Saviynt Forums

gazanjum · ‎11/03/2023

Hi All,

I have configured the periodic password rotation for our AzureAD Endpoint. Below are the steps that I followed:

1. JAR uploaded

2.secret retrieved and uploaded to File Directory-->Datafiles

3.created a Run Time Analytics specifically for our endpoint and credential-less account:

SELECT ac.ACCOUNTKEY AS 'AK', ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName', IF( ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF( CURDATE(), DATE(ac.CREATED_ON) ), DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE) ) ) AS 'Total_No_DaysLastRotation', IF( INSTR( ec.credentialchangeconfig, ac.ACCOUNTKEY ) > 0, 'Master', 'Shareable' ) AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY = 1 AND ac.status IN (1, 'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL ) AND ( ( ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account' ) AND ac.ACCOUNTCONFIG LIKE '%pamState":"ENABLED","pamType":"CREDENTIALLESS%' ) INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = 1 AND epp.PAM_STATE = 'ENABLED' INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey;

4.Change the 'Expire In' field in Password Policy to 1 Day

4.created an INVOKEJAR job and added the arguments. The argument had the name of the Analytics created in previous step. {"applicationurl":"https://URL/","passwordrotation_analyticcontrol":"AzureADMember_Credential-less","filepath":"/saviynt_shared/saviynt/Import/Datafiles/XYZ_CipherDataFile.csv","managePlatformServiceAccount":"true"}

5.scheduled the job

Issue: Even if the job is successfully running, the password is not getting rotated for credential-less accounts. I checked the same in Total_No_DaysLastRotation, and there is no change.

This was last tested in Dev environment in Jan 2023 and seemed to be working fine for version 2021. Could you please help here.

NageshK · ‎11/06/2023

@gazanjum Thanks for posting your question. Here are few things to check:

When you execute your analytic query what is the output you see?
Does the password policy associated to the endpoint have regex defined?
Please capture logs from jobs service when you triggered the job and share them

Thanks

Nagesh K

gazanjum · ‎11/07/2023

HI Nagesh,

When you execute your analytic query what is the output you see?

SELECT ac.ACCOUNTKEY AS 'AK', ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName', IF( ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF( CURDATE(), DATE(ac.CREATED_ON) ), DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE) ) ) AS 'Total_No_DaysLastRotation', IF( INSTR( ec.credentialchangeconfig, ac.ACCOUNTKEY ) > 0, 'Master', 'Shareable' ) AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY = 1 AND ac.status IN (1, 'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL ) AND ( ( ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account' ) AND ac.ACCOUNTCONFIG LIKE '%pamState":"ENABLED","pamType":"CREDENTIALLESS%' ) INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = 1 AND epp.PAM_STATE = 'ENABLED' INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey;

When I run the above analytics, it shows the credential-less accounts id, name, endpointname, systemname, expire in, Total_No_DaysLastRotation, credentialtype and platform

2. Does the password policy associated to the endpoint have regex defined?Yes, the regex has, the characters and the max and min length.

3.Please capture logs from jobs service when you triggered the job and share them

Are you referring to the job history:

Regards

Gazala

NageshK · ‎11/08/2023

@gazanjum Thanks for sharing the details. I was actually asking for the output of the analytic control execution. When the control gets executed, do you see any records showing up? If yes, please share that output.

For capturing the logs, please see the "using advanced logging" section of this article. This was discussed in the enablement sessions too.

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter07-General-Administrator/Man...

Thanks

Nagesh K

gazanjum · ‎11/09/2023

HI Nagesh,

I do not think that when the job runs it is executing the Analytics query as there is no action that happens.

I might have misunderstood when you mentioned output, will share the logs.

Regards

Gazala

gazanjum · ‎11/13/2023

Hi Nagesh,

Please find the attached screenshot of the logs.

Regards

Gazala

gazanjum · ‎11/16/2023

@NageshK Could you please help here.

Regards

Gazala

gazanjum · ‎11/21/2023

@NageshK Could you please help here.

Regards

Gazala

Saviynt Forums

Issue with Periodic Password Rotation - Password not getting rotated for credential-less accounts