
Windows PAM Template Connection

jezzanuena
Regular Contributor

I was trying to create a connection for Windows. My Windows instances reside in an AWS account. I keep getting a Connection Failed error even after following the documentation guide.

At this moment, this is what I'm getting after clicking Save & Test Connection when I configure the Basic Config, while I get a "Connection Failed" error when I configure the Advanced Config.

[Image: jezzanuena_0-1666582115393.png]

Here are the details I have in the connection so far:

HostName: IP Address of my Windows instance

Domain: localhost

User Name: the master account with administrator and Remote Management access

Password: Password of the master account

Service URL: the default one, http://windowsconnectorms:9056

Here is the log:

{"log":"2022-10-24 03:32:45,434 [http-nio-8080-exec-15] ERROR connectorms.ConnectorMsHelperService - Error occurred while testing windowsconnection for connection WINDOWS_JNTest1\n","stream":"stdout","time":"2022-10-24T03:32:45.434721877Z"}

{"log":"error: pack-objects died of signal 9\n","stream":"stderr","time":"2022-10-24T03:32:51.974051837Z"}

{"log":"error: remote unpack failed: eof before pack header was fully read\n","stream":"stderr","time":"2022-10-24T03:32:52.092024428Z"}

{"log":" ! [remote rejected] master -\u003e master (unpacker error)\n","stream":"stderr","time":"2022-10-24T03:32:52.17254992Z"}


rushikeshvartak
All-Star

It seems to be a network connectivity issue.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thank you, @rushikeshvartak

I see. Hmm. Per documentation, 3389 and 5985 on top of other PowerShell scripts provided. Anything else that you can think of?

Below are a few things that you can validate:

  1. PowerShell remoting should be enabled.
  2. Verify WinRM is configured to allow local users to connect remotely (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> validate that DWORD LocalAccountTokenFilterPolicy = 0x00000001 (1) exists).
  3. Validate that the Windows Remote Management service is enabled and running.
  4. Windows Firewall > Inbound Rules -> Locate the Windows Remote Management (HTTP-In) rules. Confirm Local Address is configured for Any (not Local Subnets) for port 5985 for both rules (Public and Domain/Private).
  5. Open Windows Firewall > Inbound Rules -> Locate the Remote Desktop - User Mode (TCP-In) rule. Confirm Local Address is configured for Any (not Local Subnets) for port 3389.

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
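
The five checks in the reply above can be run as one read-only script on the Windows target. This is an added example, not part of the original reply or Saviynt's own tooling; it assumes an elevated PowerShell session, English firewall rule display names as written in the reply, and the helper name `Add-Check` is made up for this example.

```powershell
# Read-only verification of the WinRM/RDP prerequisites listed above.
# Run in an elevated PowerShell session on the Windows target; nothing is changed.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Item, [bool]$Ok, [string]$Detail) {
    # Hypothetical helper: records one check result for the summary table.
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Ok; Detail = $Detail })
}

# Items 1 and 3: the WinRM service is running and its listener answers locally.
$svc = Get-Service -Name WinRM
Add-Check 'WinRM service running' ($svc.Status -eq 'Running') "Status=$($svc.Status), StartType=$($svc.StartType)"
try {
    $null = Test-WSMan -ErrorAction Stop
    Add-Check 'WinRM listener answers (Test-WSMan)' $true 'OK'
} catch {
    Add-Check 'WinRM listener answers (Test-WSMan)' $false $_.Exception.Message
}

# Item 2: LocalAccountTokenFilterPolicy DWORD exists and equals 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
Add-Check 'LocalAccountTokenFilterPolicy = 1' ($val -eq 1) "Value=$val"

# Items 4 and 5: inbound rules enabled, Local Address = Any, expected local port.
$expected = @{
    'Windows Remote Management (HTTP-In)' = '5985'
    'Remote Desktop - User Mode (TCP-In)' = '3389'
}
foreach ($name in $expected.Keys) {
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { Add-Check $name $false 'Rule not found'; continue }
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        $ok = ($rule.Enabled -eq 'True') -and
              ($addr.LocalAddress -contains 'Any') -and
              ($port.LocalPort -contains $expected[$name])
        Add-Check "$name [$($rule.Profile)]" $ok "Enabled=$($rule.Enabled), LocalAddress=$($addr.LocalAddress), LocalPort=$($port.LocalPort)"
    }
}

$results | Format-Table -AutoSize -Wrap
```

Setting LocalAccountTokenFilterPolicy to 1 turns off UAC remote token filtering for local administrator accounts, so limit which sources can reach 5985 and 3389 (for example with the instance's AWS security group).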

jezzanuena
Regular Contributor

Thank you, @sk. We were able to configure one of the target instances. A set of security system, endpoint and connection is being created too for each instance. However, it is not being PAM enabled automatically.

For creating the SS, Endpoint and Connection, it may not validate the connectivity, but when it tries to do PAM Enabled it tries to pull the accounts from the target, and at that point it tries to connect to the target. If you don't have connectivity and the above-mentioned settings, that could lead to the issue you reported.


Regards,
Saathvik

jezzanuena
Regular Contributor

@sk are you referring to the point where the master accounts connect to the target instance?

Yes


Regards,
Saathvik

jezzanuena
Regular Contributor

I see. But when we tried to connect to the instance locally, we could connect using the master account. By the way, I noticed your ticket regarding PAM enablement for DB accounts. How did you resolve your issue? Currently, our IAM accounts (shareable accounts) are not being PAM enabled during bootstrap even though there is a password policy assigned on the endpoint level.

NageshK
Saviynt Employee

@jezzanuena were you able to bootstrap your Windows machine and other shareable accounts?