Latest Posts

CyberArk PAS Solution Issues and Troubleshooting (PVWA, PSM, CPM)

This is my CyberArk learning post to record those issues I met during working on CyberArk PAS (Privileged Account Security) Solutions which including following modules:

  • PVWA (Password Vault Web Access)
  • PSM (Privileged Session Manager)
  • CPM (Central Policy Manager)

Some of them can be easily fixed by changing group policy. Some of them are relating RDS license.

Issue: This app has been blocked 

1. Using PSM SSH to connect to Remote Site but got an error

Issue: Network Level Authentication Disabled

2. NLA Enabled on PSM servers

You can use domain group policy to fix this.

Issue: RDS Installation - Collection Role failed to create

When install RDS role on PSM server, you might meet RDS Collection Role Creation Failed error.

Group Policy related. Move PSM servers out of regular Domain OU to a new OU without any group policy on it except default domain group policy.

Issue: Remote Desktop Licensing mode is not configured

RDS License issue
Remote Desktop Licensing mode is not configured. Remote Desktop Services will stop working in 123 days. On the RD Connection Broker server, use Server Manager to specify the Remote Desktop Server.

You will need to add license before it is expired.

Issue: SSH through PSM failed

Trying to a remote ssh through PSM, but got following failed message. RDP to same network's server was fine.

Cause and Solution:
It has been caused by global policy removed PSMShadowusers access locally.

Issue: RDP Remote through PSM failed using local admin account

Trying to log in remote server through PSM using local admin account, failed with following error.

It is network connectivity issue between PSM and Remote Destination. If you met this error, try to RDP directly from PSM server to see if you will meet this issue or not.

Issue: CyberArk System Health Dashboard 

It is relating to DR replication error. here is log found from active Vault server. Log can be found from this file: C:\Program Files (x86)\PrivateArk\Server\Logs\italog.log

Note: Server is PVWA

Issue can be fixed based on CyberArk Article:
PVWA – How to create / update credential files for PVWA manually?

for problem psm server:

  • check username in psmapp.cred and psmgw.cred 
  • use command at problem psm server to change password
  • update users' password in the vault

same process for pvwa server users.

  • check appuser.ini and gwuser.ini under folder : C:\CyberArk\Password Vault Web Access\CredFiles
  • You will find user name in those two files.
  • use command at problem pvwa server to change password
  • update users' password in the vault

No comments