CyberArk Troubleshooting

This blog includes some common CyberArk issues to troubleshoot with their related fixes. Hopefully this will help you in your current or future CyberArk role.

As always, validate these items in your lab and follow your own company’s change or ticket processes in relation to fixing things.

CyberArk Central Policy Manager (CPM) services won’t start — Wrong Password

  • Problem: The account (local or domain) that the CyberArk Password Manager service runs as is configured with an incorrect password, or the account’s password has expired.
  • Fix:
  • Click on Start
  • Open Services.msc
  • If the account being utilized for the CPM service has the wrong password, reset the account’s password either locally or against the domain.
  • Update the CPM service on the CPM server with the correct new password.
  • Start the CPM service.

CyberArk Central Policy Manager (CPM) services won’t start — Log on as a service

  • Problem: If the account being utilized for the CPM service isn’t allowed to “log on as a service”, the service simply won’t be able to start.
  • Fix:
  • If your CPM server is Active Directory domain joined, these are normally set via the CyberArk CPM Hardening group policy included with CPM install files. In Group Policy Management, open your related CyberArk CPM GPO. Make sure these items are set and applying to your CPM servers: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments, Logon as a service = NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, PasswordManagerUser, ScannerUser
  • IMPORTANT — Note that there are other required CPM settings under User Rights Assignments, however this one specifically will allow the CPM service to start with the local PasswordManagerUser account.
  • On the CPM server, run command prompt as admin, then run gpupdate /force to force the new GPO settings to apply.
  • Click on Start
  • Open Services.msc
  • Start the “CyberArk Password Manager” service.
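Both CPM cases above come down to the same two questions: which account the service runs as, and whether that account can actually log on as a service. The following PowerShell is an added diagnostic, not a CyberArk-supplied script; it assumes the service display name “CyberArk Password Manager” and must be run as admin on the CPM server (secedit needs it).

```powershell
# Added CPM start-up check (not CyberArk's own tooling). Assumes the display name below.
param([string]$ServiceDisplayName = 'CyberArk Password Manager')

# 1. Service state and the account it is configured to log on with
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found on $env:COMPUTERNAME" }
"{0}: State={1} StartMode={2} LogOnAs={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName

# 2. Normalise the log-on account name and resolve it to a SID (secedit lists SIDs with a '*' prefix)
$account = switch -Regex ($svc.StartName) {
    '^LocalSystem$' { 'NT AUTHORITY\SYSTEM' }
    '^\.\\'         { $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\" }
    default         { $svc.StartName }
}
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the effective local security policy and read the SeServiceLogonRight line
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg "$cfg" /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Holders are comma-separated: '*S-1-5-19,*S-1-5-20,PasswordManagerUser,ScannerUser'
$holders = @()
if ($line) { $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } }
$shortName = ($account -split '\\')[-1]
$hasRight  = ($holders -contains "*$sid") -or ($holders -contains $account) -or ($holders -contains $shortName)

if ($hasRight) {
    "$account holds 'Log on as a service' (SeServiceLogonRight)."
} else {
    Write-Warning "$account lacks 'Log on as a service'; check the CyberArk CPM hardening GPO, then run gpupdate /force."
}

# 4. Service Control Manager events 7000/7038/7041 record logon failures (bad password vs. missing right)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7038, 7041 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceDisplayName*" } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
```

Event 7038 points at a wrong or expired password, event 7041 at a missing “Log on as a service” right, so the last section tells you which of the two fixes above applies.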

ITATS426E Safe <safe> is out of space

  • Problem: Account passwords won’t change and/or are throwing CPM errors. The Vault’s ITAlog shows safe out of space errors.
  • Fix:
  • Log onto your Vault with the PrivateArk Client.
  • Find the related safe that’s out of space and open it.
  • Right click on the safe and choose properties.
  • Increase the maximum safe size. Doubling the value is the usual choice, but the right figure depends on how many accounts the safe holds, how heavily it is used, and how often this error recurs.
  • Retry CPM rotation of the related errored out account. This may include resuming CPM operations on the account(s) within the safe.

PSM Connections don’t work — “The privileged session could not be established securely. Contact your system administrator”

  • Problem: This error, “The privileged session could not be established securely. Contact your system administrator”, can indicate a number of things wrong related to the PSM being used.
  • Possible Fixes:
  • Ensure the PSMConnect local account on the PSM server is within the Remote Desktop Users group.
  • Ensure the PSMConnect local account on the PSM server is not locked out. If lockouts persist, review and determine if the PSM server(s) are configured correctly related to the screensaver being disabled, or idle RDP sessions being disconnected prior to the lock screen on the PSM taking effect.
  • Ensure the PSMConnect local account on the PSM server is not showing as expired.
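The three checks above can be run in one pass. This PowerShell is an added example, not CyberArk tooling; it assumes the default local account name PSMConnect and is run on the PSM server itself (admin rights needed to read the Security log).

```powershell
# Added PSMConnect health check (not CyberArk's own script). Assumes the default local account name.
param([string]$User = 'PSMConnect')

$local = Get-LocalUser -Name $User -ErrorAction Stop
$adsi  = [ADSI]"WinNT://$env:COMPUTERNAME/$User,user"   # WinNT provider exposes lockout state
$now   = Get-Date

# Membership of the local Remote Desktop Users group on this PSM server
$rdpMember = Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object { $_.Name -eq "$env:COMPUTERNAME\$User" }

[pscustomobject]@{
    User                 = $User
    Enabled              = $local.Enabled
    InRemoteDesktopUsers = [bool]$rdpMember
    LockedOut            = [bool]$adsi.InvokeGet('IsAccountLocked')
    BadPasswordAttempts  = $adsi.InvokeGet('BadPasswordAttempts')
    AccountExpired       = ($null -ne $local.AccountExpires)  -and ($local.AccountExpires  -lt $now)
    PasswordExpired      = ($null -ne $local.PasswordExpires) -and ($local.PasswordExpires -lt $now)
}

# Recent failed logons (4625) for the account show where repeated lockouts originate,
# e.g. a stale idle session that keeps retrying after the lock screen kicked in.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $User } |          # TargetUserName
    Select-Object TimeCreated,
        @{ n = 'LogonType';   e = { $_.Properties[10].Value } },   # 10 = RemoteInteractive (RDP)
        @{ n = 'Workstation'; e = { $_.Properties[13].Value } },
        @{ n = 'SourceIP';    e = { $_.Properties[19].Value } }
```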

ITATS433E IP Address is suspended for User

  • Problem: This error indicates the related account is locked out on the vault. When looking up the account it will show “suspended” under the Trusted Network Area.
  • Fix:
  • Log onto your Vault with the PrivateArk Client.
  • Open Tools > Administrative Tools > Users and Groups > select the user > Trusted Network Areas.
  • Click Activate.
  • Have the user retry logging in.

AppLocker is not happy! Applications won’t launch via PSM

  • Problem: Usually caused by an upgrade, a new PSM install, or deploying a new application on the PSMs: the related PSMConfigureAppLocker.xml file does not contain the entries needed to allow-list the application within AppLocker.
  • Fix:
  • Log onto the broken PSM server.
  • Navigate to the PSM Hardening folder — Default location: ‘C:\Program Files (x86)\CyberArk\PSM\Hardening’
  • Edit the PSMConfigureAppLocker.xml file and add a line allowing the related exe or file(s). See the existing entries for examples. Alternatively, if you have a separate functional PSM server, compare the xml files and copy the working xml file over to the broken PSM server; this simplifies things and keeps the servers consistent.
  • Open Powershell as admin within the same folder.
  • Rerun PSMConfigureAppLocker.ps1
  • Rerun PSMHardening.ps1. Note: this restarts the PSM service and will disconnect any active user PSM sessions on that PSM server.
  • Retry the PSM connections with the application(s) using the now hopefully fixed PSM server.
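Before asking users to retry, you can confirm on the PSM server that the effective AppLocker policy now allows the executable for the PSM user. This is an added verification step, not part of CyberArk’s hardening scripts; the executable path and user name below are placeholders to adjust for your environment.

```powershell
# Added AppLocker verification (not CyberArk's own script). Placeholder path and user; adjust both.
param(
    [string]$ExePath = 'C:\Program Files\ExampleApp\exampleapp.exe',   # placeholder: the app PSM launches
    [string]$User    = 'PSMConnect'                                     # placeholder: PSM user to test as
)

# The effective policy is what AppLocker enforces after PSMConfigureAppLocker.ps1 / PSMHardening.ps1 ran
$policy = Get-AppLockerPolicy -Effective

# Would this file be allowed for the PSM user? MatchingRule names the rule that decided it.
Test-AppLockerPolicy -PolicyObject $policy -Path $ExePath -User $User |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Export the effective policy so it can be diffed against a known-good PSM server
$export = Join-Path $env:TEMP "applocker-effective-$env:COMPUTERNAME.xml"
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $export -Encoding utf8
"Effective policy exported to $export"

# Blocked launches are logged as event 8004 in the AppLocker EXE and DLL log; filter by file name
$leaf = Split-Path $ExePath -Leaf
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8004 -and $_.Message -like "*$leaf*" } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
```

A PolicyDecision of Allowed with a MatchingRule pointing at the entry you added means the PSM side is fixed; a lingering 8004 event after the rerun means the rule did not apply to the path actually being launched.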

Looking for a partner in your Privileged Access Management rollout?

Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us
