chapter 19 Flashcards
PAM administration
User authentication issues
A user receives an authentication failure.
He changed his network password recently and tried to log in to the PVWA with his old password.
Now he is trying with his new password and it does not work.
He contacts his vault admin.
identifying the error in the ITAlog
The vault admin can see in the ITAlog on the vault that the user failed to log in 5 times and was then suspended.
To unsuspend the user:
Open Users and Groups on server “prod”.
Select the user, select Trusted Net Areas and select Activate.
The vault can be configured to unsuspend users automatically after a predefined time period, using the UserLockoutPeriodInMinutes parameter in the (blank) ini file.
dbparm
component connectivity issues
identifying a suspended component
In PVWA System Health, you can see that the CPM user is disconnected.
component authentication error
Occasionally, the passwords for a component user can get out of sync: the password stored in the vault no longer matches the password stored in the credential file.
There is a tool available in the CyberArk support vault that can be used to unsuspend component users (solution 3443).
Here is how to do it manually for the default CPM component user, PasswordManager:
Stop the CPM services
Reset the password in the vault
Unsuspend the component user
- in Trusted Net Areas, click Activate to unsuspend the user
Generate a new credential file
- in the vault folder under Password Manager, run the CreateCredFile command
- e.g.: createcredfile.exe user.ini password /username passwordmanager /password cyberark1 /ipaddress /hostname /entropyfile
Restart the CPM services
Resync PTA credentials
In the event that PTA connectivity is not working, we may need to resync the credentials for the PTA vault users, as well as the credentials stored in the PTA_PAS_Gateway account (used for REST calls between the PVWA and PTA).
This can be done easily by running the VaultPermissionsValidation.sh script located in the utility folder on the PTA server.
You can navigate to the utility folder by entering the following alias: UTILITYDIR
What can interfere with the CPM?
Local Computer Policy
The platform and master policy settings must not conflict with the password policy on the target device.
Target Windows Accounts
Understanding the problem
- verify/change/reconcile
- API and net use command
- alternative plugins: WMI plugin / powershell plugin
Suggested troubleshooting
- check windows event viewer
- check for unusual local security settings
- run net use manually from the CPM server to verify the connection
Target UNIX account
Understanding the problem
- which operations are affected: verify/change/reconcile/all
Suggested troubleshooting
- running plink manually
- disable DEP / add exceptions for DEP on the CPM server
- prompts and process files - add a basic prompt
Common issues related to PSM
PSM-RDP connection troubleshooting
understanding the problem
- at what stage does the problem occur? PVWA / PSM / target
- one account? multiple accounts? same type?
- is the PSM hardened?
- is the PSM in a domain?
- which connection type is being used? RDP file / RemoteApp
- if there are multiple PSM servers, are they distributed or load balanced?
suggested troubleshooting
- check the PSM service - is it off/hanging?
- logs and events on PSM server (system and application)
- disable NLA on PSM and target
- initiate a manual connection with PSMConnect and run MSTSC to the target
- check safe permissions (compare with other safes)
- disable recording and auditing
- check PSM protocol version
- increase time-out values
Disable NLA
(blank) NLA requires the connecting user to authenticate before a session is established with the server.
You can disable NLA in order to determine if that is causing the problem.
On the PSM machine or target machine, go to Control Panel > System and Security > System > Remote settings.
network level authentication
Increase Timeouts
Timeout parameters determine how long the (blank) will wait for certain components to start working before considering them failed and ending the session.
Overloaded environments may suffer from longer times for certain components to begin working, so it is recommended to double their timeout values.
PSM
PSM-[Component]
understanding the problem
- PSM users (PSMConnect/shadow users)
- is it supported?
- is mapping drives enabled?
suggested troubleshooting
- same recommendations as for PSM-RDP
- run component manually using shadow user
- delete shadow users (from PSM Computer Management)
- adjust AppLocker (or remove it manually in Windows for isolation)
PSM Shadow users
Shadow users are created by the PSM upon first connection. Shadow users are used to run connection components and store user preferences.
You can isolate problems related to shadow users by:
- running the component manually as the shadow user (after a password reset)
- deleting the user (this will allow the PSM to create the user again)
adjust AppLocker
The PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine.
When adding a new component, you must also adjust AppLocker by adding an exception to PSMConfigureApplocker.xml:
- uncomment the line related to the new component
- run the PSMConfigureApplocker.ps1 script
Disable AppLocker
You can also disable AppLocker entirely (for isolating problems only) using the MMC snap-ins.
On the Start screen, type secpol.msc or gpedit.msc.
Go to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.
Click Configure rule enforcement and set Executable rules to Audit only.
Turn Enforce rules back on after testing.