A2A Client Fingerprint has changed
search cancel

A2A Client Fingerprint has changed


Article ID: 4826


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


The A2A client will not authenticate because the fingerprint has changed.


Component: CAPAMX


The client fingerprint is a value based on the client machine's hardware, hashed with a key.
The client token is assigned to the client when it first registers. This is just the ID in the database.

There are two places the client is identified:
1. At login time, the server checks that the client has the expected fingerprint key.
2. At command invocation time, the fingerprint is checked first, and then the token, and if both those fail we look up the hostname with a DNS lookup of the IP address in the client request.

There are often valid reasons why the fingerprint of an A2A client's request server machine will change, new hardware, new MAC address.


One solution is uninstall and re-install the client and let it re-register with the server. 

The following steps accomplish the same:

1. stop the client service/daemon
2. delete the client service/daemon's cache file (%CSPM_CLIENT_HOME%\cspmclient\config\.cspmclient.dat)
3. deactivate the client (in the CA PAM or Password Authority GUI)
4. Re-start the client service/daemon
5. Reactivate the client