Symantec Privileged Access Management

  • 1.  Integration PAM with PAM SC: Error in pre-login call...

    Posted Feb 15, 2019 05:54 AM

    Hi all,

    I have some trouble integrating CA PAM with CA PAM SC. I configured PAM as described in docops. Ping to the AMQ Console seems fine.

    However, when I set Login Integration in the CA PAM Server Control tab in the Policy, I get one of two errors:

    1) when auto-login with a target account is selected, the error message is: "PAM-SPFD-0025: Error in pre-login call to 'pamsc-winsrv.amipam.local' endpoint. Message: 'Call failed with HTTP response code 504'"

    2) when auto-login is not set, the error is: "PAM-SPFD-0025: Error in pre-login call to 'pamsc-winsrv.amipam.local' endpoint. Message: 'Call failed with HTTP response code 400'"

    For users, both errors look like this:

    Without setting Login Integration in the CA PAM Server Control tab in the Policy, everything is fine: I can connect to the target server with the target account, and I see it in the CA PAM SC Audit:

    Does anybody have an idea what I have misconfigured?

    Thanks for any reply,

    Lukas



  • 2.  Re: Integration PAM with PAM SC: Error in pre-login call...
    Best Answer

    Broadcom Employee
    Posted Feb 15, 2019 07:52 AM

    Hello Lukas,

    Please make sure you have the following on your Windows Endpoint (where you have the PAM SC Agent installed):

    [HKLM\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent]
       EnableLogonIntegration = 1
       OperationMode = 1

    [HKLM\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager\Plugins\AccountManager]
       OperationMode = 1

    [HKLM\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager\Plugins\PupmAgent]
       OperationMode = 1

    [HKLM\SOFTWARE\ComputerAssociates\AccessControl\Common\communication]
       Distribution_Server = ssl://<ACTIVEMQSERVER>:61616

    User Settings:

    exu AMIPAM\testuser1 pupm_flags(use_original_identity,required_checkout)

    (This can be set up as a Policy and pushed automatically so it is created. The XUSER will be created upon first successful login but will not contain the required flags.)

    Target Application - pertains to using a DOMAIN account

       Domain Name - must MATCH the domain of the XUSER created above, i.e. if the domain is AMIPAM, put AMIPAM in the target application, NOT AMIPAM.company.com!!! Otherwise, to PAM SC, this is a different user!

    Moreover, you need to configure the PAM Policy to auto-login as the user AMIPAM\testuser1, but from what you show from seaudit I guess this is already the case in your environment.

    Make sure you run the most recent versions of PAM and PAM SC (i.e. as of now 3.2.4 and 14.1), since there were some issues identified in earlier versions.

    See also these KBs:

    PAM 3.x: Does not work login integration with CA P - CA Knowledge

    For the PAMSC login integration, is it required fo - CA Knowledge

    PAM + PAMSC Login Integration Not Working - CA Knowledge

    Should the issue remain, please open a formal Support Case with us and we shall have a closer look.
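    As an added diagnostic example (not from the reply above and not CA/Broadcom code), the following PowerShell script reads the registry values the reply lists on the Windows endpoint, reports anything missing or mismatched, and checks that Distribution_Server points at a real ActiveMQ host over ssl://...:61616 that is reachable from the endpoint. It assumes the key paths and values exactly as quoted in the reply; it treats "localhost" as a misconfiguration only because a later post in this thread reports that value does not work.

```powershell
# Added diagnostic script, not part of the original thread or of the PAM SC product.
# Run in an elevated PowerShell on the Windows endpoint that has the PAM SC Agent.
# Assumption: registry paths and expected values are exactly those quoted in the reply.

$base = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl'

# Expected DWORD values from the reply (1 = enabled)
$expected = @(
    @{ Key = "$base\PUPMAgent";                                     Name = 'EnableLogonIntegration'; Value = 1 },
    @{ Key = "$base\PUPMAgent";                                     Name = 'OperationMode';          Value = 1 },
    @{ Key = "$base\Common\AgentManager\Plugins\AccountManager";    Name = 'OperationMode';          Value = 1 },
    @{ Key = "$base\Common\AgentManager\Plugins\PupmAgent";         Name = 'OperationMode';          Value = 1 }
)

$problems = 0
foreach ($e in $expected) {
    # Get-ItemProperty returns $null (no exception) when the key or value is absent
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "MISSING  $($e.Key)\$($e.Name) (expected $($e.Value))"
        $problems++
    } elseif ($item.($e.Name) -ne $e.Value) {
        Write-Warning "MISMATCH $($e.Key)\$($e.Name) = $($item.($e.Name)) (expected $($e.Value))"
        $problems++
    } else {
        Write-Host "OK       $($e.Key)\$($e.Name) = $($e.Value)"
    }
}

# Distribution_Server must be ssl://<ACTIVEMQSERVER>:61616 with the broker's real hostname or IP.
# A value of 'localhost' is reported in this thread as not working.
$commKey = "$base\Common\communication"
$ds = (Get-ItemProperty -Path $commKey -Name 'Distribution_Server' -ErrorAction SilentlyContinue).Distribution_Server
if (-not $ds) {
    Write-Warning "MISSING  $commKey\Distribution_Server (expected ssl://<ACTIVEMQSERVER>:61616)"
    $problems++
} elseif ($ds -notmatch '^ssl://(?<host>[^:/]+):61616$' -or $Matches.host -in @('localhost', '127.0.0.1')) {
    Write-Warning "SUSPECT  Distribution_Server = '$ds' (expected ssl://<ACTIVEMQSERVER>:61616 with a real hostname/IP)"
    $problems++
} else {
    Write-Host "OK       Distribution_Server = $ds"
    # Confirm the endpoint can actually open the broker port; a closed path here
    # would surface later as a failed pre-login call rather than a registry error.
    $tnc = Test-NetConnection -ComputerName $Matches.host -Port 61616 -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) {
        Write-Warning "UNREACHABLE $($Matches.host):61616 from this endpoint"
        $problems++
    }
}

if ($problems -eq 0) { 'All login-integration registry settings look as expected.' }
else { "$problems issue(s) found; see the warnings above." }
```

    The script does not write anything; it only reports, so it can be run before and after a change to confirm which of the listed values actually moved. The XUSER flags (pupm_flags) live in the PAM SC database rather than the registry and are not covered here.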



  • 3.  Re: Integration PAM with PAM SC: Error in pre-login call...

    Posted Feb 18, 2019 08:23 AM

    Hello Andreas,

    Thank you for the answer.

    In our environment (Enterprise Management installed together with endpoint management), the registry value PUPMAgent\OperationMode was disabled by default. I enabled it manually via the endpoint configuration (there was no option in the installation wizard as described in the documentation: "When you install the endpoint using the Product Explorer, enable PUPM Integration in the Feature Selection dialog...").

    I edited HKLM\SOFTWARE\ComputerAssociates\AccessControl\Common\communication\Distribution_Server. It was set to "localhost", which doesn't work. With the IP address/hostname it is correct.

    Now it is working with auto-login!

    And one last thing: is there no way to set manual login within this integration? When no target account is selected, we always receive the error "PAM-SPFD-0025: Error in pre-login call to 'pamsc-winsrv.amipam.local' endpoint. Message: 'Call failed with HTTP response code 400'".

    Thanks,

    Lukas