
Password conflict detection and resolution

Sometimes, a managed account may inadvertently store more than one candidate password. This can happen when the agent returns an unexpected result after a password reset, when two replication nodes randomize the same managed account's password at the same time, or when the Privileged Access Manager Service (idarch) halts in the middle of a password reset. In each of these cases it is uncertain whether the new password was successfully set on the managed system, so the new value is kept as a candidate working password in the interim.

Bravura Security always recommends deploying Bravura Privilege servers in a replicated environment for redundancy. Given the multi-master design of Bravura Privilege replication, it’s becoming increasingly common to deploy these redundant nodes behind a load balancer as well. When end user connections are distributed across multiple Bravura Privilege nodes, there is a risk that an end user’s randomization of an account on one node will coincide with a scheduled randomization of that same account on another node. Bravura Privilege includes technology for automatically detecting coincident randomizations and resolving the conflicts that arise from them.

The following sections describe the methods used for detecting and resolving conflicts and give examples of how to troubleshoot issues. In all examples used, unless otherwise specified, there are assumed to be only two nodes using classic (non-shared schema) replication.
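To make the situation in the first paragraph concrete, here is an added simulation (not Bravura Privilege code; the account record, the simulated managed system, the two-node scenario and the verify-each-candidate resolution step are all assumptions made for this illustration). A scheduled randomization on one node and a user-initiated randomization on a second node both reach the managed system; the second agent call returns no result, so after replication the account holds two candidate passwords and nobody can say which one is live. Resolution here simply tries each candidate against the managed system and retires the ones that do not authenticate.

```python
"""Candidate-password conflict simulation.

Added illustration only: the ManagedAccount record, SimulatedManagedSystem
and resolve_conflict() are hypothetical and are not the product's own logic.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Candidate:
    password: str
    source: str        # which node/process produced it, e.g. "node-A scheduled"
    confirmed: bool    # True only if the agent reported a successful reset


@dataclass
class ManagedAccount:
    name: str
    candidates: list = field(default_factory=list)

    def add_candidate(self, password, source, confirmed):
        self.candidates.append(Candidate(password, source, confirmed))

    def has_conflict(self):
        # More than one stored candidate means the live password is unknown.
        return len(self.candidates) > 1


class SimulatedManagedSystem:
    """Stands in for the target host; it holds exactly one live password."""

    def __init__(self, initial):
        self.live_password = initial

    def reset(self, new_password, agent_result):
        # The reset is applied on the host, but the agent's reply may be lost
        # (agent_result=False), so the caller cannot tell that it succeeded.
        self.live_password = new_password
        return agent_result

    def verify(self, password):
        # Constant-time comparison, as a real credential check would use.
        return secrets.compare_digest(password, self.live_password)


def resolve_conflict(account, system):
    """Try every candidate against the managed system; keep the single one
    that authenticates and retire the rest. Returns the surviving candidate,
    or None when no candidate (or more than one) works, which needs an admin."""
    working = [c for c in account.candidates if system.verify(c.password)]
    if len(working) != 1:
        return None
    account.candidates = working
    return working[0]


def simulate():
    """Two-node scenario from the text; returns (conflict_seen, winner, left)."""
    system = SimulatedManagedSystem("old-password")
    account = ManagedAccount("svc_backup")   # constructed sample account

    # Node A: scheduled randomization; the agent reports success.
    pw_a = secrets.token_urlsafe(16)
    ok_a = system.reset(pw_a, agent_result=True)
    account.add_candidate(pw_a, "node-A scheduled", confirmed=ok_a)

    # Node B: an end user randomizes the same account at the same moment.
    # The host applies the new value, but the agent returns nothing.
    pw_b = secrets.token_urlsafe(16)
    ok_b = system.reset(pw_b, agent_result=False)
    account.add_candidate(pw_b, "node-B user", confirmed=ok_b)

    conflict = account.has_conflict()            # both candidates now replicated
    survivor = resolve_conflict(account, system)
    return conflict, (survivor.source if survivor else None), len(account.candidates)


if __name__ == "__main__":
    print(simulate())   # (True, 'node-B user', 1)
```

Note that the candidate flagged `confirmed=True` is the one that loses: confirmation only says the reset was applied at that moment, not that it is still the live password, which is why resolution has to verify against the managed system rather than trust the agent's earlier reply.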