11/03/2023 05:02 AM
Hi All,
I have configured the periodic password rotation for our AzureAD Endpoint. Below are the steps that I followed:
1. JAR uploaded
2. Secret retrieved and uploaded to File Directory --> Datafiles
3. Created a Run Time Analytics specifically for our endpoint and credential-less accounts:
SELECT
  ac.ACCOUNTKEY AS 'AK',
  ac.accountid AS 'accountid',
  ac.NAME AS NAME,
  ac.accounttype AS accounttype,
  ep.ENDPOINTNAME AS 'EndpointName',
  ss.SYSTEMNAME AS 'SystemName',
  -- days since the last rotation; falls back to the creation date when never rotated
  IF(ac.LASTPASSWORDCHANGE IS NULL,
     DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)),
     DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
  -- an account key listed in the connection's credentialchangeconfig is the Master credential
  IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
  pr.EXPIREAFTER,
  epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
  -- endpoint key 1 is the AzureAD endpoint this analytic is scoped to
  INNER JOIN endpoints ep
    ON ep.ENDPOINTKEY = ac.ENDPOINTKEY
   AND ac.ENDPOINTKEY = 1
   AND ac.status IN (1, 'Manually Provisioned')
   AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
   AND ac.accounttype IS NOT NULL AND ac.accounttype != ''
   AND ac.accounttype != 'Platform Service Account'
   AND ac.ACCOUNTCONFIG LIKE '%pamState":"ENABLED","pamType":"CREDENTIALLESS%'
  INNER JOIN endpoints_properties AS epp
    ON epp.ENDPOINTKEY = ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED'
  INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
  INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
  INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey;
4. Changed the 'Expire In' field in the Password Policy to 1 day
5. Created an INVOKEJAR job and added the arguments. The argument had the name of the Analytics created in the previous step:
{"applicationurl":"https://URL/","passwordrotation_analyticcontrol":"AzureADMember_Credential-less","filepath":"/saviynt_shared/saviynt/Import/Datafiles/XYZ_CipherDataFile.csv","managePlatformServiceAccount":"true"}
6. Scheduled the job
Issue: Even though the job runs successfully, the password is not getting rotated for the credential-less accounts. I checked the same in Total_No_DaysLastRotation, and there is no change.
This was last tested in the Dev environment in Jan 2023 and seemed to be working fine for version 2021. Could you please help here?
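As an added check (not part of the original post or of Saviynt's product), this Python snippet applies the analytic's row filters and derived columns to constructed account rows, so you can see which accounts the control would return and why the others drop out, including configs whose pamState/pamType keys are in a different order than the LIKE pattern expects. Column names follow the query above; the sample rows, the endpoint/connection values and the comparison against EXPIREAFTER are assumptions.

```python
from datetime import date

# Constructed sample rows (not Saviynt data), shaped like the columns the analytic reads.
SAMPLE_ACCOUNTS = [
    {"ACCOUNTKEY": 101, "NAME": "svc-a", "ENDPOINTKEY": 1, "status": "1",
     "accounttype": "Service Account", "CREATED_ON": "2023-01-10", "LASTPASSWORDCHANGE": None,
     "ACCOUNTCONFIG": '{"pamState":"ENABLED","pamType":"CREDENTIALLESS"}'},
    {"ACCOUNTKEY": 102, "NAME": "svc-b", "ENDPOINTKEY": 1, "status": "1",
     "accounttype": "Platform Service Account", "CREATED_ON": "2023-01-10",
     "LASTPASSWORDCHANGE": "2023-11-01",
     "ACCOUNTCONFIG": '{"pamState":"ENABLED","pamType":"CREDENTIALLESS"}'},
    # Credential-less too, but the keys are in the other order, so the LIKE substring test misses it.
    {"ACCOUNTKEY": 103, "NAME": "svc-c", "ENDPOINTKEY": 1, "status": "1",
     "accounttype": "Service Account", "CREATED_ON": "2023-01-10",
     "LASTPASSWORDCHANGE": "2023-11-01",
     "ACCOUNTCONFIG": '{"pamType":"CREDENTIALLESS","pamState":"ENABLED"}'},
]
ENDPOINT_PAM_STATE = {1: "ENABLED"}  # endpoints_properties.PAM_STATE by endpoint key (assumed)
CREDENTIALCHANGECONFIG = "[101]"     # externalconnection.credentialchangeconfig (assumed)
EXPIREAFTER = 1                      # policyrule.EXPIREAFTER ('Expire In' set to 1 day)
PAM_PATTERN = 'pamState":"ENABLED","pamType":"CREDENTIALLESS'  # body of the LIKE pattern

def exclusion_reasons(acc, endpoint_key=1):
    """Filters of the analytic that this account fails (empty list = row is returned)."""
    cfg = acc.get("ACCOUNTCONFIG") or ""
    reasons = []
    if acc["ENDPOINTKEY"] != endpoint_key or ENDPOINT_PAM_STATE.get(endpoint_key) != "ENABLED":
        reasons.append("endpoint key / PAM_STATE")
    if str(acc["status"]) not in ("1", "Manually Provisioned"):
        reasons.append("status")
    if '"justInTime":"true"' in cfg:
        reasons.append("just-in-time account")
    if not acc.get("accounttype") or acc["accounttype"] == "Platform Service Account":
        reasons.append("accounttype")
    if PAM_PATTERN not in cfg:  # same substring test as the LIKE clause, order-sensitive
        reasons.append("pamState/pamType substring not found")
    return reasons

def rotation_candidates(accounts, today_iso):
    """Rows the analytic would return on the given date, with the columns it derives."""
    today, rows = date.fromisoformat(today_iso), {}
    for acc in accounts:
        if exclusion_reasons(acc):
            continue
        last = acc["LASTPASSWORDCHANGE"] or acc["CREATED_ON"]  # IF(LASTPASSWORDCHANGE IS NULL, ...)
        days = (today - date.fromisoformat(last)).days          # DATEDIFF(CURDATE(), DATE(...))
        cred = "Master" if str(acc["ACCOUNTKEY"]) in CREDENTIALCHANGECONFIG else "Shareable"
        # Assumption: the rotation job acts once the age reaches EXPIREAFTER days.
        rows[acc["NAME"]] = {"days": days, "CredentialType": cred, "due": days >= EXPIREAFTER}
    return rows
```

Running `exclusion_reasons` over the real rows (exported from the accounts table) is a quick way to tell whether an empty control output comes from the status, account type, or pamState/pamType filters.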
11/06/2023 06:48 AM
@gazanjum Thanks for posting your question. Here are a few things to check:
Thanks
Nagesh K
11/07/2023 07:36 AM
Hi Nagesh,
SELECT
  ac.ACCOUNTKEY AS 'AK',
  ac.accountid AS 'accountid',
  ac.NAME AS NAME,
  ac.accounttype AS accounttype,
  ep.ENDPOINTNAME AS 'EndpointName',
  ss.SYSTEMNAME AS 'SystemName',
  -- days since the last rotation; falls back to the creation date when never rotated
  IF(ac.LASTPASSWORDCHANGE IS NULL,
     DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)),
     DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
  -- an account key listed in the connection's credentialchangeconfig is the Master credential
  IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
  pr.EXPIREAFTER,
  epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
  -- endpoint key 1 is the AzureAD endpoint this analytic is scoped to
  INNER JOIN endpoints ep
    ON ep.ENDPOINTKEY = ac.ENDPOINTKEY
   AND ac.ENDPOINTKEY = 1
   AND ac.status IN (1, 'Manually Provisioned')
   AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
   AND ac.accounttype IS NOT NULL AND ac.accounttype != ''
   AND ac.accounttype != 'Platform Service Account'
   AND ac.ACCOUNTCONFIG LIKE '%pamState":"ENABLED","pamType":"CREDENTIALLESS%'
  INNER JOIN endpoints_properties AS epp
    ON epp.ENDPOINTKEY = ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED'
  INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
  INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
  INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey;
When I run the above analytics, it shows the credential-less accounts' id, name, endpointname, systemname, expire in, Total_No_DaysLastRotation, credentialtype and platform.
2. Does the password policy associated with the endpoint have a regex defined? Yes, the regex has the characters and the max and min length.
3. Please capture logs from the jobs service when you trigger the job and share them.
Are you referring to the job history?
Regards
Gazala
11/08/2023 01:21 PM
@gazanjum Thanks for sharing the details. I was actually asking for the output of the analytic control execution. When the control gets executed, do you see any records showing up? If yes, please share that output.
For capturing the logs, please see the "using advanced logging" section of this article. This was discussed in the enablement sessions too.
https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter07-General-Administrator/Man...
Thanks
Nagesh K
11/09/2023 10:18 PM
Hi Nagesh,
I do not think that the Analytics query is executed when the job runs, as no action happens.
I might have misunderstood when you mentioned the output; I will share the logs.
Regards
Gazala
11/13/2023 04:51 AM - edited 11/13/2023 04:52 AM
Hi Nagesh,
Please find the attached screenshot of the logs.
Regards
Gazala
11/16/2023 06:20 AM
11/21/2023 10:40 AM