Many PIV/CAC users unable to view passwords from the access page after migration to PAM 3.X

Document ID : KB000122249
Last Modified Date : 10/12/2018
Issue:
After an upgrade from 2.8.4 to 3.2.2, a large number of PIV/CAC users are unable to view passwords from the access page. Auto-logon appears to work. This affects users with a username longer than 128 characters. It also appears to affect only users added prior to the upgrade to 2.8.3. Users that were added recently, but prior to the migration from 2.8.4 to 3.X, do not have this problem. We notice that these recently added users have the user principal name populated in PAM. This comes from the subject alternate name in the certificate on the PIV/CAC card. The older user entries do not have the user principal name set in the PAM database.
Environment:
PAM 3.2.2, or in general 3.X, upgraded from PAM 2.8.
Cause:
In PAM releases 2.X, the Credential Management (CM) side of the product had a limit of 128 characters for user names, while the access side allowed up to 256 characters. A short name was used on the access side to deal with the limitation. In PAM 3.X the limit is 256 characters consistently, but the migration from 2.8 to 3.0 does not change the user names in the CM DB tables. This can cause post-migration problems for users with names that had been truncated to 128 characters in the past. In the latest 2.8.X releases, code was added to retrieve the user principal name from the user certificate and, if available, use it as the user name in the CM tables. This avoids the problem for recently added users, if their certificate includes the user principal name as subject alternate name.
Resolution:
Hotfix 3.2.2.10 was created for use on top of PAM 3.2.2 to resolve the problem for users that have the user principal name in the certificate as subject alternate name. At the time of writing this document, the hotfix was not published. The problem is expected to be addressed in the next main PAM release 3.3, i.e. upgrading to 3.3 once available should resolve the problem. The fix is not in PAM 3.2.3. If you run into the problem prior to PAM 3.3 and do not find a published PAM patch to address the problem, please open a support case.