Symantec Privileged Access Management

  • 1.  Can't change Scheduled Task password with proxy: PAM-CM-3466 error

    Posted Feb 22, 2018 10:37 PM

    I am using PAM 3.0.1. I have the current Windows Proxy running on Windows box 2 (Windows Server 2012 R2). The service is running under the local Administrator account. It is set up / able to mange local account passwords on Windows box 1 (Windows server 2008 R2).

    1.  I have a local Windows box 1 account being managed, and use that account to discover other local accounts on Windows 1. That works fine.
    2. I then take 1 of the discovered accounts under management. That works fine. This account (adm1) has both a scheduled task and a service running under it.
    3. I enable task and service discovery on the target application, re-run the discovery, and find both the service and task.
    4. I "Update" to add the service/task to the adm1 managed account in the Discovery menu. This step does not attempt to update any passwords.
    5. I then return to the adm1 managed target account, view the service/task, generate a new credential, and force a password change. Upon saving, I get a Warning/error  "PAM-CM-3466: Error updating task credentials."

     

    What is interesting, if i re-open the target account (adm1), supply a password to PAM to change the account to, then manually update the task on Windows box 1 to that password, then it will remain in sync with PAM (PAM will update the Task password along with the account password). Scratch that - it does not stay sync'd. Wondering if i am performing something out of sequence that is preventing the sync-up. The Service syncs up immediately - no problems there.  



  • 2.  Re: Can't change Scheduled Task password with proxy: PAM-CM-3466 error

    Posted Feb 23, 2018 02:46 PM

    I wrote a Tech Tip on this not long ago.  You should be able to download it from this page:  Tech Tip:  Configuring PAM to Manage Passwords for Scheduled Tasks on a Windows Server.



  • 3.  Re: Can't change Scheduled Task password with proxy: PAM-CM-3466 error

    Posted Feb 23, 2018 03:09 PM

    Yes thank you. I used that as a guide to get this far. In your document, section "Rotate the Password" is where I am getting the error. The task's password is not updated. 



  • 4.  Re: Can't change Scheduled Task password with proxy: PAM-CM-3466 error

    Posted Feb 23, 2018 04:13 PM

    Make sure that the account being used for the scheduled task has the necessary rights.



  • 5.  Re: Can't change Scheduled Task password with proxy: PAM-CM-3466 error

    Posted Mar 20, 2018 05:26 PM

    So it seems there was an issue with the Windows Proxy released with 3.0.1. A patch is in the works to resolve the 3466 error. However, what is interesting is that Scheduled Task management is a little more sensitive than Service management. It seems that to take a Scheduled Task under management, the password the Scheduled Task has stored must match what is in the CA PAM credential vault. This means you may have to update the Task's password first, then discover it and take it under CA PAM management.