Cannot discover accounts on target servers where the first target application defined does not support account discovery

Document ID : KB000122702
Last Modified Date : 06/12/2018
Show Technical Document Details
Issue:
We have a target account with the "Discovery Allowed" flag set associated with a target application for a target server. Therefore this server should be available for target account scans. But it does not show up in the list of available target servers in a new discovery scan profile. This target server also has other target applications that do not support account discovery.
Environment:
PAM 3.0, 3.1 or 3.2
Cause:
PAM uses the following logic to find target servers available for account discovery:
- Get a list of all target applications and map them to target servers.
- For each target server go through the list of target applications. If the target application is capable of account discovery, get the list of target accounts associated with the application and see whether any of them has the "Discovery Allowed" flag set. If yes, add this server to the list of available servers.

There was a problem while going through the list of target applications per target server. When the first target application was encountered that did not support account discovery, the loop was interrupted and the logic moved on to the next target server. If the target application that does not support discovery had been created before the one that has an account configured for discovery, the target server was not listed in a new scan profile.
Resolution:
This problem will be fixed in PAM 3.3 and on.
For PAM 3.2 and lower you can avoid the problem by first creating the target application that supports account discovery.
If the server already had another target application configured, e.g. of type Generic, that application would have to be removed and created new. Be aware that this will remove all target accounts associated with the old target application, including their use in any access policy. Accounts and policies would have to be reconfigured as well.