PAMSC: Windows PAMSC Integration with Application=AD

Document ID : KB000098947
Last Modified Date : 27/06/2018
Introduction:
Make sure you download the latest hotfix for CA PAM (3.1.1.07), which can be found on the Solutions & Patches page.  We found that in releases before 3.1.1.07 the public_addr object contained a NULL value, which is why 'sewhoami -a' was not showing the correct user: there was a disconnect.
Instructions:
The Windows Login Integration differs from the Login Integrations done with Linux and UNIX.  When installing the PAMSC endpoint, the installer's GUI offers the option 'PUPM Integration'.  Selecting it lays down all of the configuration we typically had to modify by hand for the Linux and UNIX Login Integrations.  So, if that option is selected, no additional steps are needed for the Login Integration to work on Windows.

The issue turned out to be conflicting policies: one policy had Login Integration enabled and another had Login Integration disabled.  This is very tough to discover because nothing inside CA PAM lets an administrator know that duplicate policies exist.  The policies used user groups and device groups, and those groups are naturally populated according to business needs, so this was a user error on the customer's end.
Additional Information:
If you continue to experience issues, there are two sides to check to see where the disconnect is occurring.  First, make sure PAM is dropping the right message into ActiveMQ.

On the PAMSC endpoint, shut down the CA PAMSC endpoint and ensure all AgentManager services are killed.  Use Task Manager to kill these services, not services.msc, because PAMSC self-protection prevents services.msc from stopping them.  You can also use 'secons -S' from the command line.

Reproduce the issue inside the CA PAM console.  You should expect the terminal to hang.  Once that is done, go to your ActiveMQ server (e.g., https://ActiveMQ_server_here:8161/) and log in with the credentials you set during the PAMSC Management Server or ActiveMQ installation; the communication key is the password.  Once logged in to ActiveMQ, click "Manage ActiveMQ broker" -> "Queues" -> "ac_server_to_endpoint" -> "View Consumers", and you should see a message like this:
[Screenshot: the "View Consumers" page for the ac_server_to_endpoint queue; image not reproduced]
Now start CA PAMSC again, ensuring the AgentManager service is alive.  Once that is done, reproduce the issue again and check whether AgentManager picks up the request.

Then look inside the PUPMAgent trace log under this folder (the log is generated automatically if you checked 'PUPM_Integration' as an additional feature during the PAMSC Windows installation):
C:\Program Files\CA\AccessControl\Data\PUPMAgent

23-Mar-2018 12:40:38: _ProcessPreLogonNotification> Received prelogon integration message. ACID="PAM_ENDP_INTEGR"
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> Integration message correlation ID = "LINGO:5"
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ACCOUNT_NAME --> "Bob" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ORIG_ACCOUNT_NAME --> "super" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> CHECKOUT_HOST_NAME --> "141.202.54.2" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ORIG_ACCOUNT_REPOSITORY --> "RDB" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> IS_ORIG_ACCOUNT_NATIVE_USER --> "YES" was received.

You should be able to see a PreLoginNotification event like the one above inside PUPMAgent_Trace.log.  If the ActiveMQ consumer is present but no such event is logged, the disconnect is on the endpoint side; if the consumer is missing, it is on the PAM side.
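As an added example (not part of the original article or of the CA PAMSC product), the following script parses _ProcessPreLogonNotification lines from PUPMAgent_Trace.log and reports whether a complete pre-logon message for the expected account arrived, so the endpoint-side check above can be repeated without reading the trace by hand.  The sample input is the trace excerpt shown above; the attribute list and the "missing message" diagnosis are assumptions based on that excerpt.

```python
import re

# Sample PUPMAgent_Trace.log lines copied from the article (constructed input for this example)
SAMPLE_TRACE = """\
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> Received prelogon integration message. ACID="PAM_ENDP_INTEGR"
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> Integration message correlation ID = "LINGO:5"
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ACCOUNT_NAME --> "Bob" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ORIG_ACCOUNT_NAME --> "super" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> CHECKOUT_HOST_NAME --> "141.202.54.2" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> ORIG_ACCOUNT_REPOSITORY --> "RDB" was received.
23-Mar-2018 12:40:38: _ProcessPreLogonNotification> IS_ORIG_ACCOUNT_NATIVE_USER --> "YES" was received.
"""
LINE_RE = re.compile(r'^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}): _ProcessPreLogonNotification> (.*)$')
START_RE = re.compile(r'^Received prelogon integration message\. ACID="([^"]+)"$')
CORR_RE = re.compile(r'^Integration message correlation ID = "([^"]+)"$')
FIELD_RE = re.compile(r'^([A-Z_]+) --> "([^"]*)" was received\.$')
# Attributes PAM sends with the pre-logon message, as listed in the article (assumed complete set)
REQUIRED = ("ACCOUNT_NAME", "ORIG_ACCOUNT_NAME", "CHECKOUT_HOST_NAME",
            "ORIG_ACCOUNT_REPOSITORY", "IS_ORIG_ACCOUNT_NATIVE_USER")
def parse_prelogon_events(trace_text):
    """Group _ProcessPreLogonNotification lines into one dict per received message."""
    events, current = [], None
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated trace lines are ignored
        ts, body = m.groups()
        if (s := START_RE.match(body)):
            current = {"time": ts, "acid": s.group(1), "correlation_id": None, "fields": {}}
            events.append(current)
        elif current is None:
            continue  # attribute line with no preceding message header
        elif (c := CORR_RE.match(body)):
            current["correlation_id"] = c.group(1)
        elif (f := FIELD_RE.match(body)):
            current["fields"][f.group(1)] = f.group(2)
    return events

def check_prelogon(trace_text, expected_account):
    """Return (ok, findings); ok only if a complete message for expected_account was logged."""
    events = parse_prelogon_events(trace_text)
    if not events:
        return False, ["no pre-logon message reached PUPMAgent: check the ActiveMQ consumer and AgentManager"]
    findings = []
    for ev in events:
        label = ev["correlation_id"] or "<no correlation ID>"
        findings.extend(f"{label}: missing attribute {k}" for k in REQUIRED if k not in ev["fields"])
        if ev["fields"].get("ACCOUNT_NAME") != expected_account:
            findings.append(f"{label}: ACCOUNT_NAME {ev['fields'].get('ACCOUNT_NAME')!r} != {expected_account!r}")
    return not findings, findings
```

Run it against the real trace by reading the file under the PUPMAgent folder into check_prelogon together with the account name used in the CA PAM session.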