External Credential test fails: Invalid Target Specified
07-02-2020 05:57 AM
We have set up External Credentials to use CyberArk and have verified that all communication ports between the MID Server and our CyberArk instance are open. We have followed all the documentation steps and are at the point of creating the credential record with the Credential ID we set up in the CyberArk safe, yet when we use that credential to connect to a known server that we can connect to directly without the external credential store, we get the following failure:
Invalid target specified
We have MID Server debugging in place, but the logs on the MID Server do not show any information about this.
What can we do to figure out how to move past this failure?
Labels: Discovery, Service Mapping

07-02-2020 06:09 AM
Hi,
You can see the CyberArk logs on the MID Server if you have the AIM agent installed there.
What happens is that an account is automatically created in CyberArk whose name starts with prov_midservername.
You need to add this account and the servicenow_mid_application account as members of the safe you need access to.
Also check the webpool of CyberArk to see whether the application ID is in there or not.
Thanks,
Ashutosh
07-03-2020 12:04 PM
As Ashutosh Munot suggested, the CyberArk logs (located on the MID Server) are helpful in troubleshooting and can help you get past the failure. The CyberArk logs are located on the MID server where the CyberArk AIM client is installed in the following directory (default installation):
C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Logs
There are 3 separate CyberArk log files in the Logs directory: 1) APPConsole, 2) APPAudit, and 3) APPTrace. The APPConsole and APPAudit are helpful in troubleshooting. The APPConsole log shows if the CyberArk AIM client is communicating successfully with the CyberArk Vault. The APPAudit log shows successful password retrievals from the CyberArk Vault. The diagram below is referenced in the examples.
Note: Stopping and restarting the CyberArk Application Password Provider service will archive the logs to the C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Logs\old directory and start with clean log files.
APPConsole
The APPConsole log shows if the CyberArk AIM client is successfully communicating with the CyberArk Vault. Successful communication with the CyberArk Vault generates 3 separate log entries in the APPConsole log file as shown.
[05/07/2020 | 13:09:48] | :: | APPAP032I Main parameters file [main_appprovider.conf.Win64.10.05] was loaded successfully
[05/07/2020 | 13:09:48] | :: | APPAP258I Supported addresses for this provider [10.10.10.10;SNOWMID01;SNOWMID01.lab1.com]
[05/07/2020 | 13:09:48] | :: | APPAP035I Application Password Provider [Prov_SNOWMID01] on machine [10.10.10.10] version [10.5.1.3] is up [AIM Mode] and working with Vault [10.20.20.20]
APPAudit
The APPAudit log shows successful password retrievals from the CyberArk Vault. In the example, one credential was successfully retrieved from the CyberArk Vault (Provider Prov_SNOWMID01 has successfully fetched password).
[05/07/2020 | 13:10:22] | :: | APPAU001I Provider Prov_SNOWMID01 has successfully fetched password [safe=ccc,folder=ccc,name=ccc] with query [safe=ccc;folder=ccc;object=ccc] for application [ccc]. Fetch reason: []
When troubleshooting, I suggest starting with the APPConsole log (3 log entries to determine successful communication with the CyberArk Vault), then looking at the APPAudit log file to determine successful credential retrievals (APPAU001I Provider Prov_SNOWMID01 has successfully fetched password).
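Added example, not part of the original posts and not ServiceNow or CyberArk code: a Python sketch of the check order described above, first the three APPConsole startup entries, then the APPAU001I fetches in APPAudit. The function names are assumptions of this example; the sample lines are the ones quoted in the post.

```python
import re

# Sample lines copied from the post above, embedded so the example runs offline.
SAMPLE_CONSOLE = """\
[05/07/2020 | 13:09:48] | :: | APPAP032I Main parameters file [main_appprovider.conf.Win64.10.05] was loaded successfully
[05/07/2020 | 13:09:48] | :: | APPAP258I Supported addresses for this provider [10.10.10.10;SNOWMID01;SNOWMID01.lab1.com]
[05/07/2020 | 13:09:48] | :: | APPAP035I Application Password Provider [Prov_SNOWMID01] on machine [10.10.10.10] version [10.5.1.3] is up [AIM Mode] and working with Vault [10.20.20.20]
"""
SAMPLE_AUDIT = """\
[05/07/2020 | 13:10:22] | :: | APPAU001I Provider Prov_SNOWMID01 has successfully fetched password [safe=ccc,folder=ccc,name=ccc] with query [safe=ccc;folder=ccc;object=ccc] for application [ccc]. Fetch reason: []
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \| [^|]* \| (?P<code>APP[A-Z]{2}\d{3}[A-Z]) (?P<msg>.*)$")
BRACKET = re.compile(r"\[([^\]]*)\]")
STARTUP = ("APPAP032I", "APPAP258I", "APPAP035I")  # the three entries named in the post
FETCH = re.compile(r"Provider (?P<provider>\S+) has successfully fetched password "
                   r"\[[^\]]*\] with query \[(?P<query>[^\]]*)\] "
                   r"for application \[(?P<app>[^\]]*)\]")

def parse(text):
    """Yield (timestamp, code, message) for each well-formed log line; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["ts"], m["code"], m["msg"]

def console_status(text):
    """Report missing startup entries and what the provider logged about itself."""
    seen = {code: msg for _, code, msg in parse(text) if code in STARTUP}
    info = {"missing": [c for c in STARTUP if c not in seen]}
    fields = BRACKET.findall(seen.get("APPAP035I", ""))
    if len(fields) >= 5:  # provider, machine, version, mode, vault
        info.update(provider=fields[0], machine=fields[1], vault=fields[-1])
    addrs = BRACKET.findall(seen.get("APPAP258I", ""))
    if addrs:
        info["addresses"] = addrs[0].split(";")
    return info

def audit_fetches(text):
    """Return one dict per APPAU001I entry: provider, application and the query used."""
    out = []
    for ts, code, msg in parse(text):
        m = FETCH.search(msg) if code == "APPAU001I" else None
        if m:
            query = dict(kv.split("=", 1) for kv in m["query"].split(";") if "=" in kv)
            out.append({"time": ts, "provider": m["provider"], "app": m["app"], "query": query})
    return out
```

A non-empty `missing` list from `console_status` points at provider-to-Vault communication; an empty result from `audit_fetches` after a credential test means no retrieval was logged, and the `provider` value is the account name to compare against the safe's member list.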
01-04-2021 01:58 AM
Hello, have you had a chance to fix the issue?
We have the same one, but the log files don't say much. It looks like CyberArk is properly configured, but we still get the 'Invalid target specified' issue.
01-12-2021 12:52 AM
Make sure the discovery credentials form view is "External Credentials View" while performing the credential test.