen domain controllers available.
Affects PAM releases 4.2.0-4.2.3 and 4.3.0
The first domain controller PAM tries to connect to is, or has become, unavailable. In that case the target connector should move on to the next domain controller retrieved from DNS, but it does not, because of a regression introduced by the enhancement in the PAM 4.1.5 release that added Kerberos authentication support to the Active Directory target connector. The tomcat log will show a message similar to the following:
2025-11-10T18:48:58.633+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.loginToActiveDirectorySimple Failed authentication to Active Directory using account 'ExampleADAccount' com.cloakware.cspm.server.app.ApplicationException: PAM-CM-0776: Unable to connect to client.... Caused by: java.net.SocketTimeoutException: connect timed out

This problem will be fixed in 4.2.4+ and 4.3.1+. If you are affected by this problem and an upgrade is not an option yet, open a case with PAM Support.
Accounts associated with a target application that uses option "Use following DNS server:" instead of "Retrieve DNS list" can also be affected by this problem.
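As an added illustration (not PAM's own code), the following Python probe walks an ordered domain controller list the way the connector walks the DNS list, but keeps going past a controller that times out and reports the status of each, so an administrator can see which controller is unreachable before opening a case; the hostnames and the simulated_connect stand-in are constructed for offline use.

```python
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample: an ordered DC list as the connector would retrieve it
# from DNS ("Retrieve DNS list"). Placeholder hostnames, not real servers.
SAMPLE_DC_LIST = ["dc01.example.test", "dc02.example.test", "dc03.example.test"]
LDAP_PORT = 389


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Real probe: open and close a TCP connection, raising on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def simulated_connect(host: str, port: int, timeout: float) -> None:
    """Constructed offline stand-in for tcp_connect: the first DC times out
    (as in the tomcat log above) and the third refuses the connection."""
    if host == SAMPLE_DC_LIST[0]:
        raise TimeoutError("connect timed out")
    if host == SAMPLE_DC_LIST[2]:
        raise ConnectionRefusedError("connection refused")


def probe_domain_controllers(
    dcs: Iterable[str], port: int = LDAP_PORT, timeout: float = 3.0,
    connect: Callable[[str, int, float], None] = tcp_connect,
) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Probe every DC in order and return (first reachable DC, per-DC status).

    Status is "ok", "timeout" or "error: <reason>". A timeout on one DC does
    not abort the run; the next DC is tried, which is the fail-over the
    affected releases skip.
    """
    results: List[Tuple[str, str]] = []
    first_ok: Optional[str] = None
    for dc in dcs:
        try:
            connect(dc, port, timeout)
            status = "ok"
        except (socket.timeout, TimeoutError):  # socket.timeout is a plain
            status = "timeout"                   # OSError before Python 3.10
        except OSError as exc:
            status = f"error: {exc}"
        results.append((dc, status))
        if status == "ok" and first_ok is None:
            first_ok = dc
    return first_ok, results
```

Run it with the default tcp_connect against your own controller list (port 389, or 636 for LDAPS) to get a per-controller reachability report from the PAM host.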