Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

On-Prem Windows master account password change

Pooja
New Contributor II
New Contributor II

‎07/14/2023 12:04 AM - edited ‎07/14/2023 12:06 AM

Hi all,

During bootstrap process master account password changed first time so, Is that possible to schedule change password for master accounts on periodic basis? If so can you please let me know the process.

Labels:
0 Kudos
16 REPLIES 16

vikasjv
Saviynt Employee
Saviynt Employee

‎07/17/2023 03:38 AM - edited ‎07/19/2023 03:19 AM

Hi @Pooja,
Thanks for posting your question.
Yes we can rotate the master account password periodically.
Please refer to the below article for the same.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/G-Password-Management/Period...


Regards,
Vikas J V

If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

0 Kudos

Pooja
New Contributor II
New Contributor II
In response to vikasjv

‎07/24/2023 03:03 AM

Hi 

we have tried to run analytics(PAMEnabledAndPlatformServiceAccount) but it's not showing any master account from the connector instead it shows only firefighter ID which is credential and credential-less, the accounts we configured.

Can you please help how to make master account to be eligible for password rotation?.

0 Kudos

vikasjv
Saviynt Employee
Saviynt Employee
In response to Pooja

‎07/24/2023 03:10 AM

Hi @Pooja ,


Please make sure that "changeConnectionCredentials": true in the Pam config and then configure the periodic password rotation jar and then it will rotate.
Please refer below article for the same.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/G-Password-Management/Period...


Regards,
Vikas J V

If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

0 Kudos

Pooja
New Contributor II
New Contributor II
In response to vikasjv

‎07/24/2023 05:03 AM - edited ‎07/24/2023 05:17 AM

Hi @vikasjv 

Yes we have changeConnectionCredentials": true in the Pam config and during the intial bootstrap the password is changing - we see the password change task was generated and completed.

We have uploaded the Jar and made the required config of Password rotaion Job but the problem is that the after running the job the job was successfull but the password rotation task is not generating for both master account as well as shared accounts.

And when we tried to run the analytics PAMEnabledAndPlatformServiceAccount we are able to see only the shared (firefighterID) not any master account.

Also in the connection Enable_Service_Account_Management was set to TRUE

 

0 Kudos

anitha_swapna
Saviynt Employee
Saviynt Employee

‎07/17/2023 07:15 AM - edited ‎07/17/2023 07:36 AM

Hi @Pooja , 

Thanks for reaching out. You may also refer to the following article in documentation portal with all the steps involved regarding Configuring PAM for On-Premises - Configuring PAM for On-Premises Workloads (saviyntcloud.com)

Regards,

Anitha.

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎07/24/2023 07:46 AM

@Pooja Has the out of the box control PAMEnabledAndPlatformServiceAccount been modified in any way in your environment? Also, when you execute the control, do you see any row where the credentialType value is shown as 'Master'? 

Also, please note the "Total_No_DaysLastRotation" and "expire after" values. Change password task will get triggered only for the accounts where "Total_No_DaysLastRotation" is greater than "expire after". 

Finally, please share the query you have in the control PAMEnabledAndPlatformServiceAccount

Thanks,

Nagesh K

0 Kudos

Pooja
New Contributor II
New Contributor II

‎07/24/2023 10:44 AM - edited ‎07/24/2023 10:46 AM

Hi @NageshK   Thanks for your response, Out of the box control was not modified, and when i execute the control i don't see any value credentialtype as master. only sharable accounts are showing.

 

SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME,ac.accounttype AS accounttype,ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName', IF(ac.LASTPASSWORDCHANGE IS NULL , DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY=ep.ENDPOINTKEY AND ac.status IN (1,'Manually Provisioned') AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL) AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account') AND ac.ACCOUNTCONFIG LIKE '%ENABLED%') INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED' AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey UNION SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid',ac.NAME AS NAME,ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName',ss.SYSTEMNAME AS 'SystemName',IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY=ep.ENDPOINTKEY inner join account_attributes accatt on accatt.ACCOUNTKEY = ac.ACCOUNTKEY and accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE' AND ac.status IN (1,2,'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL ) AND ac.accounttype = 'Platform Service Account' AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local')) INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED' AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey UNION SELECT distinct ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid',ac.NAME AS NAME,ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName',ss.SYSTEMNAME AS 'SystemName', IF(ac.LASTPASSWORDCHANGE IS NULL , DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER,epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY' INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey WHERE ac.status IN (1,'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG is NULL ) AND ( ac.accounttype = 'Platform Service Account' OR ac.ACCOUNTCONFIG LIKE '%ENABLED%' );

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎07/24/2023 03:26 PM

@Pooja Thanks for sharing the query. Yes, this is not bringing in the master accounts. We may probably have to use another analytic control for handling master accounts. I will get back with an appropriate query for that. 

Thanks,

Nagesh K

0 Kudos

Pooja
New Contributor II
New Contributor II

‎07/27/2023 05:17 AM

Hi @NageshK we tried to modify the query and getting this error, so we tried to duplicate the PAMEnabledAndPlatformServiceAccount and changed the name in the new query and used the existing one from PAMEnabledAndPlatformServiceAccount still getting same issue, but we are not able to see this in our POC env, can you pls help with this 

 

Pooja_0-1690460118916.png

 

0 Kudos

Pooja
New Contributor II
New Contributor II

‎07/27/2023 06:03 AM - edited ‎07/27/2023 06:23 AM

In POC env (2022.0) we see options version 1 and version 2 , so we where able to create it under version 1.  in version 23.7 we are not able to see this option and also getting above error, we also have enabled allow v1 based runtime controls enabled in global config . can you pls help to how to create this.  

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎07/27/2023 06:57 AM

@Pooja I'm not able to replicate this issue. Do you have an escape character (\) before the $ in your query like below?

epp.PAMCONFIG ->> '\$.rotateKey' != 'false' 

Thanks,

Nagesh K

0 Kudos

Nishanth
New Contributor III
New Contributor III

‎07/27/2023 07:12 AM

@NageshK  As discussed, the preview was working fine, but while creating the analytics we are gettign this error, same issue even with the ootb query.

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎08/01/2023 03:28 PM

@Nishanth Have you opened FD ticket as discussed? This is a bug. 

Thanks

Nagesh K

0 Kudos

Nishanth
New Contributor III
New Contributor III

‎08/07/2023 09:22 PM

we are able to create the analytics after replacing epp.PAMCONFIG ->> '\$.rotateKey' != 'false'  with epp.PAMCONFIG NOT LIKE '%rotateKey%false'   

0 Kudos

Nishanth
New Contributor III
New Contributor III

‎08/07/2023 09:27 PM

@NageshK  password rotation is not working, job was success and its not creating any task to change the password, and in log we see its executing password rotation job and without rotating the password of due accounts.

0 Kudos

02930232
New Contributor
New Contributor

‎12/11/2023 01:38 AM

SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME,ac.accounttype AS accounttype,ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName', IF(ac.LASTPASSWORDCHANGE IS NULL , DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY=ep.ENDPOINTKEY AND ac.status IN (1,'Manually Provisioned') AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL) AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account')) INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED' AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG like '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey UNION SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid',ac.NAME AS NAME,ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName',ss.SYSTEMNAME AS 'SystemName',IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN endpoints ep ON ac.ENDPOINTKEY=ep.ENDPOINTKEY inner join account_attributes accatt on accatt.ACCOUNTKEY = ac.ACCOUNTKEY and accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE' AND ac.status IN (1,2,'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL ) AND ac.accounttype in ('Platform Service Account','Service Account','FIREFIGHTERID') AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local')) INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND epp.PAM_STATE = 'ENABLED' AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG LIKE '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey UNION SELECT distinct ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid',ac.NAME AS NAME,ac.accounttype AS accounttype, ep.ENDPOINTNAME AS 'EndpointName',ss.SYSTEMNAME AS 'SystemName', IF(ac.LASTPASSWORDCHANGE IS NULL , DATEDIFF( CURDATE(), DATE(ac.CREATED_ON)),DATEDIFF( CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation', IF(INSTR(ec.credentialchangeconfig,ac.ACCOUNTKEY) > 0 ,'Master','Shareable') AS 'CredentialType', pr.EXPIREAFTER,epp.PLATFORM_TYPE AS 'PLATFORM' FROM accounts ac INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY' INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY=ep.ENDPOINTKEY AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG LIKE '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%')) INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY=ss.POLICYRULESERVICEACCOUNT INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey WHERE ac.status IN (1,'Manually Provisioned') AND ( ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG is NULL ) AND ( ac.accounttype in ('Platform Service Account','Service Account','FIREFIGHTERID'));

0 Kudos
Copyright © 2024 Khoros, LLC