PAM-CM-3431: Different behavior after upgrading from PAM 2.8.4.1 to 3.2.2

Document ID : KB000118928
Last Modified Date : 06/04/2019
Issue:
Active Directory accounts were initially entered into PAM without the domain. After the accounts were put into sync, @domainname.com was appended to the account name and the account was saved again. After upgrading to 3.2.2, doing this resulted in the error "PAM-CM-3431: Distinguished Name (DN) must be specified". The same error was encountered when trying to update the password of an existing account that had been saved with the user principal name as the account name prior to the PAM upgrade.
Environment:
Any PAM 3.1.1+ installation with Active Directory integration could have this problem.
Cause:
In PAM 3.1.1 a new feature was introduced that allows PAM to track account movement across Active Directory OUs. To detect a change in an account's Distinguished Name (DN), PAM uses the target account name to look up the current DN in Active Directory and compares it to the DN stored in the PAM database. For this lookup to succeed, the target account name must match the sAMAccountName attribute in Active Directory; a user principal name (name@domainname.com) does not match, so no DN is found and the error above is raised.
Resolution:
For the customer who had previously required the user principal name as the target account name, Citrix was modified to create domain-specific front ends. After this change it was no longer necessary to append @domainname.com to the target account name in PAM.

In general, make sure that the target account name for target accounts associated with a target application of type Active Directory matches the sAMAccountName attribute of the account in Active Directory.
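The following is an added illustration, not PAM's own code, of the two points above: the DN-tracking lookup described under Cause, and the target-account-name check recommended under Resolution. It stands in for the LDAP query with a constructed in-memory directory keyed by sAMAccountName (all names, the directory contents, and the "example.com" domain are made up), and shows why a UPN-style target account name yields a "DN not found" result while a plain sAMAccountName resolves and can be compared against the stored DN:

```python
"""Simulates PAM's sAMAccountName-based DN lookup and a pre-save validation
of target account names. Constructed example; not PAM's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for Active Directory: sAMAccountName -> current DN.
# A real check would query a domain controller over LDAP; keys are stored
# lower-case because sAMAccountName matching in AD is case-insensitive.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "jsmith": "CN=John Smith,OU=Finance,DC=example,DC=com",
    "svc-backup": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
}


@dataclass
class DnCheck:
    status: str                # "unchanged", "moved" or "dn_not_found"
    current_dn: Optional[str]  # DN found in the directory, if any


def lookup_dn_by_sam(directory: Dict[str, str], target_account_name: str) -> Optional[str]:
    """Resolve the DN using the target account name as the sAMAccountName.

    The name is used as-is (apart from case folding). A UPN such as
    "jsmith@example.com" therefore matches nothing, which is the condition
    the KB reports as PAM-CM-3431.
    """
    return directory.get(target_account_name.lower())


def check_dn(directory: Dict[str, str], target_account_name: str, stored_dn: str) -> DnCheck:
    """Compare the DN currently in the directory with the DN stored in PAM."""
    current = lookup_dn_by_sam(directory, target_account_name)
    if current is None:
        return DnCheck("dn_not_found", None)
    if current.lower() == stored_dn.lower():
        return DnCheck("unchanged", current)
    return DnCheck("moved", current)  # account was moved to another OU


def validate_target_account_names(directory: Dict[str, str],
                                  names: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (name, suggested_sAMAccountName) for every name that will not
    resolve by sAMAccountName. The suggestion is the part before '@' when that
    part exists in the directory, otherwise None."""
    problems: List[Tuple[str, Optional[str]]] = []
    for name in names:
        if lookup_dn_by_sam(directory, name) is None:
            candidate = name.split("@", 1)[0]
            suggestion = candidate if candidate.lower() in directory else None
            problems.append((name, suggestion))
    return problems


if __name__ == "__main__":
    stored = "CN=John Smith,OU=Finance,DC=example,DC=com"
    print(check_dn(SAMPLE_DIRECTORY, "jsmith", stored))
    print(check_dn(SAMPLE_DIRECTORY, "jsmith@example.com", stored))
    print(validate_target_account_names(
        SAMPLE_DIRECTORY, ["jsmith", "jsmith@example.com", "nobody"]))
```

Running `validate_target_account_names` over an export of PAM target account names before an upgrade to 3.1.1 or later surfaces every name that carries a domain suffix or otherwise does not match an sAMAccountName, so they can be corrected before the DN-tracking check starts rejecting saves and password updates.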