04/13/2023 09:40 PM
Hi -
Trying to get change password functionality working for existing Active Directory accounts. I have configured RESETANDCHANGEPASSWRDJSON as follows:
{
  "RESET": {
    "pwdLastSet": "-1",
    "lockoutTime": 0,
    "title": "password reset",
    "pwdReset": "true",
    "UnicodePwd": "${account_password}"
  },
  "CHANGE": {
    "pwdLastSet": "-1",
    "lockoutTime": 0,
    "title": "password changed",
    "pwdReset": "true",
    "UnicodePwd": "${account_password}"
  }
}
I'm able to generate the task and it "completes" successfully. I am able to confirm via email that Saviynt is generating a password, but the account password in AD is never updated. There is no error in provisioning. Here is an excerpt of the logs, and I did notice something strange. It mentions on the task that the endpoint has rotateKey disabled, hence skipping rotate password. However, that is referring to a CPAM config. This function is not CPAM related at all; this is just a regular user account in AD. Any ideas? See log below:
082 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - taskList: [com.saviynt.ecm.task.ArsTasks : 230792]
086 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - task: ACCOUNTNAMEREMOVED
087 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - in if
090 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - objct found = null
171 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - inserted 1 record in P_History table
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - accounts total records get - 3 and totalLastPassword = 2
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - deleting entries more than the lastpassword value
175 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - deleting phistory entry with id - 57
179 [quartzScheduler_Worker-5] DEBUG utility.P_ManagementService - exit executeP_History
187 [quartzScheduler_Worker-5] DEBUG services.ArsTaskHelperService - Validating tasks for Securitysystem - Active_Directory_Test
188 [quartzScheduler_Worker-5] DEBUG services.ArsTaskHelperService - accountName = ACCOUNTNAMEREMOVED
199 [quartzScheduler_Worker-5] DEBUG pam.PamService - inside convertJsonStringToMap
199 [quartzScheduler_Worker-5] DEBUG pam.PamService - rotateKey - false
202 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Inside updateProvisioningTries..
208 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Enter completePasswordTasks
214 [quartzScheduler_Worker-5] DEBUG pam.PamService - inside convertJsonStringToMap
214 [quartzScheduler_Worker-5] DEBUG pam.PamService - rotateKey - false
223 [quartzScheduler_Worker-5] DEBUG pam.PamService - inside convertJsonStringToMap
223 [quartzScheduler_Worker-5] DEBUG pam.PamService - Error while converting JsonStringToMap
223 [quartzScheduler_Worker-5] DEBUG pam.PamService - Account PAM Type : null
224 [quartzScheduler_Worker-5] DEBUG services.ExternalConnectionService - credentialChangeConfig NOT found in connection : Active_Directory_Test
227 [quartzScheduler_Worker-5] DEBUG pam.PamService - hasPAMEndpointAssociation - false
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Going to complete Task
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Completing task 230792
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - updateDate 2023-04-14 03:46:47.0
229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Endpoint Active_Directory_Test has rotateKey disabled hence skipping rotate password.
238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - updateDate after updation of task Fri Apr 14 03:47:39 UTC 2023
238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Exit completePasswordTasks
240 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Config for ARSTASKCOMPNEWPWDcom.saviynt.ecm.utility.domain.EcmConfig : ARSTASKCOMPNEWPWD
241 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Task Complete Email Template For New Account Password = null
241 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - start converting accTasksMap to endpointaccTasksMap
243 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - finished converting accTasksMap to endpointaccTasksMap
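A log check for the symptom described in this thread, as an added example (not Saviynt code and not part of the original posts): inside a "completePasswordTasks" block it pairs each "Completing task" line with a "rotateKey disabled hence skipping rotate password" line on the same worker thread, so password tasks that were marked complete this way can be reviewed. The sample lines are constructed from the excerpt above; Worker-7 and task 999001 are invented.

```python
import re

# Line shape from the excerpt: "<ms> [<thread>] <LEVEL> <logger> - <message>",
# optionally followed by export residue (a literal \n, a quote and a pipe).
LINE_RE = re.compile(r'^\s*\d+ \[([^\]]+)\] \w+ \S+ - (.*?)(?:\\n")?\s*\|?\s*$')
TASK_RE = re.compile(r"Completing task (\d+)")
SKIP_RE = re.compile(r"Endpoint (\S+) has rotateKey disabled hence skipping rotate password")
ENTER, EXIT = "Enter completePasswordTasks", "Exit completePasswordTasks"


def find_skipped_password_tasks(lines):
    """Return (task_id, endpoint) pairs for tasks completed while rotation was skipped."""
    findings = []
    pending = {}  # worker thread -> task ids seen since "Enter completePasswordTasks"
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.groups()
        if msg == ENTER:
            pending[thread] = []
        elif msg == EXIT:
            pending.pop(thread, None)
        elif thread in pending:
            task, skip = TASK_RE.search(msg), SKIP_RE.search(msg)
            if task:
                pending[thread].append(task.group(1))
            elif skip:
                findings.extend((tid, skip.group(1)) for tid in pending[thread])
                pending[thread] = []
    return findings


# Constructed sample: Worker-5 mirrors the excerpt in the post, Worker-7 is invented
# to show a password task that completes without the skip message.
SAMPLE = [
    r'208 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Enter completePasswordTasks\n" |',
    r'229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Completing task 230792\n" |',
    r'230 [quartzScheduler_Worker-7] DEBUG services.ArsTaskService - Enter completePasswordTasks',
    r'231 [quartzScheduler_Worker-7] DEBUG services.ArsTaskService - Completing task 999001',
    r'229 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Endpoint Active_Directory_Test has rotateKey disabled hence skipping rotate password.\n" |',
    r'238 [quartzScheduler_Worker-5] DEBUG services.ArsTaskService - Exit completePasswordTasks\n" |',
    r'240 [quartzScheduler_Worker-7] DEBUG services.ArsTaskService - Exit completePasswordTasks',
]

if __name__ == "__main__":
    for task_id, endpoint in find_skipped_password_tasks(SAMPLE):
        print(f"task {task_id}: completed, but rotation skipped on {endpoint}")
```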
04/14/2023 01:47 PM
@BrandonLucas_BF we are analyzing this question and will provide a response shortly.
04/17/2023 06:08 AM
Hi, providing an update. I did further testing and discovered that there is in fact some kind of connection to CPAM functionality.
I discovered on the endpoint in question (AD) that under PAM Attributes, PAM Enabled was set to OFF. However, there was a configuration value in place that included "rotateKey":"false".
I changed the PAM Attributes configuration field to the following:
{"maxSessionWarnPeriodInSec":null,"maxReqExpWarnPeriodInSec":null,"maxSessionLimitInSec":null,"maxConcurrentSession":"50","maxInActiveTimeInSec":null,"maxInActiveWarnPeriodInSec":null}
I also made the endpoint PAM Enabled. This allowed the testing to progress further, but revealed I had some issues with the RESETANDCHANGEPASSWRDJSON. I adjusted that to the following: