Active Directory Windows devices are imported with SSH Access Method.

Article ID: 8838

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

The following symptoms are observed when trying to import Active Directory (AD) Devices using the PAM LDAP Browser:

  • AD Device import is successful (no reported errors).
  • Windows devices are imported with the SSH Access Method (not RDP).
  • Because of the incorrect Access Method, the devices may not show up on the Access page for users who should see them.
  • The Operating System field of any affected device may say "Other".
  • Depending on the exact setup, some Windows servers (usually from one domain) may have been imported with the correct Access Method while other devices were not.

Environment

Privileged Access Manager, all versions
Active Directory

Cause

This is usually caused by configuring AD in PAM with the Global Catalog port. The Global Catalog and the standard AD ports return different sets of attributes. PAM uses the Operating System information returned by its AD queries to determine the correct OS and Access Method automatically. A query against a standard AD port (389 or 636) returns the full set of attributes, including the Operating System information. A query against the Global Catalog (port 3268 or 3269) returns only a partial set of attributes, which by default does NOT include the Operating System information. The Global Catalog behaves differently because it is designed to serve multiple domains: replicating fewer attributes reduces the bandwidth and data required to update and query it.

Resolution

We know of two options to resolve this problem:

  1. Switch the AD configuration from the Global Catalog port to the equivalent standard AD port (3268 = 389, 3269 = 636).
    NOTE: If the Global Catalog is being used for its cross-domain functionality, this change would break that, and resolution 2 would be required.
  2. Re-configure the Global Catalog schema to include the Operating System attribute.
    Notes:
        We suggest consulting a Windows or AD administrator before attempting this change, as it can be considered a major change.
        Instructions on modifying the Global Catalog attributes can be found at the end of the Microsoft link in the Additional Information section.
        Making changes to the Global Catalog schema requires the user to be a "Schema Administrator". This is NOT included in the default Domain Administrator role and may need to be explicitly added.
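The following read-only PowerShell check is an added example, not part of this article or of PAM. It confirms the cause described above (the Global Catalog port not returning operatingSystem) and lets you verify the outcome of either resolution. It assumes the ActiveDirectory module is available on a domain-joined machine; the domain controller hostname and computer name are placeholders.

```powershell
# Added diagnostic (not from the KB article or PAM): does the Global Catalog
# port return the operatingSystem attribute PAM needs, and is Operating-System
# flagged for the Partial Attribute Set in the schema?
# Assumptions: ActiveDirectory module installed, domain-joined host, and the
# two values below replaced with your own (they are placeholders).
Import-Module ActiveDirectory

$Dc       = 'dc01.example.com'   # placeholder domain controller
$Computer = 'WINSRV01'           # placeholder Windows computer object

# 1. Read the same computer object via the standard port (389) and the GC port (3268).
$viaDc = Get-ADComputer -Identity $Computer -Server $Dc -Properties operatingSystem
$viaGc = Get-ADComputer -Identity $Computer -Server "${Dc}:3268" -Properties operatingSystem

"Standard port (389)    operatingSystem: '$($viaDc.operatingSystem)'"
"Global Catalog (3268)  operatingSystem: '$($viaGc.operatingSystem)'"

# 2. Check the schema flag that resolution 2 changes. Reading it needs no
#    Schema Admin rights; only changing it does.
$schemaNc = (Get-ADRootDSE -Server $Dc).schemaNamingContext
$osAttr   = Get-ADObject -Server $Dc -SearchBase $schemaNc `
              -LDAPFilter '(lDAPDisplayName=operatingSystem)' `
              -Properties isMemberOfPartialAttributeSet

if ($osAttr.isMemberOfPartialAttributeSet) {
    'operatingSystem IS replicated to the Global Catalog; this KB cause does not apply.'
} else {
    'operatingSystem is NOT in the Partial Attribute Set: PAM queries on 3268/3269 cannot see the OS.'
}
```

If the first query shows an OS value and the second is empty, PAM is hitting the symptom in this article; after applying resolution 1 or 2, both the port comparison and the schema flag should line up.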

Additional Information

Additional information on this can be found at the following link from Microsoft:

Global Catalogs and the Partial Attribute Set