PAM disables User Accounts while logon via Load Balancer

Document ID : KB000107680
Last Modified Date : 12/09/2018
Issue:
We have a PAM Cluster and each cluster node is to be accessed via an external load balancer device.
We observe that CA PAM disables user accounts in its user database when the user tries to access any of the PAM appliances in the cluster via the virtual URL or virtual IP of the load balancer.

PAM Session Logs indicate:
...
18.07.2018 10:16    CN=xxx,OU=...,DC=local    alert    --    CN=yyy,OU=...,DC=local    --    --    --    --    172.20.112.167    --    --    --    --    --    PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated.    0    --        0
18.07.2018 10:15    CN=xxx,OU=...,DC=local    alert    --    CN=yyy,OU=...,DC=local    --    --    --    --    172.20.112.167    --    --    --    --    --    PAM-CMN-1167: A potential tampering attempt has been detected, the end-user''s local system may be compromised. Account deactivated.    0    --        0
...
18.07.2018 10:20 CN=xxx,OU=...,DC=local login -- CN=yyy,OU=...,DC=local -- -- -- -- 172.20.112.167 -- -- -- -- -- PAM-CMN-0903: This account is deactivated. See your CA PAM Administrator. 0 -- 0
...





What is the reason for this, and how can this issue be prevented?
Resolution:
This issue might not happen when the user connects directly to the real IP/hostname of the PAM appliance instead of the cluster VIP or cluster URL.

Please confirm that PAM's system certificate subject is configured to match the URL of the VIP.
Make sure the Common Name and Alternate Subject Names fields reflect all the URLs used to access this PAM instance.
Note that there should be no line break / carriage return at the end of the list of Alternate Subject Names.

Please see this document for how to configure and set the system certificate accordingly:
https://comm.support.ca.com/kb/how-to-use-ms-pki-to-sign-the-certificate-request-issued-by-xsuite/kb000042197

Moreover, please confirm that the load balancer does not terminate SSL and instead tunnels SSL all the way through to PAM.
For a NetScaler load balancer this is done by configuring SSL bridging; see e.g.
https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-bridging.html
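
The certificate and load balancer checks above can be scripted. The following is an added example, not CA's code: it takes a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(), SHA-256 certificate fingerprints collected via the VIP and directly from each node, and the raw text of the Alternate Subject Names list. All host names, addresses and fingerprints are constructed sample values, and it assumes that with SSL tunnelled through, the VIP presents a PAM node's own certificate.

```python
import ipaddress
from urllib.parse import urlsplit

def _matches(host, pattern):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def uncovered_urls(cert, urls):
    """URLs whose host is not covered; cert is shaped like ssl getpeercert() output."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not san:  # no SAN extension: fall back to the subject Common Name
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    missing = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        try:
            ok = ipaddress.ip_address(host) in ips
        except ValueError:  # not an IP literal, so compare as a DNS name
            ok = any(_matches(host, p) for p in dns)
        if not ok:
            missing.append(url)
    return missing

def audit(urls, vip_cert, vip_sha256, node_sha256s, san_field_text):
    """Run the name, SSL termination and line-break checks; an empty list means all passed."""
    findings = ["not covered by certificate: " + u for u in uncovered_urls(vip_cert, urls)]
    if vip_sha256.lower() not in {f.lower() for f in node_sha256s}:
        findings.append("VIP presents a certificate that no PAM node uses (SSL terminated at load balancer)")
    if san_field_text != san_field_text.rstrip("\r\n"):
        findings.append("Alternate Subject Names list ends with a line break")
    return findings

# Constructed sample data: hypothetical names, documentation IP range, placeholder fingerprints.
SAMPLE_CERT = {
    "subject": ((("commonName", "pam-vip.example.test"),),),
    "subjectAltName": (("DNS", "pam-vip.example.test"), ("DNS", "pam1.example.test"),
                       ("IP Address", "192.0.2.10")),
}
SAMPLE_URLS = ["https://pam1.example.test/", "https://pam2.example.test/", "https://192.0.2.10/"]

if __name__ == "__main__":
    san_text = "pam-vip.example.test\npam1.example.test\n"  # constructed; note the trailing "\n"
    print(audit(SAMPLE_URLS, SAMPLE_CERT, "AA" * 32, ["aa" * 32, "bb" * 32], san_text))
```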

Try with Cross Site Scripting checks disabled on all the PAM nodes, as per
https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/configure-your-server/configure-security-settings/disable-and-enable-cross-site-scripting-attack-checking/


In CA PAM r3.1.3 and newer, use the "JuniperProxyMode" feature.
(JuniperProxyMode is a special flag that can be specified when accessing the PAM login screen so that the PAM server sends its certificate along with the data to the applet.
The applet then uses this certificate and ignores the certificate from the HTTPS connection.)
  • Configure the PAM Client to "Use System Proxy Settings" + "Ignore Proxy Certificate" in the Configuration Settings / Proxy tab.
  • If you use a web browser, append XSUITE_VPN_LOGIN=1 to the PAM URL,
e.g. https://VIP-of_LoadBalancer/?XSUITE_VPN_LOGIN=1