Unable to rotate password for managed AD account

Participant III
Posts: 18
Registered: ‎08-24-2018
#1 of 4 634
Accepted Solution

Unable to rotate password for managed AD account

I have added a Domain Account into Centrify and selected "Managed this password" when saving.

I am able to verify the password successfully, but when I select "Rotate Password" from the drop-down, I get an error.  The error that is in the downloaded PASReport.zip file is

2018-09-10T14:37:13.1232053Z : Changing password for account: testAcct, accountId: 013deed6-72b4-47b6-a645-35b3dc959729, reason: RotatePassword
2018-09-10T14:37:13.1345785Z : Trying to read the current password
2018-09-10T14:37:13.5251803Z : Setting pending secret :af2868ff-c530-49e4-806a-acfd7c9b4ccf
2018-09-10T14:37:13.7126808Z : Changing account testAcct password...
2018-09-10T14:37:21.2595484Z : Invalid account credentials
2018-09-10T14:37:21.2595484Z : Details : System error.

Thanks

Centrify Guru I
Posts: 2,349
Registered: ‎07-26-2012
#2 of 4 623

Re: Unable to rotate password for managed AD account

@SD810161,

Welcome back.

What is the version of Privilege Access Service (only relevant if you're using On Premises)?

Have you designated the connectors (Connectors tab) for the domain in question?

What is the way you're changing Domain Account passwords (via an Admin account, or via the current account - see below)?

Have you verified that the account credential is correct?  (Verify the credential, especially because of this message)

2018-09-10T14:37:21.2595484Z : Invalid account credentials

Let's start with this question and go from there.

Background

With PAS, there are two ways to design the implementation of Domain Password management:

  • Leveraging a domain Administrative account.
  • Leveraging each specific account.

Administrative Account approach

This is when you designate an administrative account for the domain in question (with privileged rights such as Domain Admin) to drive password operations.  This is the best practice and allows you to "take over" accounts without knowing the password or being bound by the "minimum password age" GPO.  In addition, the vault can unlock accounts prior to login or checkout if a lockout is detected.

[images: pas-admin2.PNG, pas-admin.PNG]

Anomaly detection:  If something is wrong with the administrative account, you'll get a pop-up informing you about the issue.  You can see further details within the Activity feed of the domain in question.

[image: issues.PNG]

Managed-account approach

This approach uses the same account being managed as the driver for password management.  This approach has the following challenges:

  1. You need to know the current password of the account to add it to the vault and manage it.
  2. The account is bound by the "Minimum password age" GPO.  This means that you can't change the password unless this is covered.  By default it's set to 24 hours.  This means that you can't change the password until after this threshold passes or the GPO is relaxed.
  3. No way to deal with account lockouts.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
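The two challenges listed above for the managed-account approach (the "Minimum password age" GPO and account lockouts) can be checked before a rotation is attempted. The following is an added example, not Centrify's code and not something from this thread: it assumes you have already read the account's raw pwdLastSet and lockoutTime attributes from Active Directory (both are Windows FILETIME integers) and that you know the domain's minimum password age and lockout duration. The sample timestamps are constructed around the 2018-09-10T14:37Z attempt shown in the first post; the function names and the way a lockout duration of zero is modelled are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet / lockoutTime as Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert an AD FILETIME integer to an aware UTC datetime; 0 (or negative) means 'unset'."""
    if ft <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build constructed sample values."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def rotation_preflight(pwd_last_set, lockout_time, now,
                       min_password_age=timedelta(hours=24),
                       lockout_duration=timedelta(minutes=30)):
    """Decide whether the account can rotate its own password right now.

    pwd_last_set, lockout_time: raw AD FILETIME integers for the account.
    min_password_age: the domain's 'Minimum password age' policy (24 h default, as in the thread).
    lockout_duration: the domain's 'Account lockout duration'; timedelta(0) is taken to mean
        'locked until an administrator unlocks it' (modelling assumption of this example).
    Returns a dict describing what, if anything, blocks a self-service change.
    """
    last_set = filetime_to_datetime(pwd_last_set)
    locked_at = filetime_to_datetime(lockout_time)

    # Minimum password age: a self-change is refused until the age has elapsed.
    # pwdLastSet == 0 means 'must change at next logon'; treated here as changeable now (assumption).
    earliest = now if last_set is None else last_set + min_password_age
    age_ok = now >= earliest

    # Lockout: a locked-out account cannot authenticate, so it cannot change its own password.
    if locked_at is None:
        locked = False
    elif lockout_duration == timedelta(0):
        locked = True  # stays locked until an admin unlocks it
    else:
        locked = now < locked_at + lockout_duration

    blockers = []
    if not age_ok:
        blockers.append("minimum password age not reached (earliest %s)" % earliest.isoformat())
    if locked:
        blockers.append("account is locked out")
    return {
        "self_change_allowed": not blockers,
        "earliest_self_change": earliest,
        "locked_out": locked,
        # Either blocker can only be overcome with the administrative-account approach.
        "needs_admin_account": bool(blockers),
        "blockers": blockers,
    }


# Constructed sample values (not real directory data): an account whose password was
# last set 12 hours before the rotation attempt and which is not locked out.
NOW = datetime(2018, 9, 10, 14, 37, 13, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(hours=12))
SAMPLE_LOCKOUT_TIME = 0

if __name__ == "__main__":
    result = rotation_preflight(SAMPLE_PWD_LAST_SET, SAMPLE_LOCKOUT_TIME, NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample values the check reports that a self-service change is not yet allowed (the earliest time is 24 hours after pwdLastSet) and that an administrative account would be needed to rotate sooner; in a real deployment the two attribute values would come from an LDAP read of the account object rather than from the constructed constants.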
Participant III
Posts: 18
Registered: ‎08-24-2018
#3 of 4 614

Re: Unable to rotate password for managed AD account

The "Enable automatic account maintenance" option wasn't checked.  I thought the global setting would be covered and not needed here.

Thanks.

Centrify Guru I
Posts: 2,349
Registered: ‎07-26-2012
#4 of 4 594

Re: Unable to rotate password for managed AD account

Good job. I'm happy that this worked for you.

Note that there are no "global switches" for domain account settings/policies.  Regardless of what's set up on the Accounts section under Settings > Infrastructure, you still have to pick the password management method and options individually per managed domain.
