Understanding unhealthy account status

There may be many reasons a password might fail to update on machines stored in CentrifyPrivileged Access Service. Below is an SQL query that you run on PAS to produce a report with systems and accounts that are failing password rotation.

To run the report

  1. Navigate to the Centrify PAS > Reports > New Report.
  2. Build a new report using the editor.
  3. Paste the SQL query, AccountsNotRotating.sql, into the editor.
Copy 
SELECT
    Server.FQDN                     AS SystemFQDN,
    Server.Name                     AS ServerName,
    Server.HealthStatus             AS SystemHealthStatus,
    Server.LastHealthCheck          AS SystemLastHealthCheck,
    Server.HealthStatusError        AS SystemHealthStatusError,
    VaultAccount.LastChange         AS AccountLastChange,
    VaultAccount.LastHealthCheck    AS AccountLastHealthCheck,
    VaultAccount.Healthy            AS AccountHealthy,
    VaultAccount.HealthError        AS AccountHealthError,
    VaultAccount.NeedsPasswordReset AS AccountNeedsPasswordReset,
    VaultAccount.PasswordResetRetryCount,
    VaultAccount.PasswordResetLastError,
    Server.ID                       AS SystemID,
    VaultAccount.ID                 AS AccountID,
    VaultAccount.User               AS AccountUser,
    Server.ComputerClass            AS SystemComputerClass,
    Server.ManagementMode           AS SystemManagementMode,
    Server.OperatingSystem          AS SystemOperatingSystem,
    Server.DomainName               AS SystemDomainName,
    Server.DiscoveredTime           AS SystemDiscoveredTime

FROM VaultAccount 
JOIN Server ON Server.ID = VaultAccount.Host 
WHERE VaultAccount.IsManaged = 1
    AND ( VaultAccount.LastChange <= datefunc('now', -2) OR VaultAccount.LastChange IS NULL )
ORDER BY VaultAccount.LastChange
  1. Save and Run the report.
  2. From the Actions in the report results, export the report. The report can be saved as an Excel or CSV file.

Interpreting the report results

The status of a machine and its accounts are determined by opening the report in Microsoft Excel and reviewing the report column headers in row one. The columns that are considered are:

  • SystemHealthStatus (C)
  • AccountHealthError (I)
  • PasswordResetRetryCount (K)
  • PasswordResetLastError (L)
  • SystemManagementMode (Q)
  • SystemComputerClass (P)
  • AccountNeedsPasswordReset (J)
Report columns and values Result status Follow up actions
SystemHealthStatus is Unreachable. System Unreachable
  1. If the system is no longer in service, consider deleting it..
  2. Check if the machine is "pingable."
  3. Verify DNS is correctly resolving the name as it appears in the "DNS Name/IP Address" of the system in PAS.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is BadCredentials.
  3. PasswordResetLastError is 'System error'.
 Password Needs Updating

The password in not being rotated because the current password is unknown.

  1. Reset the password on the target machine
  2. Update the password in PAS.
  3. Manually rotate the password. The password should rotate automatically going forward.
  1. SystemHealthStatus is OK.
  2. bAccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. SystemManagementMode is RpcOverTcp.
  5. PasswordResetLastError is HostNotFound.
 RPC Dynamic Ports Blocked

The machine has an open port that permits the account to be validated OK, but does not have the RPC dynamics ports open which are needed to rotate the password. The RPC dynamic ports are 49152 - 65535.

  1. Adjust the firewall to open the dynamic RPC ports.
  2. Manually rotate the password..
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. PasswordResetLastError is 'User has no SAM remote access rights'.
 SAM Remote Access Restriction

On newer versions of Windows, access to the Windows authentication database is restricted and prevents password rotation.

  1. Update the local security policy of the target machine: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Restrict clients allowed to make remote call to SAM Add the account name to the policy.
  2. Manually rotate the password.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. SystemComputerClass is Unix
  5. AccountNeedsPasswordReset is RetryLimitExceeded
 Unix System Offline for Too Long The machine has been offline for a long time, but the system and accounts are OK. Manually rotate the password. The password should rotate automatically going forward.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount = 0

Needs More Investigation - No Attempt to Rotate Password

This machine needs more investigation.

  1. Manually rotate the password.
  2. If the password does not rotate, gather the tenant logs, collector logs, time stamp, and account information for further analysis.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. SystemManagementMode is Smb.
  5. PasswordResetLastError is HostNotFound.
 Needs More Investigation - SMB

This machine needs more investigation.

  1. Manually rotate the password.
  2. If the password does not rotate, gather the tenant logs, collector logs, time stamp, and account information for further analysis.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. SystemManagementMode is Smb.
  5. PasswordResetLastError is AccountRestrictionsPreventSignin

Needs More Investigation - AccountRestrictionsPreventSignin

There is some restriction on the target machine preventing password rotation.

  1. Investigate any password restrictions on target machine.
  2. Gather the tenant logs, collector logs, time stamp, and account information for further analysis.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is BadCredentials.
  3. PasswordResetLastError is HostNotFound.
 Password Needs Updating and RPC Dynamic Ports Blocked

This machine's account needs both a password update and unblocking of the RPC dynamic ports.

  1. Adjust the firewall to open the dynamic RPC ports.s (949152 - 65535)
  2. Reset the password on the target machine.
  3. Update the password in Centrify PAS.
  4. Manually rotate the password.
  1. SystemHealthStatus is OK.
  2. AccountHealthError is OK.
  3. PasswordResetRetryCount > 0
  4. PasswordResetLastError is 'Password policy is violated'.

Password Policy

The system has a password policy that is more restrictive than the passwords generated by Centrify PAS. Check the password policy for local accounts.