Symantec Privileged Access Management

  • 1.  Active directory account is locked using CA PAM

    Posted Dec 18, 2018 12:36 AM

    Hi Team,

    I am using an Active Directory account as a target account to log in to a Windows server. I am able to auto-login to the server using this account, and I am able to verify the password from CA PAM as well. But when I try to change the password from PAM, it gets locked in Active Directory. I tried with multiple accounts but am facing the same issue.

    Please suggest on this issue.



  • 2.  Re: Active directory account is locked using CA PAM

    Broadcom Employee
    Posted Dec 18, 2018 09:53 AM

    When PAM rotates a credential it follows a sequence of Verify > Update > Verify.

    The first verification is performed using the new password to see if it actually needs to update the target (you may have already done it manually).

    Of course this first verify step usually appears as a failed login attempt, and depending upon your domain policies, this could result in a lockout event.

    Make sure your domain doesn't lock after a single incorrect password. The default is 3 attempts before locking and this is usually adequate; 2 attempts should work, but locking after a single attempt will prevent PAM from changing passwords.

    NOTE: if you follow best practice and create a "master" account in the domain that is used to update the password for all of the other domain accounts, you can get around this issue. If you tell PAM to use the master account to verify the password, the lockout won't occur at all. However, even with the account verifying its own password, the password update will unlock the account anyway, so it will only be locked for a fraction of a second.

    I hope that helps.



  • 3.  Re: Active directory account is locked using CA PAM
    Best Answer

    Broadcom Employee
    Posted Dec 18, 2018 11:45 PM

    Note that the latest PAM releases include code to catch a change in the user DN, see e.g. the following text at https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/protect-privileged-account-credentials/set-up-password-composition-and-view-policies/establish-password-view-policies/track-account-movement-across-active-directory-ous :

    "Credential Manager first tries to bind to Active Directory using the Distinguished Name (DN). If that binding fails, it tries to bind using the User Principal Name (UPN)."

    This means that the verify attempt prior to the update attempt will cause two failed login attempts prior to the password update. If you use another account to update this account's password, PAM will try to unlock the account if locked. Is that what you are doing, or are the accounts configured to update their own password?
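    The two replies above come down to one question: how many failed binds does the domain tolerate before the verify step (DN bind, then UPN bind, both with the new password) locks the target account? The following PowerShell is an added example, not part of this thread or of CA PAM, for checking that from a domain-joined admin host. It assumes the RSAT ActiveDirectory module and read access to the domain; the account name $TargetSam is a placeholder.

```powershell
# Added example (not from the thread): report the lockout settings that decide whether
# PAM's verify-before-update step can lock a target account, and whether it is locked now.
# Assumes RSAT ActiveDirectory and domain read access; $TargetSam is a hypothetical name.
param(
    [string]$TargetSam = 'svc-pam-target'   # placeholder target account
)
Import-Module ActiveDirectory

# A fine-grained password policy (PSO), if one applies, overrides the domain default.
$user   = Get-ADUser -Identity $TargetSam -Properties LockedOut, badPwdCount, LockoutTime, UserPrincipalName
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

[pscustomobject]@{
    Account           = $user.SamAccountName
    DN                = $user.DistinguishedName   # first bind attempt uses this
    UPN               = $user.UserPrincipalName   # fallback bind attempt uses this
    LockoutThreshold  = $policy.LockoutThreshold
    ObservationWindow = $policy.LockoutObservationWindow
    LockoutDuration   = $policy.LockoutDuration
    LockedOut         = $user.LockedOut
    BadPwdCount       = $user.badPwdCount        # not replicated; PDC emulator holds the consolidated value
} | Format-List

# The verify step is expected to fail (new password, DN bind then UPN bind), so a low
# threshold is consumed before the update runs. A threshold of 0 means lockout is disabled.
switch ($policy.LockoutThreshold) {
    0       { 'Lockout disabled: the verify step cannot lock this account.' }
    1       { 'WARNING: threshold 1 blocks PAM password changes (the verify step alone locks the account).' }
    2       { 'WARNING: threshold 2 is marginal when PAM binds by DN and then by UPN (two failed attempts).' }
    default { "Threshold $($policy.LockoutThreshold) leaves headroom for the verify attempts." }
}

# Lockouts are logged on the PDC emulator as Security event 4740; list recent ones for this account.
# In 4740, Properties[0] is the locked account and Properties[1] the caller computer name.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } |
    Select-Object TimeCreated, @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

    If the caller computer in the 4740 events is the PAM appliance and the threshold is 1 or 2, the lockout is the verify step described above rather than a wrong stored password.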