PAM Administration

Common Issues

© 2023 CyberArk Software Ltd. All rights reserved


Agenda

By the end of this session, you will be able to resolve common issues related to:

1. User authentication
2. Component connectivity to the Vault
3. Automatic password management by CPM
4. Launching privileged sessions via PSM


User Authentication Issues



User Receives an Authentication Failure

The user (Bill) changed his network password recently and tried to log in to the PVWA with his old password. Now he is trying with his new password and it does not work. He contacts his Vault administrator.

Identifying the Error in the ITAlog

The Vault administrator can see in the ITAlog on the Vault that the user Bill failed to log in 5 times and was then suspended.


Unsuspend the User



Automatic Unsuspend
The Vault can be configured to unsuspend users automatically after a predefined time period,
using the UserLockoutPeriodInMinutes parameter in dbparm.ini.



Component Connectivity Issues



Identifying a Suspended Component

In the PVWA System Health page, we can see that the CPM user is disconnected.

With Component Monitoring enabled, if the CPM fails to connect to the Vault, the Vault Admin will receive an email notification.


Component Authentication Error

Occasionally, the passwords for a component user can get out of sync: the password stored in the Vault no longer matches the password stored in the credential file.
• There is a tool available in the CyberArk Support Vault that can be used to unsuspend component users (Solution 3643).
• These next few slides will show you how to do it manually for the default CPM component user PasswordManager.


1 Stop the CPM Services



2 Reset the Password in the Vault

Set the PasswordManager user’s password to a known value.


3 Unsuspend the Component User

In Trusted Net Areas, click Activate to unsuspend the user.


4 Generate a New Credential File

In the Vault folder under Password Manager, run the CreateCredFile command:

C:\Program Files (x86)\CyberArk\Password Manager\Vault>CreateCredFile.exe User.ini Password /username PasswordManager /password Cyberark1 /IpAddress /Hostname /EntropyFile
Command ended successfully

C:\Program Files (x86)\CyberArk\Password Manager\Vault>


5 Restart the CPM Services
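The five steps above as an added PowerShell example (this is not CyberArk tooling and not from the original deck): it scripts steps 1, 4 and 5 on the CPM server, while steps 2 and 3 are still done in the PrivateArk Client beforehand. The install path, the two CPM service display names and the zero exit code on success are assumptions.

```powershell
# Added example, not CyberArk code. Run as an administrator on the CPM server
# AFTER steps 2 and 3 (password reset in the Vault, Activate in Trusted Net Areas).
# Assumptions: default install path and these two CPM service display names.
$cpmRoot  = 'C:\Program Files (x86)\CyberArk\Password Manager'
$services = @('CyberArk Password Manager', 'CyberArk Central Policy Manager Scanner')

# Step 1: stop the CPM services so nothing holds or rewrites the old User.ini.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
}

# Step 4: regenerate User.ini with the password set in step 2. It is prompted
# for here instead of typed on the command line as on the slide, so it does not
# stay in the console history; /IpAddress /Hostname /EntropyFile bind the file
# to this machine exactly as the slide's command does.
$secure = Read-Host -Prompt 'PasswordManager password as set in the Vault' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Push-Location (Join-Path $cpmRoot 'Vault')
try {
    $output = & '.\CreateCredFile.exe' 'User.ini' 'Password' '/username' 'PasswordManager' `
              '/password' $plain '/IpAddress' '/Hostname' '/EntropyFile' 2>&1
} finally {
    Pop-Location
    $plain = $null
}
# The slide shows "Command ended successfully" on success; a zero exit code is
# assumed to accompany it. On failure the CPM is deliberately left stopped.
if ($LASTEXITCODE -ne 0 -or ($output -join "`n") -notmatch 'Command ended successfully') {
    throw "CreateCredFile failed, CPM services left stopped:`n$($output -join "`n")"
}

# Step 5: start the services again, Password Manager first, then the scanner.
foreach ($name in $services) {
    Start-Service -DisplayName $name
    (Get-Service -DisplayName $name).WaitForStatus('Running', '00:00:30')
}
Write-Host 'Credential file regenerated and CPM services restarted.'
```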



Resynch PTA Credentials

• In the event the PTA connectivity is not working, we may need to resynch the credentials for the PTA Vault users, as well as the credentials stored in the PTA_PAS_Gateway account (used for REST calls between PVWA and PTA).
• This can be done easily by running the VaultPermissionsValidation.sh script located in the utility folder on the PTA server.
• You can navigate to the utility folder by entering the following alias: UTILITYDIR


Common Issues Related to CPM



What Can Interfere With the CPM?

Local Computer Policy
• The Platform and Master Policy settings must not conflict with the password policy on the target device


Target Windows Accounts

Understanding the problem
• Which operations are affected: Verify / Change / Reconcile
• API and “net use” command
• Alternative plugins: WMI plugin / PowerShell plugin

Suggested Troubleshooting:
• Check Windows Event Viewer
• Check for unusual Local Security Settings
• Run “net use” manually from the CPM server to verify the connection

Syntax:
net use \\<target IP address>\IPC$ /user:<domain>\<username>


Target Unix Accounts

Understanding the problem
• Which operations are affected: Verify / Change / Reconcile / All

Suggested Troubleshooting:
• Running plink manually
• Disable DEP / add exceptions for DEP on the CPM server
• Prompts and Process files – add a basic prompt

Syntax:
C:\Program Files (x86)\CyberArk\Password Manager\bin\plink.exe <target IP address> -ssh -P <port>
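The manual “net use” and plink checks from the Windows and Unix slides, plus the DEP policy query, as one added PowerShell example for the CPM server (not CyberArk code and not from the original deck). The default plink path, the use of -batch, and the DEP policy value meanings are assumptions; the probe account password is prompted for.

```powershell
# Added example, not CyberArk code. Reproduces by hand the two connections the
# CPM makes, so a failure can be placed on the CPM side or on the target side.
# Assumption: default plink path from the slide.
$plink = 'C:\Program Files (x86)\CyberArk\Password Manager\bin\plink.exe'

function Test-CpmWindowsTarget {
    # Same check as the slide's "net use \\<target>\IPC$ /user:<domain>\<username>".
    param([string]$TargetIp, [string]$Domain, [string]$Username)
    $cred  = Get-Credential -UserName "$Domain\$Username" -Message "Password for $Domain\$Username"
    $pw    = $cred.GetNetworkCredential().Password
    $share = "\\$TargetIp\IPC`$"
    $out   = & net.exe use $share $pw "/user:$Domain\$Username" 2>&1
    $ok    = ($LASTEXITCODE -eq 0)
    if ($ok) { & net.exe use $share /delete /y | Out-Null }   # drop the test session again
    [pscustomobject]@{ Target = $TargetIp; Protocol = 'SMB IPC$'; Ok = $ok; Detail = ($out -join ' ').Trim() }
}

function Test-CpmUnixTarget {
    # Same check as the slide's "plink.exe <target> -ssh -P <port>", but with -batch so an
    # unknown host key or a missing login prompt fails at once instead of hanging the script.
    param([string]$TargetIp, [string]$Username, [int]$Port = 22)
    $cred = Get-Credential -UserName $Username -Message "Password for $Username on $TargetIp"
    $pw   = $cred.GetNetworkCredential().Password
    $out  = & $plink -batch -ssh -P $Port -l $Username -pw $pw $TargetIp 'echo CPM_PROBE_OK' 2>&1
    $ok   = ($LASTEXITCODE -eq 0) -and (($out -join "`n") -match 'CPM_PROBE_OK')
    [pscustomobject]@{ Target = $TargetIp; Protocol = "SSH/$Port"; Ok = $ok; Detail = ($out -join ' ').Trim() }
}

function Get-CpmDepPolicy {
    # DEP on the CPM server, listed on the Unix slide as a plink blocker. Assumed value
    # meanings: 0 AlwaysOff, 1 AlwaysOn (exception list ignored), 2 OptIn, 3 OptOut.
    $v = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{ Policy = $v; PlinkExceptionPossible = ($v -eq 2 -or $v -eq 3) }
}

# Usage (values are placeholders):
# Test-CpmWindowsTarget -TargetIp '10.0.0.5' -Domain 'LAB' -Username 'cpm-probe' | Format-List
# Test-CpmUnixTarget    -TargetIp '10.0.0.6' -Username 'cpm-probe' -Port 22   | Format-List
# Get-CpmDepPolicy
```

The Detail field carries the raw tool output, so a host-key refusal, a logon failure or a DEP crash of plink is visible as text rather than as a silent non-zero exit.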


Common Issues Related to PSM



PSM-RDP Connection Troubleshooting

Understanding the problem
• At what stage does the problem occur? PVWA / PSM / Target
• One account? Multiple accounts? Same type?
• Is the PSM hardened?
• Is the PSM in a domain?
• Which connection type is being used? RDP file / RemoteApp
• If there are multiple PSM servers, are they distributed or load balanced?


PSM-RDP Connection Troubleshooting

Suggested Troubleshooting:
• Check the PSM service – is it off/hanging?
• Logs and events on PSM server (System and Application)
• Disable NLA on PSM and target
• Initiate a manual connection with PSMConnect and run MSTSC to the target
• Check safe permissions (compare with other safes)
• Disable recording and auditing
• Check PSM Protocol version
• Increase Time-out values


Disable NLA

Network Level Authentication (NLA) requires the connecting user to authenticate themselves before a session is established with the server.

You can disable NLA in order to determine if that is causing the problem.
• On the PSM Machine or Target Machine: go to Control Panel → System and Security → System → Remote Settings


Connect Manually with PSMConnect

To manually test the PSMConnect user:
1. Go to the local Computer Management (or Active Directory) and disable the Start Program in the Environment tab.
2. Get the PSMConnect account password (using the PVWA or PrivateArk Client).
3. Connect to the PSM with PSMConnect and run MSTSC to the target.


Increase Timeouts

• Timeout parameters determine how long the PSM will wait for certain components to work before considering them as ‘failed’ and ending the session.
• Overloaded environments may suffer from longer times for certain components to begin working, so it is recommended to double their timeout values.

(e.g.) ConnectionComponentTimeout: 20000


PSM-[Component]

Understanding the problem
• PSM users (PSMConnect / Shadow users)
• Is it supported?
• Is Mapping drives enabled?

Suggested Troubleshooting:
• Same recommendations as for PSM-RDP
• Run component manually using shadow user
• Delete Shadow users (from PSM computer management)
• Adjust AppLocker (or remove it manually in Windows for isolation)


PSM Shadow Users

Shadow users are created by the PSM upon first connection. Shadow users are used to run connection components and store user preferences.

You can isolate problems related to shadow users by:
• Running the component manually as the shadow user (after password reset)
• Deleting the user (this will allow the PSM to create the user again)


Adjust AppLocker

The PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine.

When adding a new component, you must also adjust AppLocker by adding an exception to PSMConfigureApplocker.xml:
‒ Uncomment the line relating to the new component
‒ Run the PSMConfigureApplocker.ps1 script


Disable AppLocker

You can also disable AppLocker entirely (for isolating the problem only) using the MMC snap-ins:
1. On the Start screen, type secpol.msc or gpedit.msc
2. Go to Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
3. Click on Configure rule enforcement and set Executable Rules to Audit Only
4. Turn Enforce rules back on after testing
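The Audit Only switch from steps 3 and 4 above, scripted as an added PowerShell example for the PSM server (not CyberArk code and not from the original deck), together with a reader for the audit events that reveal which executable a new connection component still needs an exception for in PSMConfigureApplocker.xml. It assumes the local AppLocker policy is the one in effect on this PSM (no domain GPO overriding it) and that the AppLocker cmdlets and event IDs behave as commented.

```powershell
# Added example, not CyberArk code. Assumes the local AppLocker policy is what
# applies on this PSM; a domain GPO would win over it and must be handled there.
$backup = Join-Path $env:TEMP 'applocker-enforced-backup.xml'

function Set-PsmAppLockerExeMode {
    # Flip the Executable rule collection between AuditOnly (isolation test) and Enabled.
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode)
    [xml]$policy = Get-AppLockerPolicy -Local -Xml
    if ($Mode -eq 'AuditOnly') { $policy.Save($backup) }   # keep the enforced policy for step 4
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) { throw 'Local AppLocker policy has no Exe rule collection' }
    $exe.EnforcementMode = $Mode
    $tmp = Join-Path $env:TEMP "applocker-$Mode.xml"
    $policy.Save($tmp)
    Set-AppLockerPolicy -XmlPolicy $tmp     # replaces the local AppLocker policy
    Remove-Item $tmp
    "Exe rule collection is now $Mode"
}

function Get-PsmAppLockerAuditHits {
    # Event 8003 in the AppLocker EXE and DLL log = run was allowed only because the
    # collection is in audit mode, i.e. it would have been blocked under Enabled.
    param([int]$Last = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 8003 } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; User = $_.UserId; Detail = $_.Message } }
}

# Isolation workflow:
# Set-PsmAppLockerExeMode -Mode AuditOnly   # then reproduce the failing connection component
# Get-PsmAppLockerAuditHits                 # lists the binaries to add to PSMConfigureApplocker.xml
# Set-PsmAppLockerExeMode -Mode Enabled     # step 4; or: Set-AppLockerPolicy -XmlPolicy $backup
```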


Summary

In this lesson we learned about finding solutions to the following common issues:

• User authentication
• Component connectivity to the Vault
• Automatic password management by CPM
• Launching privileged sessions via PSM