
20-PAM-ADMIN Troubleshooting Common Issues

Uploaded by

yaohang

Troubleshooting Common Issues

Agenda

By the end of this session, you will be able to perform basic troubleshooting tasks to resolve common issues related to:

• User authentication
• Component connectivity to the Vault
• Automatic password management by CPM
• Launching privileged sessions via PSM

Copyright © 2021 CyberArk Software Ltd. All rights reserved. cyberark.com


User Authentication Issues



User Receives an Authentication Failure

Bill is unable to log in. He changed his network password recently and tried to log in to the PVWA with his old password. Now he is trying with his new password and it does not work. He contacts his Vault administrator.

The Vault administrator can see in the ITAlog on the Vault that the user Bill failed to log in 5 times and then was suspended.

The Vault can be configured to unsuspend users automatically after a predefined time period,
using the UserLockoutPeriodInMinutes parameter in dbparm.ini.

Component Connectivity Issues



In the PVWA System Health, we can see that the CPM user is disconnected.

With Component Monitoring enabled, if the CPM fails to connect to the Vault, the Vault Admin will receive an email notification.

• Occasionally, the passwords for a component user can get out of sync: the password stored in the Vault no longer matches the password stored in the credential file.
• There is a tool available in the CyberArk Support Vault that can be used to unsuspend component users (Solution 3643).
• These next few slides will show you how to do it manually for the default CPM component user PasswordManager.

1

2. Set the PasswordManager user’s password to a known value.

3. In Trusted Net Areas, click Activate to unsuspend the user.

4. In the Vault folder under Password Manager, run the command: CreateCredFile.exe user.ini

5

• If PTA connectivity is not working, we may need to resync the credentials for the PTA Vault users, as well as the credentials stored in the PTA_PAS_Gateway account (used for REST calls between PVWA and PTA).
• This can be done easily by running the VaultPermissionsValidation.sh script located in the utility folder on the PTA server.
• You can navigate to the utility folder by entering the following alias:
UTILITYDIR

Common Issues Related to CPM



Local Computer Policy

• The Platform and Master Policy settings must not conflict with the password policy on the target device.

Understanding the problem:
• Verify / Change / Reconcile
• API and “net use” command
• Alternative plugins: WMI plugin / PowerShell plugin

Suggested Troubleshooting:
• Check Windows Event Viewer
• Check for unusual Local Security Settings
• Run “net use” manually from the CPM server to verify the connection

Syntax:
net use \\<target IP address>\IPC$ /user:<domain>\<username>
Understanding the problem:
• Which operations are affected: Verify / Change / Reconcile / All

Suggested Troubleshooting:
• Run plink manually
• Disable DEP / add exceptions for DEP on the CPM server
• Prompts and Process files – add a basic prompt

Syntax:
"C:\Program Files (x86)\CyberArk\Password Manager\bin\plink.exe" <target IP address> -ssh -P <port>

Common Issues Related to PSM



Understanding the problem

► At what stage does the problem occur? PVWA / PSM / Target

► One account? Multiple accounts? Same type?

► Is the PSM hardened?

► Is the PSM in a domain?

► Which connection type is being used? RDP file / RemoteApp

► If there are multiple PSM servers, are they distributed or load balanced?



Suggested Troubleshooting:

► Check the PSM service – is it off/hanging?

► Logs and events on PSM server (System and Application)

► Disable NLA on PSM and target

► Initiate a manual connection with PSMConnect and run MSTSC to the target

► Check safe permissions (compare with other safes)

► Disable recording and auditing

► Check PSM Protocol version

► Increase Time-out values




Network Level Authentication (NLA) requires the connecting user to authenticate themselves before a session is established with the server.

You can disable NLA in order to determine if that is causing the problem.
• On the PSM Machine or Target Machine: Go to Control Panel → System and Security → System → Remote Settings

To manually test the PSMConnect user:
1. Go to the local Computer Management (or Active Directory) and disable the Start Program in the Environment tab.
2. Get the PSMConnect account password (using the PVWA or PrivateArk Client).
3. Connect to the PSM with PSMConnect and run MSTSC to the target.

• Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session.
• Overloaded environments may suffer from longer times for certain components to begin working, so it is recommended to double their timeout values.

(e.g.) ConnectionComponentTimeout: 20000

Understanding the problem:
• PSM users (PSMConnect / Shadow users)
• Is it supported?
• Is Mapping drives enabled?

Suggested Troubleshooting:
• Same recommendations as for PSM-RDP
• Run component manually using shadow user
• Delete Shadow users (from PSM computer management)
• Adjust AppLocker (or remove it manually in Windows for isolation)

Shadow users are created by the PSM upon first connection. Shadow users are used to run connection components and store user preferences.

You can isolate problems related to shadow users by:
• Running the component manually as the shadow user (after password reset)
• Deleting the user (this will allow the PSM to create the user again)

The PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine.

When adding a new component, you must also adjust AppLocker by:
• Adding an exception to PSMConfigureApplocker.xml
  – Uncomment the line relating to the new component
• Running the PSMConfigureApplocker.ps1 script
You can also disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins:
1. On the Start screen, type secpol.msc or gpedit.msc
2. Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
3. Click on Configure rule enforcement and set Executable Rules to Audit Only
4. Turn Enforce rules back on after testing

Summary

In this session we covered basic troubleshooting steps to resolve common issues related to:

• User authentication
• Component connectivity to the Vault
• Automatic password management by CPM
• Launching privileged sessions via PSM
