How to manage Domain Accounts with CA PAM using the Windows Proxy connector.

Document ID : KB000009804
Last Modified Date : 30/05/2018
Introduction:

This document shows how to configure Windows Proxy and CA PAM so that CA PAM can manage the passwords of Domain Accounts.  It is assumed that the Windows Proxy server is installed on a Domain Member and that you have credentials for a Domain Account which the Windows Proxy connector will use to change passwords.  That account needs the right to reset the passwords of the accounts you intend to manage; delegate only that right on the relevant OU rather than giving the account Domain Admin membership.

Instructions:

After installing the Windows Proxy software on one of the Domain Members, check that the cspmagentd service is running.  The service name may change between Windows Proxy versions, so check the documentation for your version.  If you only want to manage accounts local to the Windows Proxy server you can stop here.  For Domain Accounts you must configure the service to run with the credentials of the Domain Account that will change passwords; these are the credentials CA PAM uses when a target account is configured with the option "Use proxy credentials to change password".

[Image: WinProxy-DomainCredentials.JPG]

In PAM 3.x versions the service is named "PAM proxy".

As part of the Windows Proxy configuration you must specify the IP address or fully qualified domain name of the corresponding CA PAM instance.  If you will be using Windows Proxy with a CA PAM cluster, enter the VIP of the cluster.  You can change this address at any time, but you must restart the cspmagentd service for the change to take effect.
[Image: WinProxy-Config.JPG]
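The proxy-side steps above (confirm the service is present and running, switch it to the domain account that will reset passwords, restart it so the new credentials and any changed CA PAM address take effect) can be done from an elevated PowerShell session on the Windows Proxy host.  The script below is an added example and is not part of this article or of the Windows Proxy product.  It assumes the service is either cspmagentd or, for PAM 3.x, the service with display name "PAM proxy", and the domain account EXAMPLE\svc-pamproxy is a hypothetical placeholder.

```powershell
# Added example, not from the CA knowledge base article or the Windows Proxy product.
# Run in an elevated PowerShell session on the Windows Proxy host (a domain member).
# Assumptions (hypothetical): the service is 'cspmagentd' (older proxies) or has the
# display name 'PAM proxy' (PAM 3.x); the domain service account is EXAMPLE\svc-pamproxy.

$candidates    = @('cspmagentd', 'PAM proxy')
$DomainAccount = 'EXAMPLE\svc-pamproxy'   # hypothetical account that will reset passwords

# 1. Find the proxy service by name or display name (the name varies by version).
$service = $null
foreach ($c in $candidates) {
    $service = Get-Service -Name $c -ErrorAction SilentlyContinue
    if (-not $service) { $service = Get-Service -DisplayName $c -ErrorAction SilentlyContinue }
    if ($service) { break }
}
if (-not $service) { throw "No Windows Proxy service found; check the documentation for your version." }

$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($service.Name)'"
"Found '{0}' ({1}): status={2}, log-on account={3}" -f $cim.DisplayName, $cim.Name, $cim.State, $cim.StartName

# 2. Switch the service to the domain account. Prompt for the password instead of
#    storing it in the script. The account must hold the 'Log on as a service' right
#    on this host; Win32_Service.Change does not grant it (the Services console does).
$cred   = Get-Credential -UserName $DomainAccount -Message "Password for $DomainAccount"
$result = Invoke-CimMethod -InputObject $cim -MethodName Change -Arguments @{
    StartName     = $DomainAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    # Win32_Service.Change return codes: 15 = service logon failed, 22 = invalid service account
    throw "Changing the log-on account failed, return code $($result.ReturnValue)"
}

# 3. Restart so the new credentials (and any changed CA PAM address) take effect,
#    then confirm the service came back up under the domain account.
Restart-Service -Name $service.Name -ErrorAction Stop
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($service.Name)'"
if ($after.State -ne 'Running' -or $after.StartName -ne $DomainAccount) {
    throw "Service is $($after.State) under $($after.StartName); check the System event log (Service Control Manager)."
}
"Service '{0}' is running as {1}" -f $after.Name, $after.StartName
```

If the restart fails with a logon error, the usual cause is that the domain account lacks the "Log on as a service" right on the proxy host; grant it through the local security policy (or set the account once through the Services console, which grants it) and restart again.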

Once the Windows Proxy is configured you must activate it in CA PAM.  Go to the Targets > Proxies page, where you should see an entry for the proxy you just configured.  Click the Active radio button and click Save.  Reopen the entry; the fields at the bottom of the screen should now be populated.  To confirm that the credentials are correct, click the Get Logs button.  If everything is working you will be prompted to Open or Save the log file.

[Image: WinProxy-OnCAPAM.JPG]

Next, create a CA PAM Application.  The application should use the Active Directory and Windows Proxy Application Type; you can name it whatever you wish.  Click the Domain Account radio button, enter your domain name as shown in the screenshot, and move your proxy from the Available Proxies list to the Selected Proxies list.

[Image: WinProxy-ApplicationForDomainAccounts.JPG]

You are now ready to configure the accounts you want to manage using the application you just created.  Make sure to select the Use Proxy Credentials radio button, so that the password change is performed with the proxy service's Domain Account credentials rather than with the target account's own password.

[Image: WinProxy-DomainAccount.JPG]

Once you click Save with the "Update both" option selected, the account should be listed as in sync.  If it is not, use the Tomcat log to troubleshoot the problem; make sure the Tomcat Log Level is set to Info first so the proxy's password-change attempt is recorded.

[Image: AccountInSync.JPG]