
CyberArk PAS Solution Issues and Troubleshooting (PVWA, PSM, CPM)

This is my CyberArk learning post, recording the issues I met while working on the CyberArk PAS (Privileged Account Security) solution, which includes the following modules: PVWA (Password Vault Web Access), PSM (Privileged Session Manager) and CPM (Central Policy Manager).

List of my issues:
  • Issue: This app has been blocked
  • Issue: Network Level Authentication Disabled
  • Issue: RDS Installation - Collection Role failed to create
  • Issue: Remote Desktop Licensing mode is not configured
  • Issue: SSH through PSM failed
  • Issue: RDP Remote through PSM failed using local admin account
  • Issue: CyberArk System Health Dashboard
  • LDAP Log In without Entering Domain Name
  • Change Windows Local Admin Account Denied
  • Change Win Account Password Failed
  • PSM Session Failed Login - Username and Password is incorrect. 



Some of them can be fixed simply by changing group policy; some of them relate to RDS licensing.

Issue: This app has been blocked

1. Using PSM SSH to connect to a remote site fails with the error
"This app has been blocked by your system administrator."

This is AppLocker's block message. On a hardened PSM the executables that connection components may launch are whitelisted in PSMConfigureAppLocker.xml (in the PSM Hardening folder) and applied with PSMConfigureAppLocker.ps1, so the SSH client the connection component starts must be listed there.

Resolution:

Follow the CyberArk knowledge base article below.
Reference: https://cyberark-customers.force.com/s/article/00004458
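Before touching the AppLocker whitelist it helps to know exactly which binary was refused and for which user. The script below is an added example, not code from the original post or from CyberArk: it pulls the AppLocker block events from the PSM's event logs. It assumes it runs elevated on the PSM host; event IDs 8004 (EXE/DLL not allowed) and 8007 (script/MSI not allowed) are AppLocker's standard IDs.

```powershell
# Added example, not from the original post: list what AppLocker blocked on the
# PSM so you know which binary the SSH connection component tried to launch.
# Assumes it runs elevated on the PSM host. Event IDs 8004 (EXE/DLL not allowed)
# and 8007 (script/MSI not allowed) are AppLocker's standard IDs.
function Resolve-Sid {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $logs  = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        # Get-WinEvent raises a non-terminating error when a log has no matches; ignore it
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004, 8007; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    # TargetUser is a SID; for PSM sessions it is one of the shadow users
                    User     = Resolve-Sid $data.TargetUser
                    FilePath = $data.FullFilePath
                    Log      = $log
                }
            }
    }
}

Get-AppLockerBlocks -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The FilePath column is the value to add to the AppLocker configuration (as a path or, preferably, a publisher or hash rule for that executable), and the User column confirms the block happened in a shadow-user session rather than for an administrator logged on to the PSM console.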

Issue: Network Level Authentication Disabled

2. NLA was enabled on the PSM servers, whereas this deployment needed it disabled on the PSM's RDP listener.

Resolution:
Use domain group policy to disable it (the setting "Require user authentication for remote connections by using Network Level Authentication"). If a policy higher up enables NLA, a change made locally on the PSM is reverted at the next policy refresh, so the GPO itself has to change or the PSM OU has to be exempted.
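To see whether NLA is set locally or forced by a GPO, and to turn it off when it is only a local setting, the following added example (not code from the original post or from CyberArk) reads the listener and the policy registry values and uses the Terminal Services WMI class to change the listener. It assumes it runs elevated on the PSM host, that the listener is the default RDP-Tcp, and, as the post does, that this PSM needs NLA disabled.

```powershell
# Added example, not from the original post: report the NLA setting on the PSM's
# RDP listener and turn it off if needed. Assumes it runs elevated on the PSM
# host, that the listener is the default RDP-Tcp, and (as the post does) that
# this PSM needs NLA disabled.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-NlaState {
    # Effective listener value (what RDP enforces now) and the value the GPO
    # "Require user authentication for remote connections by using NLA" writes
    $listener = Get-ItemProperty -Path $ListenerKey -Name UserAuthentication -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $PolicyKey   -Name UserAuthentication -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ListenerNla = $(if ($listener) { $listener.UserAuthentication -eq 1 } else { $null })
        PolicyNla   = $(if ($policy)   { $policy.UserAuthentication   -eq 1 } else { $null })
    }
}

function Disable-Nla {
    # The WMI method applies without a reboot
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 0 } | Out-Null
}

$state = Get-NlaState
$state | Format-List
if ($state.PolicyNla -eq $true) {
    Write-Warning 'NLA is enforced by group policy: a local change is reverted at the next gpupdate. Change the GPO or exclude the PSM OU from it.'
} elseif ($state.ListenerNla -eq $true) {
    Disable-Nla
    Write-Host 'NLA disabled on RDP-Tcp; rerun Get-NlaState to confirm.'
} else {
    Write-Host 'NLA already disabled.'
}
```

PolicyNla set to $true is the case the post describes: fixing it on the PSM alone does not last, and the group policy is where the change belongs.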

Issue: RDS Installation - Collection Role failed to create

When installing the RDS role on a PSM server, you might hit an "RDS Collection Role Creation Failed" error.

Resolution:
Group policy related. Move the PSM servers out of the regular domain OU into a new OU that has no group policy linked to it other than the Default Domain Policy, run gpupdate /force on the PSM, then retry the installation.


Issue: Remote Desktop Licensing mode is not configured

RDS license issue. Server Manager shows the warning:
Remote Desktop licensing mode is not configured. Remote Desktop Services will stop working in 123 days. On the RD Connection Broker server, use Server Manager to specify the Remote Desktop licensing mode and the license server.

Resolution:
Configure the licensing mode (Per User or Per Device) and point the PSM at an RD license server that holds RDS CALs before the grace period counted down in the warning runs out. Once it expires, RDP logons to the PSM (including the PSMConnect sessions PVWA opens) stop working.
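The licensing mode and license server can be read and set from the PSM itself, which is handy when the RD Connection Broker role is not installed on the PSM. The script below is an added example, not code from the original post or from CyberArk; it assumes it runs elevated on the PSM host, and the license server name is a placeholder to replace with your own.

```powershell
# Added example, not from the original post: read the RDS licensing state on the
# PSM (mode, configured license server, grace days left) and set it when it is
# missing. Assumes it runs elevated on the PSM host; the license server name is
# a placeholder to replace with your own.
$LicenseServer = 'rdslic01.example.local'   # assumption: your RD licensing server
$LicensingMode = 4                          # 2 = Per Device, 4 = Per User

function Get-RdsLicensingState {
    $ts    = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TerminalServiceSetting
    $grace = Invoke-CimMethod -InputObject $ts -MethodName GetGracePeriodDays
    $pol   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # LicensingType 2 = Per Device, 4 = Per User; anything else means not configured for RDS
        LicensingType = $ts.LicensingType
        GraceDaysLeft = $grace.DaysLeft
        PolicyMode    = $pol.LicensingMode     # GPO "Set the Remote Desktop licensing mode"
        PolicyServers = $pol.LicenseServers    # GPO "Use the specified Remote Desktop license servers"
    }
}

function Set-RdsLicensing {
    param([string]$Server, [int]$Mode)
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TerminalServiceSetting
    Invoke-CimMethod -InputObject $ts -MethodName ChangeMode -Arguments @{ LicensingType = $Mode } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetSpecifiedLicenseServerList -Arguments @{ ServerList = [string[]]@($Server) } | Out-Null
}

$state = Get-RdsLicensingState
$state | Format-List
if ($state.LicensingType -notin 2, 4) {
    Set-RdsLicensing -Server $LicenseServer -Mode $LicensingMode
    Write-Host "Licensing set to mode $LicensingMode with server $LicenseServer; recheck with Get-RdsLicensingState and the RD Licensing Diagnoser."
}
```

If PolicyMode or PolicyServers is populated, the values come from a GPO and the WMI change is overwritten at the next refresh, so set them in the policy instead. GraceDaysLeft is the number the Server Manager warning shows.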

Issue: SSH through PSM failed

Symptoms:
Opening a remote SSH session through PSM fails with the message below, while RDP through the same PSM to a server on the same network works fine.

Cause and Solution:
A domain group policy had removed the PSMShadowUsers group's local logon access ("Allow log on locally") on the PSM server. The connection components run under shadow users, which are members of that group, so it must keep the right; restoring it in the policy (or exempting the PSM OU) fixed the SSH sessions.
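The quickest way to confirm this cause is to read the effective user rights on the PSM after policy has applied. The script below is an added example, not code from the original post or from CyberArk: it exports the user-rights area with secedit, resolves the SIDs, and reports whether PSMShadowUsers is allowed (SeInteractiveLogonRight) or explicitly denied (SeDenyInteractiveLogonRight) local logon. It assumes it runs elevated on the PSM host; the group name comes from the post, the right names are Windows' own constants.

```powershell
# Added example, not from the original post: confirm that the PSMShadowUsers
# local group still holds "Allow log on locally" (SeInteractiveLogonRight) and
# is not listed under "Deny log on locally" (SeDenyInteractiveLogonRight) after
# group policy has applied. Assumes it runs elevated on the PSM host; the
# group name comes from the post, the right names are Windows' own constants.
$GroupName = 'PSMShadowUsers'

function Resolve-Sid {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-UserRightMembers {
    param([string]$Right)
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # secedit writes SIDs prefixed with '*' and occasionally plain account names
    foreach ($entry in ($line -split '=', 2)[1].Trim() -split ',') {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { Resolve-Sid $entry.Substring(1) } else { $entry }
    }
}

function Test-PsmShadowLogon {
    $allow   = @(Get-UserRightMembers -Right 'SeInteractiveLogonRight')
    $deny    = @(Get-UserRightMembers -Right 'SeDenyInteractiveLogonRight')
    $pattern = "\\$GroupName$"
    [pscustomobject]@{
        GroupExists    = [bool](Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)
        AllowedLocally = @($allow -match $pattern).Count -gt 0
        DeniedLocally  = @($deny  -match $pattern).Count -gt 0
        AllowList      = $allow
    }
}

$r = Test-PsmShadowLogon
$r | Format-List
if (-not $r.GroupExists -or -not $r.AllowedLocally -or $r.DeniedLocally) {
    Write-Warning "$GroupName cannot log on locally. Run 'gpresult /h gp.html' to find the GPO that sets Allow/Deny log on locally and exempt the PSM OU."
}
```

A "Deny log on locally" entry wins over an "Allow" entry, so both are checked; the AllowList column shows exactly which groups the policy left in place, which is what you compare against the PSM hardening requirements.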


Issue: RDP Remote through PSM failed using local admin account

Logging into a remote server through PSM with a local admin account failed with the error below.

Resolution:
This turned out to be a network connectivity issue between the PSM and the remote destination, not an account problem. If you hit this error, RDP directly from the PSM server to the target (mstsc from the PSM console, or Test-NetConnection -ComputerName <target> -Port 3389 in PowerShell) to see whether the same failure reproduces without PSM in the path.

Issue: CyberArk System Health Dashboard

The System Health dashboard in PVWA reported a problem that was related to a DR replication error. The relevant log entries were found on the active Vault server, in this file:
C:\Program Files (x86)\PrivateArk\Server\Logs\italog.log

Note: Server 192.23.1.25 is the PVWA.

The issue can be fixed by following the CyberArk article:
PVWA – How to create / update credential files for PVWA manually?

For the problem PSM server:
  • check the user names in psmapp.cred and psmgw.cred
  • run CreateCredFile.exe on the problem PSM server to set a new password in each credential file
  • update those users' passwords in the Vault to the same values

Same process for the PVWA server users:
  • check appuser.ini and gwuser.ini under the folder C:\CyberArk\Password Vault Web Access\CredFiles
  • the user names are in those two files
  • run CreateCredFile.exe on the problem PVWA server to set a new password in each credential file
  • update those users' passwords in the Vault to the same values

The PVWA side looked like this (passwords masked):

C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe appuser.ini
Vault Username [mandatory] ==> PVWAAppUser1
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==> PVWAAPP
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine
Command ended successfully

C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe gwuser.ini
Vault Username [mandatory] ==> PVWAGWUser1
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==>
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine
Command ended successfully
C:\Windows\system32>iisreset

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted



After rebooting both the DR and main PSM and PVWA servers, the system finally returned to a healthy status.


LDAP Log In without Entering Domain Name

To fix the UPN login user name, do the following:
  1. Log in to PVWA with an admin account
  2. Navigate to: Configuration options > LDAP integration > LDAP
  3. Change AddDomainToUserName to No
  4. Make sure it saves
NOTE: This will duplicate your user in the Vault (it will now be test1 instead of [email protected]). So either delete your [email protected] user after making the change, or delete it before (it makes no difference).
NOTE2: You might lose any saved views or personal preferences; you will need to recreate them.
You will need to do this for all existing users that have the full UPN, and they may now log in with the sAMAccountName (test1 in your case).

You shouldn't need to do anything else. It's best to do this now, before you get a lot of users creating themselves in the Vault.

To fix the secondary login through the RDP proxy:
Firstly, I should note it's bad practice to save your credentials in RDCM (Remote Desktop Connection Manager), but you can't stop your users from doing it. However, if they do, they should include the logon domain in the settings:
Username: test1
Password: *******
Domain: 51sec.org


If you use another format, it logs you in to PSM, but the Vault expects the user name only (not including the domain).

Change Windows Local Admin Account Denied

Error in changepass operation to user 172.2.1.12\tmpadmin on domain 172.2.1.12(\\172.2.1.12) with logon account. Reason: Access is denied. (winRc=5). Logon account details - Safe: Win-Logon-Reconcile-ISO, Folder: Root, Object: Operating System-WinSrvLocal-172.2.1.12-appadmin The CPM is trying to change this password because its status matches the following search criteria: ResetImmediately.

winRc=5: This error typically happens when the account performing the change does not have permission to do it. Check whether the logon account (here appadmin, a local administrator on 172.2.1.12) is actually allowed to change the target account's password. For a local administrator connecting over the network, UAC's remote token filtering strips the administrative rights from the logon token, which is exactly what produces "Access is denied" here and why the resolution below changes the UAC policy.

SOLUTION:

1) On the target machine, log in as an administrator
2) Launch "Start" -> "Administrative Tools" -> "Local Security Policy"
3) Expand "Local Policies", then click "Security Options"
4) Double-click "User Account Control: Run all administrators in Admin Approval Mode"
5) Select "Disabled"
6) Click "Apply"
7) Reboot the system
Reference: https://cyberark-customers.force.com/s/article/00003277

Note: If you are using a local admin account as the logon account, you need this policy change (remote UAC filtering only applies to local accounts). If you are using a domain admin account, this step is not necessary.


There is another workaround for this issue:
Go to the platform, click Edit, expand Automatic Password Management > Additional Policy Settings, and change ChangePasswordInResetMode from No to Yes.

This makes the CPM perform the change as a reset done by the reconcile account instead of a change done with the logon account. It is set at the platform level, so it applies to every account on that platform, and each of those accounts must have a reconcile account associated with it.
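Disabling Admin Approval Mode, as the KB does, turns UAC off for every administrator on the target and needs a reboot. The narrower switch for the same winRc=5 symptom is LocalAccountTokenFilterPolicy, which only stops remote UAC filtering for local accounts. The script below is an added example, not code from the original post or from CyberArk: it reads both values on the target and applies the narrower one when neither is set. It assumes it runs elevated on the target server (172.2.1.12 in the post).

```powershell
# Added example, not from the original post: read the two registry values on
# the target server that decide whether a local administrator used over the
# network keeps its admin token (the winRc=5 case above) and apply the
# narrower of the two fixes. Assumes it runs elevated on the target
# (172.2.1.12 in the post).
$SystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RemoteUacState {
    $p = Get-ItemProperty -Path $SystemPolicy
    [pscustomobject]@{
        # 1 = "Run all administrators in Admin Approval Mode" enabled (default); the KB sets it to 0
        EnableLUA                     = $p.EnableLUA
        # 1 = local admin accounts get a full token on network logons (remote UAC filtering off)
        LocalAccountTokenFilterPolicy = $p.LocalAccountTokenFilterPolicy
    }
}

function Test-LocalAdminRemoteChangeAllowed {
    $s = Get-RemoteUacState
    ($s.EnableLUA -eq 0) -or ($s.LocalAccountTokenFilterPolicy -eq 1)
}

function Enable-LocalAdminRemoteToken {
    # Only affects network logons by local accounts; domain accounts and the
    # interactive UAC prompt are untouched, and no reboot is needed.
    Set-ItemProperty -Path $SystemPolicy -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
}

Get-RemoteUacState | Format-List
if (-not (Test-LocalAdminRemoteChangeAllowed)) {
    Enable-LocalAdminRemoteToken
    Write-Host 'Remote UAC filtering disabled for local admin accounts; retry the CPM change (no reboot required).'
}
```

Either value makes the CPM change work with a local admin logon account; LocalAccountTokenFilterPolicy leaves UAC in place for interactive sessions, which is why it is the one to prefer on a server that people also log on to. The ChangePasswordInResetMode platform setting avoids the question entirely by having the reconcile account do the reset.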





Change Win Account Password Failed

The change failed because the new password did not meet the target's password policy requirements.

Error in changepass operation to user 172.2.1.12\tmpadmin on domain 172.2.1.12(\\172.2.1.12) with logon account. Reason: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (winRc=2245). Logon account details - Safe: Win-Logon-Reconcile-ISO, Folder: Root, Object: Operating System-WinSrvLocal-172.2.1.12-appadmin The CPM is trying to change this password because its status matches the following search criteria: ResetImmediately.

winRc=2245: This error happens when the target enforces restrictions such as minimum password length, password complexity, password history or minimum password age. Check the platform's password policy (length, complexity) against the target's, or use a reconcile account that has permission to reset the target account; a reset by the reconcile account is an administrative reset, so it is not bound by the minimum password age the way a change made with the account's own credentials is.
For me, I was violating the minimum password age (1 day) policy rule. I waited one day, tested it again, and it worked.
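Rather than waiting a day to find out, the policy can be read from the target and compared with the account's PasswordLastSet before the CPM change is re-triggered. The script below is an added example, not code from the original post or from CyberArk: it parses the `net accounts` report and works out the earliest time a user-initiated change is allowed. It assumes it runs on the target server (or inside Invoke-Command to it); the account name tmpadmin comes from the post.

```powershell
# Added example, not from the original post: check the target's local password
# policy and the account's password age before re-triggering the CPM change,
# so a winRc=2245 can be predicted instead of discovered. Assumes it runs on
# the target server (or inside Invoke-Command to it); the account name
# tmpadmin comes from the post.
$Account = 'tmpadmin'

function ConvertTo-PolicyNumber {
    # 'net accounts' prints 'None' / 'Unlimited' / 'Never' for unset values
    param([string]$Value)
    if ($Value -match '^\d+$') { [int]$Value } else { 0 }
}

function Get-LocalPasswordPolicy {
    $report = net accounts
    $pick = {
        param([string]$Label)
        ($report | Where-Object { $_ -like "$Label*" } | Select-Object -First 1) -replace '^.*:\s*', ''
    }
    [pscustomobject]@{
        MinAgeDays   = ConvertTo-PolicyNumber (& $pick 'Minimum password age')
        MaxAgeDays   = ConvertTo-PolicyNumber (& $pick 'Maximum password age')
        MinLength    = ConvertTo-PolicyNumber (& $pick 'Minimum password length')
        HistoryCount = ConvertTo-PolicyNumber (& $pick 'Length of password history')
    }
}

function Test-PasswordChangeAllowed {
    param([string]$Name)
    $policy   = Get-LocalPasswordPolicy
    $user     = Get-LocalUser -Name $Name -ErrorAction Stop
    $lastSet  = $user.PasswordLastSet
    $earliest = $(if ($lastSet) { $lastSet.AddDays($policy.MinAgeDays) } else { Get-Date })
    [pscustomobject]@{
        Account         = $Name
        PasswordLastSet = $lastSet
        MinAgeDays      = $policy.MinAgeDays
        # A change with the account's own credentials before this time is rejected;
        # an administrative reset (reconcile account) is not bound by minimum age
        EarliestChange  = $earliest
        MinAgeSatisfied = (Get-Date) -ge $earliest
        MinLength       = $policy.MinLength
        HistoryCount    = $policy.HistoryCount
    }
}

Test-PasswordChangeAllowed -Name $Account | Format-List
```

MinLength and HistoryCount are the numbers the platform's password policy must satisfy (password length at least MinLength, and the CPM's generated passwords are random, so history is rarely the problem); MinAgeSatisfied is the check that explains the case in the post.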

PSM Session Failed Login - Username and Password is incorrect.

Using PVWA to connect to a remote RDP server fails before PSM can launch the remote RDP session: the log-in to the PSM server itself fails with "The username and password is incorrect".

This usually relates to the PSM server's local accounts:
1. PSMConnect - used by the RDP session that logs into the PSM server.
2. PSMAdminConnect - used for auditor monitoring of live sessions.

The passwords of these two accounts may have fallen out of sync with the Vault. Use PVWA to show the Vault's password for each account and set the PSM server's local PSMConnect and PSMAdminConnect passwords to match; the local account must hold exactly what the Vault holds, because that is the value PVWA hands to the RDP session.
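Before resetting, it is worth checking which of the two accounts is actually out of sync, since a disabled or expired account gives the same logon error as a wrong password. The script below is an added example, not code from the original post or from CyberArk: it validates the value shown by PVWA against the local account with the .NET PrincipalContext class and only resets the accounts that fail. It assumes it runs elevated on the PSM host; the password is read from the prompt as a SecureString and never written to disk.

```powershell
# Added example, not from the original post: on the PSM server, test whether the
# local PSMConnect / PSMAdminConnect passwords still match what the Vault holds
# (paste the value shown by PVWA into the prompt) and reset the ones that do
# not. Assumes it runs elevated on the PSM host; nothing is written to disk.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalCredential {
    param([string]$User, [securestring]$Password)
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        # ValidateCredentials also returns $false for a disabled or locked-out account
        $ctx.ValidateCredentials($User, [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $ctx.Dispose()
    }
}

function Sync-PsmLocalAccount {
    param([string]$User)
    $acct = Get-LocalUser -Name $User -ErrorAction Stop
    if (-not $acct.Enabled) {
        Write-Warning "$User is disabled; enabling it."
        Enable-LocalUser -Name $User
    }
    if ($acct.PasswordExpires) {
        Write-Warning "$User has a password expiry ($($acct.PasswordExpires)); an expired password gives the same logon error."
    }
    $pw = Read-Host "Vault password for $User" -AsSecureString
    if (Test-LocalCredential -User $User -Password $pw) {
        Write-Host "$User already matches the Vault; look at lockout or expiry instead (net user $User)."
        return $false
    }
    Set-LocalUser -Name $User -Password $pw
    Write-Host "$User reset to the Vault value; retry the PSM connection."
    return $true
}

'PSMConnect', 'PSMAdminConnect' | ForEach-Object { Sync-PsmLocalAccount -User $_ }
```

If both accounts already validate, the password is not the cause; `net user PSMConnect` shows whether the account is locked out, and the PasswordExpires warning above catches the case where a local password-expiry policy has been applied to the PSM accounts.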

CACPM177E Error while creating extra passwords section - Safe not found.


This is usually caused by no CPM being assigned to the Safe. Edit the Safe in PVWA, select a CPM for it, and the error goes away on the next CPM cycle.




