Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Issue with Onprem windows bootstrap process - Account is not PAM enabled

Nishanth
New Contributor III
New Contributor III

1. windows Master account connected created - tested the master credential directly by taking RDP to machine - password is fine.

2. All perquisites are complted in the target machine as per windows connector document in freshdesk.

Below is the issue:

We configured all perquisites,  After we ran the onprem discovery job we see the connection for windows got created and new security system and endpoint created and priv. accounts which we mentioned in the onprem connection > PAM_config are become firefighterID but when we check those account under the account config those accounts are not PAM enabled. And we checked the pending task it seems like password change tasks are pending and in logs it shows like authorization error, so it seems like master password was changed by CPAM during the process, to confirm that we tried to login to windows machine using the master account with old password it shows incorrect password.   

to troubleshoot  this further we disconnected the pending tasks, and we tried to set "changeConnectionCredentials": false,  in PAM_config and ran the bootstrap job, this time still the priv. accounts are not PAM enabled, when we checking the pending task, those accounts are strcuk in the password change task, but it not moved to comleted state, but when we check the test connection to the windows it was successfull... 

Could you pls some one help to fix this issue?

 

 

 

11 REPLIES 11

NageshK
Saviynt Employee
Saviynt Employee

@Nishanth Thanks for posting your issue. Based on the logs attached, it appears "save and test" on your specific windows connection has failed. However, you mentioned that the connection test is successful. Please clarify which connection is succeeding. And does your windows master connection and the specific windows connection have the same ips in them?

Thanks,

Nagesh K

Saathvik
All-Star
All-Star

Do you see change password task created for Master account? if so is it successful? I assume it is also in failed state?

We had similar issue in older version as part of bootstrap it tries to rotate master account but it marks as failure and we got same error message. On troubleshooting we realized that on target it use to update the password with new credentials but somehow it gets unsuccessful response and hence it won't mark the task as complete as a result it won't store the new credentials it tried to set in to Saviynt.

Because of this subsequent actions use to fail. And this use to happen only for Windows machines.

Looks like you are also falling in to same trap based on issue description and logs. 

In case if you master account credential rotation is successful then your issue might be different.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Nishanth
New Contributor III
New Contributor III

Master account password change task also in pending state.

Nishanth
New Contributor III
New Contributor III

But when we try login with old password directly to windows via rdp it's not working.. So it's changing the master account password but it's not updating it in cpam? We are using v23. 3... How we can fix this issue? 

Yes it will change the password on target but somehow it gets unsuccess response or it treats this is as failure for some reason and won't update it in Saviynt. But in that scenario you will see master account change password task in failed state. Is it in failed state in your case as well for master account?

I thought it is fixed in latest version. But not sure. Only way to fix is to reset the master account  credentials on that particular target and update the connection with latest credentials and try again


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Never mind I saw your post confirming that master account password task is also in pending state. So mostly likely you are facing the same issue I reported. Also I would suggest to open an FD ticket so that support can take a look in to it deeper and if necessary they will open a JIRA if they identifies this as bug


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

NageshK
Saviynt Employee
Saviynt Employee

@Saathvik we have not seen the issue you described in versions later than 2020.1.0

@Nishanth please confirm which connection's "save and test" worked fine after the bootstrap. Also, do you see two change pwd tasks created for the master account where one is successful and other failed? And finally, are the IPs mentioned in your master windows connection and the individual windows connection the same?

Thanks

Nagesh K

@NageshK : Thanks for confirming


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Nishanth
New Contributor III
New Contributor III

Hi Nagesh, I added two methods that we tried, when we trying for the second  time set "changeConnectionCredentials": false,  in PAM_config and ran the bootstrap job, at the time we tested the connection with actual IP, that was successfull.

This issue was fixed currently after raising support ticket, problem is change password task was missing from Task Execution Hierarchy > as suggested by the support engineer we tried to remove all the existing task from Task Execution Hierarchy and did blank save, after that we see Tasktype_Default.label was added by saviynt itself, after that the password change issue was fixed.

@Nishanth : Thanks for providing the update. But still I don't understand why your connection is getting failed even though change password task is in pending state for master account. Anyway as long as you are able to fix that's good.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

NageshK
Saviynt Employee
Saviynt Employee

@Nishanth Thanks for the update. Yes, task execution hierarchy should be left blank so that all tasks will be considered for execution