
On-Prem Windows PAM Account password Rotation issue

sksuresh2k30
Regular Contributor

Hi Team,

Our customer is experiencing an issue with the rotation of the PAM account password. Although the password rotation job runs properly, the password is not getting rotated. However, we don't see any change password task created after the account expires. Upon reviewing the article, it seems we are also encountering the same problem when running the analytics report, as it is not fetching any data. Could you please suggest a solution for this issue?


Saathvik
All-Star

@sksuresh2k30 : Are you using default analytics or custom analytics to identify password expired accounts? 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi SK,

I'm using the default one below:

SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
    AND ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ((ac.accounttype IS NOT NULL AND ac.accounttype != '' AND ac.accounttype != 'Platform Service Account') AND ac.ACCOUNTCONFIG LIKE '%ENABLED%')
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.ENDPOINTKEY
INNER JOIN account_attributes accatt ON accatt.ACCOUNTKEY = ac.ACCOUNTKEY AND accatt.ATTRIBUTE_NAME = 'PRINCIPALSOURCE'
    AND ac.status IN (1, 2, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND ac.accounttype = 'Platform Service Account'
    AND (((ac.ACCOUNTCONFIG NOT LIKE '%ENABLED%' OR ac.ACCOUNTCONFIG IS NULL) AND accatt.ATTRIBUTE_VALUE = 'ActiveDirectory') OR (accatt.ATTRIBUTE_VALUE = 'Local'))
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND epp.PAM_STATE = 'ENABLED'
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
UNION
SELECT DISTINCT ac.ACCOUNTKEY AS ID, ac.accountid AS 'accountid', ac.NAME AS NAME, ac.accounttype AS accounttype,
       ep.ENDPOINTNAME AS 'EndpointName', ss.SYSTEMNAME AS 'SystemName',
       IF(ac.LASTPASSWORDCHANGE IS NULL, DATEDIFF(CURDATE(), DATE(ac.CREATED_ON)), DATEDIFF(CURDATE(), DATE(ac.LASTPASSWORDCHANGE))) AS 'Total_No_DaysLastRotation',
       IF(INSTR(ec.credentialchangeconfig, ac.ACCOUNTKEY) > 0, 'Master', 'Shareable') AS 'CredentialType',
       pr.EXPIREAFTER, epp.PLATFORM_TYPE AS 'PLATFORM'
FROM accounts ac
INNER JOIN account_attributes acc_attr ON ac.accountkey = acc_attr.accountkey AND acc_attr.attribute_name = 'MEMBER_ENDPOINTKEY'
INNER JOIN endpoints ep ON ac.ENDPOINTKEY = ep.endpointkey
INNER JOIN endpoints_properties AS epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
    AND (epp.PAMCONFIG IS NOT NULL AND (epp.PAMCONFIG ->> '\$.rotateKey' != 'false' OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))
INNER JOIN securitysystems AS ss ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
INNER JOIN policyrule AS pr ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
INNER JOIN externalconnection AS ec ON ss.provisioningconnection = ec.externalconnectionkey
WHERE ac.status IN (1, 'Manually Provisioned')
    AND (ac.accountconfig NOT LIKE '%"justInTime":"true"%' OR ac.ACCOUNTCONFIG IS NULL)
    AND (ac.accounttype = 'Platform Service Account' OR ac.ACCOUNTCONFIG LIKE '%ENABLED%');

@sksuresh2k30 : If this default analytics is not giving any result, then I would assume the respective accounts are not matching the criteria. Did you do basic validations like the ones below?

  1. Endpoints are PAM enabled and status is Active?
  2. Endpoint PAM Config is set for "rotateKey":"false"?
  3. Accounts are PAM enabled (Accountconfig is not null and PAM is enabled) and status is Active?
  4. Account Type is not null and the respective type is associated with the Service Account Type on the Endpoint?
  5. Password Policy is associated, and the accounts you are expecting to be rotated are actually expired?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
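The checklist above can be turned into a per-account diagnostic. The query below is an added example, not Saviynt's default analytics and not code posted by anyone in this thread: it reuses the tables and filters of the first branch of the default analytics (ordinary PAM accounts, not the Platform Service Account branches) but evaluates each criterion as its own column, so for one named account you can see which predicate drops it instead of getting an empty result. Assumptions: the MySQL schema referenced by the analytics (accounts, endpoints, endpoints_properties, securitysystems, policyrule); the account name 'ADUCAdmin01' is a placeholder to replace; the JSON path is written as '$.rotateKey' for running directly in a SQL client rather than the '\$.rotateKey' form used inside the analytics definition; and "expired" is taken to mean more days since the last rotation than the policy's EXPIREAFTER.

```sql
-- Added diagnostic (not Saviynt's analytics): one row per matching account,
-- one column per criterion of the default "password expired accounts" query.
-- Assumed MySQL schema as used by the default analytics; 'ADUCAdmin01' is a placeholder.
SELECT
    ac.ACCOUNTKEY                                                AS accountkey,
    ac.NAME                                                      AS account_name,
    ep.ENDPOINTNAME                                              AS endpoint,
    -- 1. endpoint must be PAM enabled
    (epp.PAM_STATE = 'ENABLED')                                  AS ep_pam_enabled,
    -- 2. rotateKey must not be "false"; an absent key also passes.
    --    ->> yields NULL when the key is missing, which is why the analytics
    --    pairs the != 'false' test with a NOT LIKE '%"rotateKey"%' test.
    (epp.PAMCONFIG IS NOT NULL
       AND (epp.PAMCONFIG ->> '$.rotateKey' != 'false'
            OR epp.PAMCONFIG NOT LIKE '%"rotateKey"%'))         AS rotation_allowed,
    epp.PAMCONFIG ->> '$.rotateKey'                              AS rotatekey_value,
    -- 3. account must be active, PAM enabled and not just-in-time
    (ac.status IN (1, 'Manually Provisioned'))                   AS acc_active,
    (ac.ACCOUNTCONFIG LIKE '%ENABLED%')                          AS acc_pam_enabled,
    (ac.accountconfig NOT LIKE '%"justInTime":"true"%'
       OR ac.ACCOUNTCONFIG IS NULL)                              AS not_jit,
    -- 4. account type must be populated (and not the platform service type)
    (ac.accounttype IS NOT NULL AND ac.accounttype != ''
       AND ac.accounttype != 'Platform Service Account')         AS has_account_type,
    ac.accounttype                                               AS account_type,
    -- 5. a service-account password policy must hang off the security system
    (pr.POLICYRULEKEY IS NOT NULL)                               AS policy_attached,
    pr.EXPIREAFTER                                               AS expire_after_days,
    DATEDIFF(CURDATE(),
             DATE(COALESCE(ac.LASTPASSWORDCHANGE, ac.CREATED_ON))) AS days_since_rotation,
    -- assumption: "expired" = older than EXPIREAFTER days
    (DATEDIFF(CURDATE(),
              DATE(COALESCE(ac.LASTPASSWORDCHANGE, ac.CREATED_ON))) > pr.EXPIREAFTER) AS is_expired
FROM accounts ac
JOIN endpoints ep                  ON ep.ENDPOINTKEY = ac.ENDPOINTKEY
-- LEFT JOINs on purpose: a missing endpoints_properties or policyrule row shows
-- up as NULL columns here instead of silently removing the account, which is
-- what the INNER JOINs in the default analytics do.
LEFT JOIN endpoints_properties epp ON epp.ENDPOINTKEY = ep.ENDPOINTKEY
LEFT JOIN securitysystems ss       ON ss.SYSTEMKEY = ep.SECURITYSYSTEMKEY
LEFT JOIN policyrule pr            ON pr.POLICYRULEKEY = ss.POLICYRULESERVICEACCOUNT
WHERE ac.NAME = 'ADUCAdmin01';
```

Read the row left to right: the first column that is 0 or NULL is the filter that keeps the account out of the default analytics, and therefore the reason no change password task is generated for it. If every flag is 1 and is_expired is 1 but the default analytics still returns nothing, the account is being handled by one of the other two UNION branches, whose filters differ (status 2 allowed, PRINCIPALSOURCE and MEMBER_ENDPOINTKEY attributes required).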

Hi SK,

Thank you for your response. I would like to provide some feedback. The password rotation job appears to be working well. The change password task was created and completed successfully, and it seems that the password has been rotated on Saviynt's side. However, the password is not being provisioned to the target (Windows), and there is an issue with the server connection.

  1. Endpoints are PAM enabled and status is Active? Yes, it's active.
  2. Endpoint PAM Config is set for "rotateKey":"false"? No. Please let me know where I should update it.

{
    "Connection": "AD",
    "encryptionMechanism": "Encrypted",
    "CONSOLE": {
        "shareableAccounts": {
            "IDQueryCredentials": "acc.name in ('NOTINUSE')",
            "IDQueryCredentialless": "acc.name in ('ADUCAdmin01','ADUCAdmin02','ADUCHelpDesk01')"
        },
        "maxCredlessSessionRequestTime": "36000",
        "maxIDRequestableTime": "36000",
        "maxCredSessionRequestTime": "36000",
        "endpointAttributeMappings": [
            {
                "column": "accessquery",
                "value": "where users.USERNAME is not null",
                "feature": "endpointAccessQuery"
            },
            {
                "column": "allowChangePassword_sqlquery",
                "value": "",
                "feature": "allowChangepasswordquery"
            },
            {
                "column": "customproperty43",
                "value": "PAMServiceAccountEnterpriseRoleUAC",
                "feature": "accountVisibilityControl"
            }
        ],
        "endpointPamConfig": {
            "maxConcurrentSession": "50",
            "maxSessionLimitInSec": "",
            "maxSessionWarnPeriodInSec": "",
            "maxInActiveTimeInSec": "",
            "maxInActiveWarnPeriodInSec": "",
            "maxReqExpWarnPeriodInSec": ""
        },
        "accountVisibilityConfig": {
            "accountCustomProperty": "customproperty55",
            "accountMappingConfig": [
                {
                    "accountPattern": "app-*",
                    "mappingData": "",
                    "override": "false"
                },
                {
                    "accountPattern": "app_saviynt",
                    "mappingData": "role2",
                    "override": "false"
                }
            ]
        }
    }
}

  3. Accounts are PAM enabled (Accountconfig is not null and PAM is enabled) and status is Active? Yes
  4. Account Type is not null and the respective type is associated with the Service Account Type on the Endpoint? Yes
  5. Password Policy is associated, and the accounts you are expecting to be rotated are actually expired? Yes