Environment
Privileged Account Manager 3.7.0.1
Privileged Account Manager 3.7
Situation
Checking out a credential from the My Access User Console reports the following error:
Error in account domain configuration. Contact your administrator.
The unifid.log reports the following:
Info, prvcrdvlt getVault client:localhost rc:0 status:200(Resource details of <Resource_Name> returned successfully.)
Info, prvcrdvlt getCredential client:localhost rc:0 status:200(Credential not found.)
Info, cmdctrl passwordCheckOut client:localhost rc:0 status:120004(Error in account domain configuration. Contact your administrator.)
Debug, https POST /SPF.Util client:<client_ip> rc:0 status:200(OK)
Info, prvcrdvlt getCredential client:localhost rc:0 status:200(Credential not found.)
Info, cmdctrl passwordCheckOut client:localhost rc:0 status:120004(Error in account domain configuration. Contact your administrator.)
Debug, https POST /SPF.Util client:<client_ip> rc:0 status:200(OK)
Resolution
This issue has been resolved since the release of Privileged Account Manager 3.7.0.2.
For more details, please review the Privileged Account Manager 3.7 Patch Update 2 Release Notes.
Workaround Steps:
Alternatively, follow the steps below if upgrading to the latest version of PAM isn't preferred.
- Edit the Resource from the Credential Vault:
- Select "By Script" for "Password Change (Check In)" from the "Password Management" section.
- Select a temporary Reconcile Account.
- Save.
- Edit the Resource again from the Credential Vault:
- Select the previously desired option for "Password Change (Check In)" from the "Password Management" section.
E.g. "Never" or "Delegate to Identity Manager" - Save.
- The Password Check Out should now work.
Cause
This is due to a bug in the product which has since been resolved. There is a requirement that a Reconcile Account be configured for the Resource despite having "Never" or "Delegate to Identity Manager" configured as the Password Change (Check In) option.