Comments

Latest Posts

CyberArk PAS Configuration Issues and Troubleshooting (PVWA)

This is my CyberArk troubleshooting post to record those issues I met during working on CyberArk PAS (Privileged Account Security) Solutions including following modules: PVWA (Password Vault Web Access), PSM (Privileged Session Manager), CPM (Central Policy Manager).
  • PVWA:Reports Fail When Run As Administrator
  • CyberArk System Health Dashboard
  • LDAP Log In without Entering Domain Name
  • Change Windows Local Admin Account Denied
  • Change Win Account Password Failed
  • PVWA login : Your session has expired
  • Error with Network Level Authentication and CredSSP encryption oracle remediation
  • ITATS450E Owner xyz is the quota Owner of Safe
  • PVWA Prompted to Change Password
  • A potentially dangerous value was detected from the client

Reports Fail When Run As Administrator

Logged in PVWA as built-in administrator user, but got a failed notification when running a report.

You can find error "impersonate for administrator is not allowed." from Vault Server Consle. Or related logs in Vault log file:

CASW024E Failed in Internal Impersonate for user [Administrator]. Reason: ITATS968E Impersonation is not allowed for User Administrator.

PROBLEM:
This is a known limitation with the Password Vault Web Access report engine.
SOLUTION:
Connect to the PVWA as a user other than Administrator to run reports.


CyberArk System Health Dashboard 




It is relating to DR replication error. here is log found from active Vault server. Log can be found from this file: C:\Program Files (x86)\PrivateArk\Server\Logs\italog.log

Note: Server 192.23.1.25 is PVWA

Issue can be fixed based on CyberArk Article:
PVWA – How to create / update credential files for PVWA manually?

for problem psm server:
  • check username in psmapp.cred and psmgw.cred 
  • use command at problem psm server to change password
  • update users' password in the vault

same process for pvwa server users.
  • check appuser.ini and gwuser.ini under folder : C:\CyberArk\Password Vault Web Access\CredFiles
  • You will find user name in those two files.
  • use command at problem pvwa server to change password
  • update users' password in the vault

C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe appuser.ini
Vault Username [mandatory] ==> PVWAAppUser1
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==> PVWAAPP
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine
Command ended successfully

C:\CyberArk\Password Vault Web Access\Env>CreateCredFile.exe gwuser.ini
Vault Username [mandatory] ==> PVWAGWUser1
Vault Password (will be encrypted in credential file) ==> *********
Disable wait for DR synchronization before allowing password change (yes/no) [No] ==>
External Authentication Facility (LDAP/Radius/No) [No] ==>
Restrict to Application Type [optional] ==>
Restrict to Executable Path [optional] ==>
Restrict to current machine IP (yes/no) [No] ==>
Restrict to current machine hostname (yes/no) [No] ==>
Restrict to OS User name [optional] ==>
Display Restrictions in output file (yes/no) [No] ==>
Use Operating System Protected Storage for credentials file secret (Machine/User/No) [No] ==> Machine
Command ended successfully
C:\Windows\system32>iisreset

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted



After rebooted both DR and main  PSM & PVWA servers, system finally got back into healthy status.


LDAP Log In without Entering Domain Name

To fix the UPN login username, do the following:
  1. Login to PVWA with an admin account
  2. Navigate to: Configuration options>LDAP integration>LDAP
  3. Change AddDomainToUserName to No
  4. Make sure it saves
NOTE: This will duplicate your user on the Vault (it will now be test1 instead of [email protected]). So now either delete your test1@ user after making the change, or delete it before (it makes no difference).
NOTE2: You might lose any saved views or personal preferences, you will need to recreate.
You will need to do this for all existing users that have the full UPN, and they may now login with the SAMAccountName (test1 in your case).

You shouldn’t need to do anything else. Its best to do this now before you get a lot of users creating themselves in the Vault

To fix the secondary login through RDP proxy:
Firstly I should note its bad practice to save your credentials in RDCM, but you cant stop your users from doing it. However if they do, they should include the logon domain into the settings:
Username: test1
Password: *******
Domain: 51sec.org


If you use another format, it works to log you in to PSM, but the Vault expects the username only (not including the domain)

Change Windows Local Admin Account Denied

Error in changepass operation to user 172.2.1.12\tmpadmin on domain 172.2.1.12(\\172.2.1.12) with logon account. Reason: Access is denied. (winRc=5). Logon account details - Safe: Win-Logon-Reconcile-ISO, Folder: Root, Object: Operating System-WinSrvLocal-172.2.1.12-appadmin The CPM is trying to change this password because its status matches the following search criteria: ResetImmediately.

Winrc=5 : This error typically happens when the account does not have permission to perform change. Does the user have permission to change its own password ?

SOLUTION:

1) On the target machine, log in as an administrator
2) Launch "Start" -> "Administrative Tools" -> "Local Security Policy"
3) Expand "Local Policies", then click "Security Options"
4) Double click on "User Account Control: Run all administrators in Admin Approval Mode"
5) Check the "Disabled" button
6) Click "Apply"
7) Reboot the system
Reference: https://cyberark-customers.force.com/s/article/00003277

Note: If you are using a local admin account as logon account , you will need to make this policy change. But if you are using domain admin account, this step is not necessary.


There is another workaround for this issue:
Go to platform , edit , right click Automatic Password Management, Additional Policy Settings , change ChangePasswordInResetMode from no to Yes.

This will enable change password behavour to be done by reconcile account. It is on platform level. You will have make sure your account has a reconcile account associate with it.


Change Win Account Password Failed 

Failed because the password does not meet the password policy requirements.

Error in changepass operation to user 172.2.1.12\tmpadmin on domain 172.2.1.12(\\172.2.1.12) with logon account. Reason: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (winRc=2245). Logon account details - Safe: Win-Logon-Reconcile-ISO, Folder: Root, Object: Operating System-WinSrvLocal-172.2.1.12-appadmin The CPM is trying to change this password because its status matches the following search criteria: ResetImmediately.

Winrc=2245: This error happens when there are restrictions like minimum password length, password complexity and password history requirements. In this scenario you could use a reconcile account which permission to reset target account in question. Basically you are using Recon account to reset password of other accounts.
For me, I am violating this minimum password age 1 days policy rule. I waited one day to test it again and it works.



PVWA login : Your session has expired

Tried to log in PVWA and got this error. Tried a different account and still same.

Solution is simple, iisreset on PVWA server.



ITATS450E Owner xyz is the quota Owner of Safe

Sometims, you will have a problem to remove a safe member which is safe's quota owner.

https://cyberark-customers.force.com/s/article/00000991
PROBLEM:
Any user who creates a safe is the Safe's quota owner and cannot be removed unless another user with appropriate permission (Administer Safe and Manage Safe Owners) takes the Safe's quota ownership.

SOLUTION:
1. Log on with a user who has Administer Safe and Manage Safe Owners authorization on that Safe
2. Go to Safe | Properties and check the "Take Safe quota to my account" box on the General tab
3. Remove the previous quota owner from the list of Safe owners

PVWA Prompted to Change LDAP Login Password

Once you logged in PVWA using LDAP or other non-CyberArk authentication method, it might notify you to change password. 
CyberArk will check your LDAP login's expiration date and by default, if it found it will expire in 7 days, it will ask you to change it.

The settings are in following page. It is at Options -> Authentication Methods -> Generalsettings ->AllowPasswordChangeInNonCyberArkAuth 
The AllowPasswordChangeInNonCyberArkAuth parameter determines whether or not users who are logged on with LDAP authentication will be able to change their passwords.

The PasswordExpirationNotificationDays defines the number of days before the password expires that the user will be notified (relevant only for CyberArk authentication). To cancel this notification, specify -1.



A Potentially Dangerous Value was Detected

I got this error message today during adding a safe into CyberArk through PVWA. 

It was caused by the special character enter in the safe description. There was an email address with right angle bracket and left angle bracket. Once I removed right and left angle bracket, this error went away.




Limit Platforms to Specific Safes






6 comments:

  1. Very nice material, thank you netsec

    ReplyDelete
  2. How can I add a hyperlink on the PVWA page?

    ReplyDelete
  3. Hi! Nice page with lots of tips!

    I'm facig the problem "Change Windows Local Admin Account Denied", but the solution recommended didn't work for me.

    The "User Account Control: Run all administrators in Admin Approval Mode".

    Any other ideas?

    ReplyDelete
  4. Y R Brilliant


    help me in this TATS527E User or Group pvwaappuser has not been defined

    ReplyDelete
  5. The administrator migrated a domain account in Active Directory from one OU to another OU.
    Now the user cannot connect to the PVWA web console.
    Was \_Users\Contractors\Migration
    Became \_Users\Contractors\people

    User gets an error when connecting
    ITATS350E Location is already defined.

    Logs PVWA:
    4 Running PASVC [PASVCFullImpersonateEx] (control socket [0]) data socket [0], IP [10.7.33.252] (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,297 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Done PASVC [PASVCFullImpersonateEx] Rc = -1 (Duration=148 ms). (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 ERROR [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 ITATS350E Location \_Users\Contractors\people is already defined. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 ERROR [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 ITATS350E Location \_Users\Contractors\people is already defined. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Cannot logon to Master (Active-Passive) Vault. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Casos Session Request[LogonAs] ended. [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 CASW084D Error in DoLogonAs. Error [ITATS350E Location is already defined.] []
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Casos SessionFactory Request: DeleteSession [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Session ended 0. (Vault [CAMainVault] user [[email protected]]) [Casos]

    The user's account is in \, not in a specific OU in Vault. If you manually create an account in that ou, then the user connects. Is it possible to somehow fix or replace it with the mapping user, otherwise the Vault user is created

    Please help either how to fix the account in Vault or how to fix this error

    ReplyDelete
  6. The administrator migrated a domain account in Active Directory from one OU to another OU.
    Now the user cannot connect to the PVWA web console.
    Was \_Users\Contractors\Migration
    Became \_Users\Contractors\people

    User gets an error when connecting
    ITATS350E Location is already defined.

    Logs PVWA:
    4 Running PASVC [PASVCFullImpersonateEx] (control socket [0]) data socket [0], IP [10.7.33.252] (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,297 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Done PASVC [PASVCFullImpersonateEx] Rc = -1 (Duration=148 ms). (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 ERROR [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 ITATS350E Location \_Users\Contractors\people is already defined. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 ERROR [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 ITATS350E Location \_Users\Contractors\people is already defined. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Cannot logon to Master (Active-Passive) Vault. (Vault [CAMainVault] user [[email protected]]) [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Casos Session Request[LogonAs] ended. [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 CASW084D Error in DoLogonAs. Error [ITATS350E Location is already defined.] []
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Casos SessionFactory Request: DeleteSession [Casos]
    2023-02-21 15:46:10,312 DEBUG [34] 473e4589-ccc9-4501-a8f4-0d4da25d3774 Session ended 0. (Vault [CAMainVault] user [[email protected]]) [Casos]

    The user's account is in \, not in a specific OU in Vault. If you manually create an account in that ou, then the user connects. Is it possible to somehow fix or replace it with the mapping user, otherwise the Vault user is created

    Please help either how to fix the account in Vault or how to fix this error

    ReplyDelete