Environment
Privileged Account Manager 3.2.0.1
Microsoft Windows 2008 R2
Microsoft Windows 2008 R2 SP1
Microsoft Windows 2008 R2
Microsoft Windows 2008 R2 SP1
Situation
Session audits are not being captured on Windows 2008 R2 after updating to PAM 3.2.0.1
Rexec package status is registered, but offline
The update was previously installed successfully according to the Hosts Console Package Update
The following appears in the PAM Agent's unifid.log on the Windows server:
Error, init_audit line: 1720 rv=720006:The handle is invalid.
Error, NPUM driver is not initialized. Try restarting NPUM service or system restart.
Error, Failed to load module rexec: Unknown error
Rexec package status is registered, but offline
The update was previously installed successfully according to the Hosts Console Package Update
The following appears in the PAM Agent's unifid.log on the Windows server:
Error, init_audit line: 1720 rv=720006:The handle is invalid.
Error, NPUM driver is not initialized. Try restarting NPUM service or system restart.
Error, Failed to load module rexec: Unknown error
Resolution
PAM 3.2.0.1 requires at least Microsoft Windows 2008 R2 SP1 with Microsoft Security Advisory 3033929 Security Patch to support SHA-2 code signing. We recommend keeping Microsoft Windows on the latest security patches, which would avoid this particular issue.
After Windows has successfully been updated to the latest security patches or at least the requisite one mentioned above, please restart the server so the rexec module can start successfully.
After Windows has successfully been updated to the latest security patches or at least the requisite one mentioned above, please restart the server so the rexec module can start successfully.
Cause
Microsoft Windows needs to be able to verify the signature of PAM kernel drivers' SHA2 certificate.
Additional Information
For more details regarding this prerequisite Microsoft Security Patch, please refer to the following:
Microsoft Security Advisory 3033929
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=35b0920d-d4aa-48b9-bc23-bbd97afbd849
Microsoft Security Advisory 3033929
Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=35b0920d-d4aa-48b9-bc23-bbd97afbd849