9 Replies Latest reply on Jul 25, 2018 2:08 PM by Steve Martinez

    ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed

    Daniel Adler

      Hi,

       

      We are trying to integrate our new ADDM 11.3 with CyberArk, but I'm not able to scan the servers.

      The CyberArk team set up the BMC_Discovery account and provided access to a specific vault that has only 1 object (key) to scan Windows machines. On the ADDM side I installed everything according to the documentation, but every time I test the credential I get the error:   Remote access via Windows Credential Proxy ****** failed.

       

      Could anyone guide me on what I could have missed, or spot any issue? (pics attached)

      p1.jpg

      p4.jpg

       

      p2.jpg

      p3.jpg

       

      APPAudit.log shows this after I test the credential:

      [14/06/2018 | 16:59:55] |  ::  | APPAU001I Provider Prov_***** has successfully fetched password [safe=***,folder=Root,name=***] with query [Safe=***;folder=root;object=***] for application [BMC_Discovery]. Fetch reason: [[AppID: BMC_Discovery] ]

       

      The password in CyberArk is tested and working.

      The credential proxy created for CyberArk is using a local admin account on the proxy server.

      The proxy doesn't have a network problem, as I can use the same proxy as an Active Directory proxy and scan the same server.

       

      **Important to note: The proxy is version 10.2, as we are still using it with another old ADDM appliance.

       

      Any advice or troubleshooting technique is appreciated.

      Thanks

        • 1. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
          Andrew Waters

          If you put discovery in debug and look in tw_svc_discovery.log you should see it logging about trying to connect with the correct username.

           

          Does it work if you just create a windows credential in Discovery with the username and password, i.e. bypass CyberArk altogether?

          1 of 1 people found this helpful
          • 2. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
            Daniel Adler

            tw_svc_discovery.log:  (data like server names and IP changed for the record)

            2018-06-14 18:19:56,398: security.api: DEBUG: Create new validator for 'discovery/host/access'

            2018-06-14 18:19:56,399: discovery.servants: DEBUG: Main_i::_updateDeviceCache() - using new device; total devices now 1

            2018-06-14 18:19:56,399: discovery.servants: INFO: finished Main_i::getDevice() for 192.168.10.10

            2018-06-14 18:19:56,399: discovery.device: INFO: Host_i::getDeviceInfo() for 192.168.10.10

            2018-06-14 18:19:56,399: api.audit: DEBUG: 192.168.10.10: getDeviceInfo(): Try pool

            2018-06-14 18:19:56,399: discovery.pool: DEBUG: 192.168.10.10: No directory /usr/tideway/var/pool/192.168.10.10 therefore no data in pool

            2018-06-14 18:19:56,400: discovery.slaves: DEBUG: Pool Active Directory_pool: 192.168.10.10 in IP range - allowed

            2018-06-14 18:19:56,400: discovery.slaves: DEBUG: Pool ADDM_Windows_Proxy: 192.168.10.10 in IP range - allowed

            2018-06-14 18:19:56,400: discovery.slaves: DEBUG: Windows Proxy Session: 192.168.10.10: check Windows AD Proxy Windows Proxy Pool Active Directory_pool

            2018-06-14 18:19:56,400: discovery.slaves: DEBUG: Windows Proxy Session: 192.168.10.10: check Windows Credential Proxy Windows Proxy Pool ADDM_Windows_Proxy

            2018-06-14 18:19:56,424: common.utils: DEBUG: slave:ADDMProxyServer is newer than min_version

            2018-06-14 18:19:56,424: common.utils: DEBUG: slave:ADDMProxyServer isValidVersion min_version='10.2' result=True

            2018-06-14 18:19:56,424: discovery.slaves: DEBUG: Windows Proxy Session: 192.168.10.10: Windows Credential Proxy ADDMProxyServer test user ADDMUser01

            2018-06-14 18:19:56,424: common.utils: DEBUG: slave:ADDMProxyServer is newer than min_version

            2018-06-14 18:19:56,424: common.utils: DEBUG: slave:ADDMProxyServer isValidVersion min_version='10.2' result=True

            2018-06-14 18:19:56,456: discovery.slaves: DEBUG: Windows Proxy Session: 192.168.10.10: no more Windows Proxy Pools

            2018-06-14 18:19:56,456: api.audit: DEBUG: 192.168.10.10: getDeviceInfo(): No slave pool can access endpoint

            2018-06-14 18:19:56,456: api.audit: DEBUG: 192.168.10.10: getDeviceInfo(): Login session not applicable

            2018-06-14 18:19:56,456: api.audit: DEBUG: 192.168.10.10: getDeviceInfo(): No SNMP access available

            2018-06-14 18:19:56,456: discovery.nmap: DEBUG: DeviceInfo from ScanResult: KVPDict({'kind': 'Host', 'probed_os_type': 'Windows', 'probed_os': 'Windows', 'hostname': '', 'platform': 'Windows', 'os_class': 'Windows', 'device_type': 'Windows Server', '__deviceInfo_via_nmap': 137482895964565029L, 'os_type': 'Windows', 'os': 'Windows', 'os_vendor': 'Microsoft'})

            2018-06-14 18:19:56,456: api.audit: DEBUG: 192.168.10.10: getDeviceInfo(): Got host information status = SUCCESS

            2018-06-14 18:19:56,456: discovery.base: DEBUG: getDeviceInfo() - returning information

            2018-06-14 18:19:56,456: discovery.device: INFO: finished Host_i::getDeviceInfo() for 192.168.10.10

            2018-06-14 18:19:56,470: discovery.device: DEBUG: Device::clearCache() for 192.168.10.10

            2018-06-14 18:19:56,471: discovery.servants: DEBUG: Main_i::_removeDevice() for 192.168.10.10

            2018-06-14 18:19:56,471: discovery.servants: DEBUG: Main_i::_removeDevice() - total devices now 0

            2018-06-14 18:19:56,471: discovery.hosts: DEBUG: Host::cleanup(): clear cached data for 192.168.10.10

             

            According to the log it is using "ADDMUser01", and this is actually the user. I just wonder if the domain is supposed to be specified, such as mydomain\ADDMUser01?

             

            If I set up manual credentials using the same Windows credential pool, everything works and I am able to scan the device.

            However, this manual credential is set up like:    username: mydomain\ADDMUser01    - works
            If I set up the manual credential as   username: ADDMUser01   - does not work

             

            I wonder whether, when ADDM grabs the password from CyberArk and tries to log in, it uses mydomain\ADDMUser01?

            I had the same question for the CyberArk team, and they said CyberArk is configured so that it should know the domain, because it's also mentioned under Address in the Test CyberArk query (picture previously uploaded).

             

            Any advice?

            • 3. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
              Andrew Waters

              If you do not specify a domain then Discovery will use the name .\ADDMUser01 which will be related to the host you are discovering. If you want a domain you need to specify it as part of the username.

              2 of 2 people found this helpful
              • 4. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
                Daniel Adler

                But CyberArk does not accept input of \ to show as mydomain\ADDMUser01. How exactly does BMC advise, as best practice, to set up a domain account with CyberArk?

                • 5. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
                  Mark Edwards

                  The Platform Name for the password object in CyberArk will determine what sort of account it is and the account attributes available. The username field does not allow for a domain prefix.

                  1 of 1 people found this helpful
                  • 6. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
                    Daniel Adler

                    Yes, this is how we created and are using the object: Object=Operating System-_platform_name-my.domain-ADDMUser01

                    This way we specified the domain, but the logs still show:

                    DEBUG: Windows Proxy Session: 192.168.10.10: Windows Credential Proxy ADDMProxyServer test user ADDMUser01
                    • 7. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
                      Daniel Adler

                      I found this in the Proxy log:

                      10984: 2018-06-15 16:51:55,227: discovery.slave.worker.servants: INFO: 10.201.15.10: test: Testing credentials failed using user localhost\ADDMUser01. Credentials for localhost\ADDMUser01 are not valid

                       

                      We configured the account and ADDM according to the documentation. In CyberArk the object attribute Address represents the domain, but as you can see in the example above, ADDM still treats that user as localhost.

                       

                      Please help with an example on how this should be configured.  Thanks
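
As an added example (not part of any post in this thread, and not BMC or CyberArk code): a small Python check over the two log formats quoted above that flags credential tests where the username carries no domain qualifier, which per Andrew Waters' reply means it is tried as an account local to the target. The sample lines are constructed from the thread's excerpts (the third, domain-qualified line is hypothetical), and treating `localhost` like `.` as a local qualifier is an assumption based on the proxy log line.

```python
import re

# Patterns for the two log lines quoted in the thread (appliance log, proxy log).
APPLIANCE = re.compile(r"Windows Credential Proxy (\S+) test user (.+?)\s*$")
PROXY = re.compile(r"Testing credentials failed using user (\S+?)\. Credentials for")

# Assumption: an empty, "." or "localhost" qualifier all mean "local to the target".
LOCAL_QUALIFIERS = {"", ".", "localhost"}

# Constructed sample input; line 3 is a hypothetical domain-qualified test.
SAMPLE = [
    r"2018-06-14 18:19:56,424: discovery.slaves: DEBUG: Windows Proxy Session: "
    r"192.168.10.10: Windows Credential Proxy ADDMProxyServer test user ADDMUser01",
    r"10984: 2018-06-15 16:51:55,227: discovery.slave.worker.servants: INFO: "
    r"10.201.15.10: test: Testing credentials failed using user "
    r"localhost\ADDMUser01. Credentials for localhost\ADDMUser01 are not valid",
    r"2018-06-14 18:25:00,000: discovery.slaves: DEBUG: Windows Proxy Session: "
    r"192.168.10.10: Windows Credential Proxy ADDMProxyServer test user "
    r"mydomain\ADDMUser01",
]


def account_scope(username):
    """Split QUALIFIER\\name and classify the logon as 'local' or 'domain'."""
    qualifier, sep, name = username.rpartition("\\")
    if not sep or qualifier.lower() in LOCAL_QUALIFIERS:
        return ("local", qualifier, name)
    return ("domain", qualifier, name)


def find_local_logons(lines):
    """Return (log_source, username) for each credential test run as a local account."""
    hits = []
    for line in lines:
        for source, pattern, group in (("appliance", APPLIANCE, 2), ("proxy", PROXY, 1)):
            match = pattern.search(line)
            if match and account_scope(match.group(group))[0] == "local":
                hits.append((source, match.group(group)))
    return hits


if __name__ == "__main__":
    for source, user in find_local_logons(SAMPLE):
        print(f"{source} log: '{user}' has no domain qualifier, tested as a local account")
```
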

                      • 8. Re: ADDM 11.3 & Cyberark integration- Remote access via Windows Credential Proxy failed
                        Olegas Domanskis

                        Hello

                        Has anyone got it working? We are also struggling with Windows integration.