Can TPAM connect to the target system successfully?
1. Log in to /tpam with an Administrator account.
2. Navigate to Systems, Accounts & Collections menu > Systems > Manage Systems.
3. Select the system in question on the "Listing" tab (use the Filter if necessary).
4. Select the "Details" tab for the System.
- Is the Network Address correct? If using a DNS name, try using the IP address instead to verify whether there is a DNS issue.
- For Windows, specify the hostname, in capital letters, in the Computer Name field.
- For Unix/Linux, if sudo is required, enter sudo in the Delegation Prefix field.
5. On the "Connection" tab, verify the Functional Account credentials are correct.
- Is the username spelled correctly? Does this account exist on the target? Does it have correct permissions? Is it locked or disabled?
- If using password authentication, try re-entering the password.
- If using a key, ensure the correct key has been copied to the target and the appropriate key type is used.
6. Click the blue "Test System" button to test the connection to the system.
If the system test fails, you will need to determine why TPAM is not able to connect successfully.
If you receive a timeout error such as:
- A timeout occurred waiting for a response from the system.
- The process to check the system [name] timed out after 30 seconds
This indicates that TPAM is unable to communicate with the target system over the network. The required port may be blocked, or the system may be offline.
If you receive an Access Denied error, such as:
WMI ConnectServer error: OLE exception from "SWbemLocator": Access is denied.
This likely means that the Functional Account credentials are invalid or port 445 is blocked. Please ensure the credentials have been configured properly on the Connection tab of the Managed System in TPAM and that the user is a member of the local Administrators group on the target system.
If you receive an RPC related error such as:
WMI ConnectServer error: OLE exception from "SWbemLocator": The RPC server is unavailable.
This indicates that port 135 / 445 is blocked between TPAM and the target system. To resolve this error, ensure that port 135 is open.
Unix / Linux Systems
In many cases, when performing a Test System, Reset Password or Check Password for Unix/Linux Systems and Accounts, a failure will provide output that explains the problem.
The command that TPAM is trying to send will be seen near the top, such as:
spawn -nottyinit /usr/bin/ssh -v -2 -l funcacct -i /home/edmzpar/keys/5B1XXXXXYH22MtE43tkjBQKVDlCeE -p 22 -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=25 10.10.10.10 sudo grep -w funcacct /etc/shadow
In this case, TPAM is attempting to grep the /etc/shadow file with the user funcacct. Does this user have the necessary permission to do so?
Towards the bottom, there are errors related to connection problems or authentication failures.
ssh: connect to host 10.10.10.10 port 22: Connection refused
- Is the network address correct? Is the port blocked? Is there a network routing issue?
It will cycle through the available authentication methods:
debug1: Authentications that can continue: publickey,password
When it cannot authenticate successfully using any of the available methods, it will report:
debug1: No more authentication methods to try.
- Verify that your functional account credentials are correct and that the necessary authentication methods have been enabled. (i.e., if password authentication is being used, has it been enabled in the ssh_config file on the system?)
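The Windows (WMI) and Unix/Linux (ssh -v) messages quoted above fall into two classes: the host cannot be reached, or the Functional Account is rejected. The script below is an added example, not part of TPAM or this article; it sorts a pasted Test System / Check Password output into those classes and pulls out the spawned command and the offered ssh authentication methods. The sample captures are constructed from the messages quoted above, and the key path /tmp/KEY is a placeholder.

```shell
#!/bin/sh
# Added example (not TPAM tooling): classify a copied Test System output.
# Prints: network (host/port unreachable), auth (functional account rejected),
# or unknown (none of the messages from the article matched).
classify_tpam_log() {
    if printf '%s\n' "$1" | grep -q \
        -e 'timed out after' -e 'A timeout occurred waiting' \
        -e 'Connection refused' -e 'RPC server is unavailable'; then
        echo network    # check address/DNS, routing, ports 22 / 135 / 445
    elif printf '%s\n' "$1" | grep -q \
        -e 'Access is denied' -e 'No more authentication methods to try'; then
        echo auth       # check credentials, key, local Administrators, sudo rights
    else
        echo unknown
    fi
}

# The command TPAM tried to run: the "spawn -nottyinit" line minus its prefix.
tpam_spawned_command() {
    printf '%s\n' "$1" | sed -n 's/^spawn -nottyinit //p'
}

# Authentication methods the target's sshd offered. If "password" is absent,
# password authentication is disabled server-side (PasswordAuthentication in
# the target's sshd_config) and only the key can work.
tpam_auth_methods() {
    printf '%s\n' "$1" \
      | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Constructed sample captures modelled on the messages quoted in the article.
UNIX_AUTH_LOG=$(cat <<'EOF'
spawn -nottyinit /usr/bin/ssh -v -2 -l funcacct -i /tmp/KEY -p 22 -o BatchMode=yes 10.10.10.10 sudo grep -w funcacct /etc/shadow
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
EOF
)
UNIX_NET_LOG=$(cat <<'EOF'
spawn -nottyinit /usr/bin/ssh -v -2 -l funcacct -p 22 10.10.10.10 sudo grep -w funcacct /etc/shadow
ssh: connect to host 10.10.10.10 port 22: Connection refused
EOF
)
WIN_DENIED_LOG='WMI ConnectServer error: OLE exception from "SWbemLocator": Access is denied.'
WIN_RPC_LOG='WMI ConnectServer error: OLE exception from "SWbemLocator": The RPC server is unavailable.'

for log in "$UNIX_AUTH_LOG" "$UNIX_NET_LOG" "$WIN_DENIED_LOG" "$WIN_RPC_LOG"; do
    echo "$(classify_tpam_log "$log"): $(printf '%s\n' "$log" | tail -n 1)"
done
```

Paste the real TPAM output into a variable (or `$(cat file)`) and call `classify_tpam_log` on it; the network check runs first because TPAM only reaches the authentication stage after the connection succeeded.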
Does the Password Rule set in TPAM match the password requirements of the target system?
TPAM ships with a default password rule that may or may not match the rules you currently have set in your environment. You can edit the settings for this Password Rule and/or create a new rule to match the system requirements.
1. Log in to /admin with a Sys Admin account.
2. Navigate to System Status / Settings and select Password Rules.
3. Review the Default Password Rule settings and modify as necessary.
4. You can also create multiple rules to match different policy requirements.
Things to consider and document when troubleshooting password issues on managed accounts/systems
- Minimum password age (in certain instances the OS may be set to require a password be a day old before it can be changed again)
- Maximum password age (compare to the settings under the management tab of the managed account in PAR)
- Minimum and maximum password length
- Password complexity (uppercase, lowercase, numeric, and special characters)
When troubleshooting failed password changes or password mismatch issues remember that for each managed account the appliance retains a list of past passwords, and the time period in which they were valid. The list also includes any failed passwords that the appliance attempted to use for the managed accounts.
When troubleshooting password mismatch issues on a Linux system, ensure that the DSS Key for TPAM is imported and trusted on the Linux system.
Review the Change Log, Test Log and Agent Logs to determine what failed and when.
1. Navigate to Systems, Accounts & Collections menu > Accounts > Manage Accounts.
2. Select the Account in question on the "Listing" tab (use the Filter if necessary).
3. Select the "Logs" tab for the Managed Account.
The Change Log will list the results for all attempted password changes.
- Forced Reset - Success / Failed
- Scheduled Change - Success / Failed
- Post-Release Reset - Success / Failed
The Test Log will list the results for all attempted password checks.
- Failed - Host Unreachable
Using these logs, you can try to establish how and when the operations are failing. Do they only fail at certain dates and times? Are forced resets successful, but scheduled changes failing?
You may also wish to review the Activity Report under the Reports > Activity Reports menu. This will record any changes that were made to Systems and Accounts and may help to identify when configuration changes were made and which user made the changes.
There are many factors that can affect System and Account Management in TPAM, and it requires ongoing maintenance. The best approach is to create a checklist of all possible causes and then systematically narrow it down until the root cause is found.