PUPM Considerations

This section describes items you should consider when using PUPM.

Windows Agentless Connector Task Scheduler Limitations on Windows Server 2008

Valid on Windows 2008 Server

To manage scheduled tasks on a Microsoft Windows 2008 server that is a Windows Agentless endpoint from a Windows Server 2003 computer, you must modify the settings on the Microsoft Windows 2008 server:

Important: Verify that the user account you specify to manage scheduled tasks is a member of the local Administrators group.

Follow these steps:

  1. Click Start, Administrative Tools, Windows Firewall with Advanced Security.

    The Windows Firewall with Advanced Security dialog opens.

  2. Click Change Settings.

    The Windows Firewall Settings dialog appears.

  3. Click the Exceptions tab and select the File and Print Sharing Exception check box.
  4. Click OK and exit.
  5. Enable the Remote Registry service. Run the following command from a command prompt window:
    net start "Remote Registry"
    

Cannot View Endpoint Types in CA Access Control Enterprise Management

Valid on Windows Server 2003

Symptom:

I cannot select an endpoint from the Endpoint Types pull down menu after installing the Enterprise Management Server.

Solution:

SSL communication is selected by default when the Java Connector Server (JCS) is installed during the Enterprise Management Server installation. As a temporary fix to resolve the error, remove the secure communication.

Follow these steps:

  1. In CA Access Control Enterprise Management click System, Connection Management, Connector Server, Modify Connector Server.

    The Modify Connector Server: Select Connector Server page appears.

  2. Search for the java connector server type.

    The search result displays the Java Connector Server.

  3. Select the option next to the Java Connector Server and click Select.

    The Modify Connector Server: page appears.

  4. Change the Port value to 20410.
  5. Clear the Secured checkbox.
  6. Click Submit.

    The Modify Connector Server: page appears with the status message.

  7. Click OK.

    The changes are saved and the Java Connector Server is modified.

  8. Open a command prompt window and enter the following command to stop CA Access Control:
    secons -s
    
  9. Open a command prompt window and enter the following command to start CA Access Control:
    seosd.exe -start
    
  10. (Optional) Verify that the Endpoint Types were added by performing the following steps:
    1. In CA Access Control Enterprise Management, click Privileged Accounts, Endpoints, Create Endpoint.

      The Create Endpoint: Select Endpoint page appears.

    2. Select the Create a new object of type Endpoint option and click OK.

      The Create Endpoint page appears.

    3. Click the Endpoint Type drop-down menu.

      Verify that the Endpoint types are available.

Page Refresh Required After Password Check In

A page refresh is required after you terminate a remote session login to an endpoint. CA Access Control Enterprise Management checks in the account password, but does not update the account status.

Specify the PUPM Endpoint NETBIOS Name and Not the DNS Domain Name

When you create a PUPM endpoint in CA Access Control Enterprise Management, the host name that you specify in the Name field must match the host name that appears in World View.

If the endpoint is an Active Directory endpoint, specify the NETBIOS domain name in the Host Domain field. If the endpoint is not an Active Directory endpoint, specify the NETBIOS host name in the Host Domain field, not the DNS domain name. For example, if an endpoint is not an Active Directory endpoint, specify the NETBIOS host name (ACSERVER) in the Host Domain field and not the endpoint DNS domain name (acserver.company.com).

If you specify the DNS domain name, advanced features, such as PUPM Automatic Login, fail.

You Cannot Configure More Than a Single CA Identity Manager Provisioning Connector Server

Do not configure more than a single CA Identity Manager provisioning connector server in CA Access Control Enterprise Management.

Cannot Configure CA Identity Manager Provisioning Connector Server Using SSL Port

When you configure a CA Identity Manager provisioning connector server, do not specify the CA Identity Manager provisioning server SSL port (20390). If you specify the connector server SSL port, the connection to the connector server fails.

PUPM Windows Agentless Connector for Active Directory Search Limitations

When you use the PUPM Windows Agentless connector to connect to Active Directory, the wildcard (*) and retrieve-all search options do not work. To search for users, you must supply the specific account details.

Do Not Execute the PUPM Privileged Accounts Discovery Wizard on More Than One Endpoint Type Concurrently

PUPM does not support running the Privileged Accounts Discovery Wizard on more than one endpoint type concurrently. Running the wizard on more than one endpoint type concurrently results in failure to create privileged accounts in the PUPM database or failure to reset the account passwords on discovery.

Always run the discovery wizard on one endpoint type at a time: verify that the wizard successfully completed the tasks, and then run the wizard on another endpoint type.

Maximum Recommended Records in the PUPM Feeder CSV is 500 Endpoints or Accounts

We recommend that you limit the number of endpoints or accounts in a single PUPM feeder CSV file to 500.
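The following pre-flight check is an added example, not CA-supplied code. It splits feeder CSV text into files of at most 500 records and flags Host Domain values that are not NETBIOS names, which covers both this recommendation and the NETBIOS requirement described earlier. The column names `NAME` and `HOST_DOMAIN`, the presence of a header row, and the sample data are assumptions made for illustration.

```python
import csv
import io

MAX_RECORDS = 500                     # per-file limit recommended on this page
NETBIOS_MAX_LEN = 15                  # NetBIOS names hold at most 15 characters
NETBIOS_ILLEGAL = set('\\/:*?"<>|')   # characters not allowed in NetBIOS names

def host_domain_problems(value):
    """Return the reasons why value is not usable as a NETBIOS name."""
    problems = []
    if "." in value:
        problems.append("contains '.', so it looks like a DNS name")
    if len(value) > NETBIOS_MAX_LEN:
        problems.append("longer than 15 characters")
    bad = sorted(set(value) & NETBIOS_ILLEGAL)
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    return problems

def preflight(csv_text, host_column="HOST_DOMAIN"):
    """Split feeder CSV text into chunks of at most MAX_RECORDS records.

    host_column is a hypothetical column name; pass the real one.
    Returns (chunks, findings): each chunk repeats the header row, and
    findings lists (record_number, value, problems) for bad values.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames
    rows = list(reader)               # csv handles quoted multi-line fields
    findings = [(n, r[host_column], p) for n, r in enumerate(rows, 1)
                if (p := host_domain_problems(r[host_column]))]
    chunks = []
    for start in range(0, len(rows), MAX_RECORDS):
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows[start:start + MAX_RECORDS])
        chunks.append(out.getvalue())
    return chunks, findings

# Constructed sample: 1001 records, record 7 uses a DNS name by mistake.
SAMPLE = "NAME,HOST_DOMAIN\n" + "".join(
    f"host{i},{'acserver.company.com' if i == 7 else 'ACSERVER'}\n"
    for i in range(1, 1002))

if __name__ == "__main__":
    chunks, findings = preflight(SAMPLE)
    print(len(chunks), "files to import;", len(findings), "record(s) to fix")
    for number, value, problems in findings:
        print(f"record {number}: {value}: {'; '.join(problems)}")
```

Correct the flagged records before you import the files, and import the resulting files one at a time.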

Cannot Use PUPM to Change Password for the Expert Account

If you use a Check Point firewall on an SSH endpoint, you cannot use PUPM to change the password for the expert account on the endpoint. This restriction means that the expert account must be a disconnected account in PUPM.

SQLCMD Utility Does Not Support Blank Passwords

Valid on SQL Server

The SQL Server command utility sqlcmd does not support blank passwords. If you defined the SQL Server endpoint as a password consumer in CA Access Control Enterprise Management and check out a password from PUPM, do not leave the password field empty. You can specify the account password or any other string as the password.