19-PAM-ADMIN-Common-Issues.pdf
Document Details
Uploaded by FancySarod
CyberArk University
2023
Tags
Full Transcript
PAM Administration Common Issues © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to resolve common issues related to:...
PAM Administration Common Issues © 2023 CyberArk Software Ltd. All rights reserved By the end of this session, you will be able to resolve common issues related to: 1. User authentication Agenda 2. Component connectivity to the Vault 3. Automatic password management by CPM 4. Launching privileged sessions via PSM © 2023 CyberArk Software Ltd. All rights reserved User Authentication Issues © 2023 CyberArk Software Ltd. All rights reserved User Receives an Authentication Failure He changed his network password recently and tried to log in to the PVWA with his old password. Now he is trying with his new password and it does not work. He contacts his Vault administrator. Identifying the Error in the ITAlog The Vault administrator can see in the ITAlog on the Vault that the user Bill failed to log in 5 times and then was suspended. © 2023 CyberArk Software Ltd. All rights reserved Unsuspend the User © 2023 CyberArk Software Ltd. All rights reserved Automatic Unsuspend The Vault can be configured to unsuspend users automatically after a predefined time period, using the UserLockoutPeriodInMinutes parameter in dbparm.ini. © 2023 CyberArk Software Ltd. All rights reserved Component Connectivity Issues © 2023 CyberArk Software Ltd. All rights reserved Identifying a Suspended Component In the PVWA System Health, we can see that the CPM user is disconnected With Component Monitoring enabled, if the CPM fails to connect to the Vault, the Vault Admin will receive an email notification © 2023 CyberArk Software Ltd. All rights reserved Component Authentication Error Occasionally, the passwords for a component user can get out of sync: the password stored in the Vault no longer matches the password stored in the credential file. There is a tool available in the CyberArk Support Vault that can be used to unsuspend component users (Solution 3643). These next few slides will show you how to do it manually for the default CPM component user PasswordManager. © 2023 CyberArk Software Ltd. All rights reserved 1 Stop the CPM Services © 2023 CyberArk Software Ltd. All rights reserved 2 Reset the Password in the Vault Set the PasswordManager user’s password to a known value. © 2023 CyberArk Software Ltd. All rights reserved 3 Unsuspend the Component User In Trusted Net Areas, click Activate to unsuspend the user © 2023 CyberArk Software Ltd. All rights reserved 4 Generate a New Credential File In the Vault folder under Password Manager, run the createcredfile command: C:\Program Files (x86)\CyberArk\Password Manager\Vault>CreateCredFile.exe User.ini Password /username PasswordManager /password Cyberark1 /IpAddress /Hostname /EntropyFile Command ended successfully C:\Proagram Files (x86)\CyberArk\Password Manager\Vault © 2023 CyberArk Software Ltd. All rights reserved 5 Restart the CPM Services © 2023 CyberArk Software Ltd. All rights reserved Resynch PTA Credentials In the event the PTA connectivity is not working, we may need to resynch the credentials for the PTA Vault users, as well as the credentials stored in the PTA_PAS_Gateway account (used for REST calls between PVWA and PTA). This can be done easily by running the VaultPermissionsValidation.sh script located in the utility folder on the PTA server. You can navigate to the utility folder by entering the following alias: UTILITYDIR © 2023 CyberArk Software Ltd. All rights reserved Common Issues Related to CPM © 2023 CyberArk Software Ltd. All rights reserved What Can Interfere With the CPM? Local Computer Policy The Platform and Master Policy settings must not conflict with the password policy on the target device © 2023 CyberArk Software Ltd. All rights reserved Target Windows Accounts Understanding the problem Verify / Change / Reconcile API and “net use” command Alternative plugins: WMI plugin / PowerShell plugin Suggested Troubleshooting: Check Windows Event Viewer Syntax: Check for unusual Local Security net use \\\IPC$ /user:\ Settings Run “net use” manually from the CPM server to verify the connection © 2023 CyberArk Software Ltd. All rights reserved Target Unix Accounts Understanding the problem Which operations are affected: Verify / Change / Reconcile / All Suggested Troubleshooting: Running plink manually Disable DEP / add exceptions for Syntax: DEP on the CPM server C:\Program Files (x86)\CyberArk\Password Prompts and Process files – add a Manager\bin\plink.exe -ssh -P basic prompt © 2023 CyberArk Software Ltd. All rights reserved Common Issues Related to PSM © 2023 CyberArk Software Ltd. All rights reserved PSM-RDP Connection Troubleshooting Understanding the problem At what stage does the problem occur? PVWA / PSM / Target One account? Multiple accounts? Same type? Is the PSM hardened? Is the PSM in a domain? Which connection type is being used? RDP file / RemoteApp If there are multiple PSM servers, are they distributed or load balanced? © 2023 CyberArk Software Ltd. All rights reserved PSM-RDP Connection Troubleshooting Suggested Troubleshooting: Check the PSM service – is it off/hanging? Logs and events on PSM server (System and Application) Disable NLA on PSM and target Initiate a manual connection with PSMConnect and run MSTSC to the target Check safe permissions (compare with other safes) Disable recording and auditing Check PSM Protocol version Increase Time-out values © 2023 CyberArk Software Ltd. All rights reserved Disable NLA Network Level Authentication (NLA) requires the connecting user to authenticate themselves before a session is established with the server. You can disable NLA in order to determine if that is causing the problem. On the PSM Machine or Target Machine: Go to Control Panel → System and Security → System → Remote Settings © 2023 CyberArk Software Ltd. All rights reserved Connect Manually with PSMConnect To manually test the PSMConnect user 1. Go to the local Computer Management (or Active Directory) and disable the Start Program in the Environment tab. 2. Get the PSMConnect account password (using the PVWA or PrivateArk Client). 3. Connect to the PSM with PSMConnect and run MSTSC to the target. © 2023 CyberArk Software Ltd. All rights reserved Increase Timeouts Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session. Overloaded environments may suffer from longer times for certain components to begin working, so it is recommended to double their timeout values. (e.g.) ConnectionComponentTimeout: 20000 © 2023 CyberArk Software Ltd. All rights reserved PSM-[Component] Understanding the problem PSM users (PSMConnect / Shadow users) Is it supported? Is Mapping drives enabled? Suggested Troubleshooting: Same recommendations as for PSM-RDP Run component manually using shadow user Delete Shadow users (from PSM computer management) Adjust AppLocker (or remove it manually in Windows for isolation) © 2023 CyberArk Software Ltd. All rights reserved PSM Shadow Users Shadow users are created by the PSM upon first connection. Shadow users are used to run connection components and store user preferences. You can isolate problems related to shadow users by: Running the component manually as the shadow user (after password reset) Deleting the user (this will allow the PSM to create the user again) © 2023 CyberArk Software Ltd. All rights reserved Adjust AppLocker The PSM uses the Windows AppLocker feature which defines a set of rules that allow or deny applications from running on the PSM machine. When adding a new component, you must also adjust AppLocker by adding an exception to PSMConfigureApplocker.xml ‒ Uncomment the line relating to the new component Running the PSMConfigureApplocker.ps1 script © 2023 CyberArk Software Ltd. All rights reserved Disable AppLocker You can also disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins: 1. On the Start screen,type secpol.msc or gpedit.msc 2. Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker 3. Click on Configure rule enforcement and set Executable Rules to Audit Only 4. Turn Enforce rules back on after testing © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this lesson we learned about finding solutions to the following common issues: User authentication Component connectivity to the Vault Automatic password management by CPM Launching privileged sessions via PSM © 2023 CyberArk Software Ltd. All rights reserved