CyberArk PAS Configuration Issues and Troubleshooting (CPM)

A collection of some issues I met while working on CPM.
  • Safe not found
  • CPM Password Rotating Policy Not Working
  • CPM Change Password Failed
  • Use Reconcile Account to Change Password

Safe not found

CACPM177E Error while creating extra passwords section -Safe not found

This is usually because no CPM server is assigned to the Safe.

Master Policy Rotating Password Not Working

The Master Policy has "Require password change every X days" set, but the password was not changed automatically. The platform also needs PerformPeriodicChange set to Yes.
The same applies to verification.

Here are some settings for daily rotation at an assigned time:
1. Create an exception on the Master Policy so that the password expires every 2 days, and set HeadStartInterval to 1 day, so CPM can change the password every day.
2. Set PasswordChange -> ExecutionDays -> Sun,Mon,Tue,Wed,Thu,Fri,Sat
3. Set PerformPeriodicChange to Yes
4. Set FromHour to 1 (1:00 AM)
5. Set ToHour to 3 (3:00 AM)
6. Set Interval to 59 minutes ((range in minutes [ToHour-FromHour] / 2) - 1)

Or, based on the KB:
The password should change between the hours of 23:00 and 24:00, daily. The Master Policy "Require password change every X days" is set to 1 day.
1. HeadStartInterval
- This should be less than the ExpirationPeriod / "Require password change every X days". In the example of the password rotating daily, this should be set to 0.
2. PerformPeriodicChange
- This allows the account to be managed by the Master Policy "Require password change every X days". In the example where "Require password change every X days" is set to 1, this should be set to Yes.
3. Interval (the number of minutes that the Central Policy Manager waits between running periodic searches for the platform; the default is 1440 minutes = 24 hours)
- To help the change happen inside the window, we typically recommend using the formula ((window/2)-1). In the example where FromHour=23 and ToHour=24 (a 1-hour window, or 60 minutes), the Interval setting for that policy file should be ((60 minutes/2)-1) = (30-1) = 29. The Interval should be set to 29.
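
As an added example (not from CyberArk or the original post), the Python below checks a platform's settings against the rules above for daily rotation: PerformPeriodicChange, HeadStartInterval versus the expiration period, the ((window/2)-1) Interval formula, and ExecutionDays. The function names and the dict layout are assumptions made for illustration; the keys reuse the setting names from this page.

```python
# Added example: sanity-check CPM periodic-change settings against the rules on this page.
# Function names and the dict layout are hypothetical; keys mirror the page's setting names.
ALL_DAYS = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"}


def recommended_interval(from_hour, to_hour):
    """Interval in minutes from the page's formula: ((window / 2) - 1)."""
    if not (0 <= from_hour < to_hour <= 24):
        raise ValueError("expected 0 <= FromHour < ToHour <= 24")
    window_minutes = (to_hour - from_hour) * 60
    return window_minutes // 2 - 1


def check_rotation_settings(policy_days, platform):
    """Return a list of findings; an empty list means the settings are consistent.

    policy_days: Master Policy "Require password change every X days" (or its exception).
    platform:    dict of platform settings, keyed by the names used on this page.
    """
    findings = []
    if str(platform.get("PerformPeriodicChange", "No")).lower() != "yes":
        findings.append("PerformPeriodicChange is not Yes: the Master Policy "
                        "period will not trigger an automatic change")
    if platform["HeadStartInterval"] >= policy_days:
        findings.append(f"HeadStartInterval must be less than {policy_days} day(s)")
    try:
        want = recommended_interval(platform["FromHour"], platform["ToHour"])
    except ValueError as exc:
        findings.append(f"FromHour/ToHour: {exc}")
    else:
        if platform["Interval"] > want:
            findings.append(f"Interval {platform['Interval']} exceeds "
                            f"recommended {want} for this window")
    missing = ALL_DAYS - set(platform.get("ExecutionDays", ALL_DAYS))
    if missing:
        findings.append("ExecutionDays omits: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the 23:00-24:00 daily window, but Interval left at 1440.
    sample = {"PerformPeriodicChange": "Yes", "HeadStartInterval": 0,
              "FromHour": 23, "ToHour": 24, "Interval": 1440,
              "ExecutionDays": ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]}
    for finding in check_rotation_settings(1, sample):
        print("FINDING:", finding)
```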

CPM Change Password Failed

Failure Description: Error in changepass to user\testAdmin on domain\\51secSRV11).(winRc=2245) The password does not meet the password policy requirements
Check the minimum password length, password complexity and password history requirements.

Group Policy limits the minimum time between password changes to 24 hours.

Use Reconcile Account to Change Password

Is there a way for the CPM password change process to use the reconcile account to change the password?

Answer: Yes, it can. If you are talking about a Windows account, then you need to set the parameter ChangePasswordInResetMode to Yes. I don't think you need to set any parameter for a Linux account.

