PAM › Admin Guide

Verify Password

Check whether a stored credential still matches what is configured on the target system, without changing it.

Verify Password

Overview

Verify Password lets GAccess confirm that a stored credential — a password or SSH key — still matches the actual configuration on the target system. It does this without making any changes, so it is safe to run at any time. Use this feature to detect credential drift caused by out-of-band changes, enforce compliance requirements, or diagnose access failures before they impact users.

How it works

When a verification is triggered, GAccess creates a verify job and routes it to a Gateway that can reach the target system. The Gateway retrieves the credential — which is transmitted in encrypted form — and attempts to authenticate against the target using the appropriate protocol (SSH, SMB, or LDAPS). It does not open a shell or perform any action after authenticating; authentication success or failure is the only outcome it measures.

The result is written back to the credential as a sync state: in_sync if authentication succeeded, out_of_sync if the credential was explicitly rejected, or unknown if the infrastructure itself could not be reached. The credential record is updated with a timestamp and, on failure, the reason code.

Verification can be triggered manually at any time by an administrator, or run automatically on a schedule defined by a Verification Policy attached to the credential.

Prerequisites

Before running a verification, confirm the following are in place:

Permissions

You must have the manage permission on the credential you want to verify.

Credential requirements

The credential type must not be Application. Application credentials do not support verification.
For Local and Private Key credential types, exactly one server must be associated with the credential. Credentials with zero or more than one associated server cannot be verified.
The credential must not be in a paused state (sync.pausedUntil must not be set to a future time). If paused, manual verification returns HTTP 429 until the pause expires or is cleared.

Gateway requirements

At least one Gateway must be available and reachable by GAccess.
For Domain credentials: at least one Gateway with the Account Discovery module enabled must be online.
For Local and Private Key credentials: at least one Gateway whose configured CIDR routes cover the target server's IP address must be online.

Scheduled verification

To enable automatic scheduled verification, a Verification Policy must be attached to the credential. Without a policy, only manual verification is available.

Admin Guide

Supported credential types and verification methods

Credential Type	Operating System	Protocol	Port	Notes
Local	Windows	SMB	445	5 s connection timeout
Domain	Windows or Linux	LDAPS (fallback LDAP)	636 (fallback 389)	NTLM authentication; DC resolved via `DOMAIN_CONTROLLERS` env var, DNS SRV, or DNS A record
Local	Linux	SSH (password)	22 (configurable)	`allow_agent=False`; 10 s timeout
Private Key	Linux	SSH (key auth)	22 (configurable)	Tries RSA → Ed25519 → ECDSA in order; 10 s timeout

Note: The port used for Local Linux and Private Key credentials can be customised at the server level. The values shown above are the defaults.

Configuring a Verification Policy

A Verification Policy controls how often scheduled verification runs and when GAccess stops retrying after repeated failures. Attach a policy to a credential to enable scheduled verification.

The fields that affect verification behaviour are:

Field	Description	Default
Interval	How frequently GAccess schedules a new verify job (e.g. every 24 hours). `verification.nextVerificationAt` advances by this interval each time a new scheduled job is created.	—
Max Consecutive Failures	Number of consecutive failures (auth or network) before the credential is paused for 24 hours. Range: 1–10.	3

Note: Credentials without an attached policy use a default max consecutive failures threshold of 2 before the 24-hour pause is applied.

Gateway requirements per credential type

Gateway selection is automatic. GAccess picks the most appropriate Gateway based on the credential type:

Domain credentials — Any Gateway with the Account Discovery module enabled. GAccess does not require the Gateway to have a specific route to the domain controller; the Gateway itself resolves the DC.
Local and Private Key credentials — The Gateway whose CIDR route table best covers the target server's IP address (longest-prefix match). If no Gateway has a matching route, the job cannot be dispatched and the verify attempt returns an error.

If no suitable Gateway is available at the time a verify job is created, the job is rejected immediately with HTTP 400.

Understanding sync states

The sync.state field on a credential reflects the most recent known result of verification.

State	Meaning	When it appears
`in_sync`	The stored credential matches the target system.	After a successful verification.
`out_of_sync`	Authentication was explicitly rejected; the credential does not match the target.	After an `auth_failed` or `auth_key_format` error.
`unknown`	Verification could not complete due to an infrastructure or network error.	After a `connection_timeout`, `connection_failed`, `dc_resolution_failed`, or `unknown_error`.
`verifying`	A verify job is currently running for this credential.	While a job has status `running`.
`not_applicable`	This credential type does not support verification.	For `Application` type credentials.

Note: Both out_of_sync and unknown increment the consecutiveFailures counter. The distinction matters for diagnostics: out_of_sync means the credential value is wrong; unknown means the infrastructure could not be reached and the credential value is still indeterminate.

Account lockout protection

GAccess includes a lockout protection mechanism to prevent repeated verification attempts from locking out an account on the target system.

How it works:

Every failed verification — whether caused by an authentication rejection or a network error — increments the sync.consecutiveFailures counter on the credential. When the counter reaches the configured threshold, GAccess automatically pauses verification for that credential for 24 hours.

When a credential is paused:

sync.pausedUntil is set to 24 hours from the moment the threshold was reached.
All pending verify jobs for the credential are cancelled immediately.
Any new manual verify attempt returns HTTP 429, including the pausedUntil timestamp in the response.
The scheduler skips the credential until pausedUntil expires.

Thresholds:

Credentials without an attached Verification Policy: 2 consecutive failures trigger a 24-hour pause.
Credentials with an attached Verification Policy: the policy's Max Consecutive Failures value (default 3, range 1–10) is used.

Warning: Both authentication failures (out_of_sync) and infrastructure failures (unknown) count toward the consecutive failure threshold. A series of network timeouts caused by a misconfigured gateway will pause the credential just as quickly as a wrong password would.

Resuming early:

An administrator with manage permission on the credential can clear the pause before the 24 hours elapse by calling:

POST /credentials/:id/resume-verification

This clears sync.pausedUntil and resets sync.consecutiveFailures to 0. Scheduled verification resumes on the next scheduler cycle; manual verification becomes available immediately.

Note: Manual (ad-hoc) verify jobs are not automatically resubmitted after a failure. Once a manual job fails, the result is recorded and the job ends. Only scheduled jobs use the retry and backoff logic described in the next section.

Scheduled verification behaviour

When a Verification Policy is attached to a credential, the GAccess scheduler creates verify jobs automatically.

Normal flow:

The scheduler runs periodically and checks whether verification.nextVerificationAt <= now.
If the condition is met and no rotation or verify job is already pending or running, a new verify job is created with triggerType: "scheduled".
verification.nextVerificationAt is advanced by the policy interval.
The Gateway polls for and claims the job, executes the verification, and reports the result.

Retry and backoff on failure:

When a scheduled verify job fails, GAccess does not immediately retry. Instead, it re-queues the job with an exponential backoff delay:

Attempt	Backoff delay
1st failure	10 minutes
2nd failure	20 minutes
3rd failure	40 minutes
4th failure	80 minutes
5th failure and beyond	120 minutes (maximum)

The formula is min(2^attempt × 5, 120) minutes. Backoff-scheduled jobs are only claimed by the Gateway after their scheduled time; the Gateway's poll endpoint skips jobs where createdAt > now.

Pause after repeated failures:

Retries continue until consecutiveFailures reaches the policy's Max Consecutive Failures threshold. At that point, the credential is paused for 24 hours as described in the Account lockout protection section above.

Note: The verification.nextVerificationAt field advances by the policy interval when the scheduled job is first created, regardless of whether the job ultimately succeeds or fails. Retrying a failed job does not delay the next regular scheduled cycle.

User Guide

Running a one-time verify

Use this when you want to immediately check whether a credential is still valid — for example, after a suspected out-of-band change or before granting access to a sensitive system.

Navigate to Privileged Access → Credentials and open the credential you want to check.
Confirm you have the manage permission on the credential (the Verify action will be visible if you do).
Click Verify Password (or Verify Key for SSH key credentials).
GAccess creates a verify job and the credential's sync state changes to verifying.
Wait for the job to complete. Depending on network conditions and the target system, this typically takes a few seconds. Refresh the credential view to see the updated sync state.
Review the result. See Interpreting the result below.

Note: If you see an error when clicking Verify, check the Troubleshooting section for common causes such as a missing gateway, a paused credential, or an unsupported credential type.

Interpreting the result

After a verify job completes, the credential displays one of the following sync states:

State	Plain-language meaning	What to do
`in_sync`	The stored password or key is correct. The credential works on the target system.	No action needed.
`out_of_sync`	The stored credential was rejected. The password or key no longer matches what is on the target system.	Rotate the credential to bring it back in sync, or manually update it to match the current value on the target.
`unknown`	GAccess could not reach the target system to verify. The credential may be correct, but this cannot be confirmed.	Check network connectivity, gateway availability, and firewall rules. See the error reason for details.
`verifying`	Verification is currently in progress.	Wait for the job to complete and refresh the page.

The credential detail view also shows:

Last verified at: when the most recent successful or failed verification completed.
Reason: a normalised code explaining why verification failed (only present when state is out_of_sync or unknown).
Reason detail: the raw error message from the Gateway, useful for diagnosing infrastructure issues.

What to do when a credential is out of sync

An out_of_sync state means the stored credential value does not match the target system. This usually happens because the password was changed outside of GAccess — for example, by a system administrator directly on the server.

Recommended steps:

Determine the current valid password or key for the account on the target system.
If GAccess manages rotation for this credential, trigger a Rotate operation to generate and set a new password automatically.
If the credential is managed manually, edit the credential in GAccess and update the stored value to match the current value on the target.
After updating, run another manual verification to confirm the credential is now in_sync.

Warning: Leaving a credential in out_of_sync state means that any session or automated process relying on that credential through GAccess will fail to authenticate against the target. Resolve the mismatch promptly.

What to do when verification is paused

A paused credential has reached its consecutive failure threshold and will not be verified again — either manually or by the scheduler — until the pause expires or is cleared.

What you will see:

The sync state shows the last known state (out_of_sync or unknown) along with a pausedUntil timestamp.
Attempting to run a manual verify returns an error indicating the credential is paused and showing when the pause expires.

Options:

Wait for the pause to expire. The pause lasts 24 hours from the moment the threshold was reached. Scheduled verification resumes automatically.
Resume early. If you have manage permission on the credential, you can clear the pause immediately. Go to the credential detail view and click Resume Verification, or use the API:
```
POST /credentials/:id/resume-verification
```
This resets consecutiveFailures to 0 and clears pausedUntil. Verification becomes available again immediately.

Warning: Before resuming, investigate why verification failed repeatedly. If the credential is out_of_sync, resuming will immediately re-attempt verification and fail again, quickly re-triggering the pause. Resolve the underlying credential mismatch or infrastructure issue first.

Troubleshooting

Symptom	Likely cause	Recommended action
HTTP 409 when triggering manual verify	A rotation or verify job is already `pending` or `running` for this credential.	Wait for the existing job to complete, then retry.
HTTP 429 when triggering manual verify	The credential is paused due to consecutive failures. Response includes `pausedUntil` timestamp.	Wait for the pause to expire, or use `POST /credentials/:id/resume-verification` to clear it early. Investigate the root cause before resuming.
HTTP 400 — no gateway available	No suitable Gateway is online or has routes covering the target server's IP (Local/Private Key) or no Gateway has the Account Discovery module enabled (Domain).	Check that at least one Gateway is online and healthy. For Local/Private Key credentials, verify that the Gateway's CIDR routes include the target server's IP. For Domain credentials, verify that at least one Gateway has Account Discovery enabled.
HTTP 400 — unsupported credential type	The credential is of type `Application`, which does not support verification.	No action; verification is not available for Application credentials.
HTTP 400 — server association error	A non-Domain credential has zero or more than one server associated.	Edit the credential to associate exactly one server, then retry.
Sync state stuck on `verifying`	The Gateway claimed the job but has not reported a result. Could be a Gateway crash, network interruption, or an unusually slow target.	Check the Gateway's health and logs. If the Gateway is offline, the job will remain in `running` state until the Gateway recovers and reports the result, or until an administrator cancels the job.
Repeated `unknown` state with `dc_resolution_failed`	The Gateway cannot resolve a Domain Controller for the credential's domain.	Check the `DOMAIN_CONTROLLERS` environment variable on the Gateway. Verify that DNS SRV records (`_ldap._tcp.dc._msdcs.<domain>`) are correctly configured and reachable from the Gateway.
Repeated `unknown` state with `connection_timeout` or `connection_failed`	The Gateway cannot reach the target server. Could be a firewall rule, routing issue, or the server being offline.	Verify network connectivity from the Gateway to the target server on the expected port (22 for Linux SSH, 445 for Windows SMB, 636/389 for LDAPS/LDAP). Check firewall rules and routing tables.
Credential keeps returning `out_of_sync`	The stored credential value does not match the target, and the underlying mismatch has not been resolved.	Update the credential value in GAccess to match the target, or trigger a rotation to set a new known value. After resolving, run a manual verify to confirm.
Verify job never picked up by Gateway	Gateway poll interval may be long (default 30 s), or the Gateway is offline. A backoff-scheduled retry job will not be picked up before its scheduled time.	Check Gateway connectivity and health. For backoff-scheduled jobs, the delay is intentional; wait for the scheduled time.

Reference

Sync state reference

State	Display label	Description	Recommended action
`in_sync`	In Sync	The stored credential matches the target system. Authentication succeeded on the last verification.	No action required.
`out_of_sync`	Out of Sync	Authentication was explicitly rejected. The stored credential does not match the target.	Update or rotate the credential to restore a matching value, then re-verify.
`unknown`	Unknown	Verification could not complete due to a network or infrastructure error. The credential value is indeterminate.	Investigate network connectivity, gateway health, and firewall rules. Check `reasonDetail` for the raw error.
`verifying`	Verifying	A verify job is currently in progress.	Wait for the job to complete.
`not_applicable`	Not Applicable	This credential type does not support verification.	No action; this state is permanent for `Application` type credentials.

Error reason reference

Reason code	Description	Category	Recommended action
`auth_failed`	The credential was explicitly rejected by the target system. The password is wrong or the SSH key is not in the target's `authorized_keys`.	Authentication	Update the stored credential value to match the target, or rotate to set a new value.
`auth_key_format`	The SSH private key stored in GAccess is malformed, or its passphrase is incorrect.	Authentication	Re-upload a valid private key. Verify that the passphrase (if any) is correct.
`connection_timeout`	The connection attempt to the target system timed out before a response was received.	Infrastructure	Check that the target is reachable from the Gateway on the expected port. Check firewall rules and routing.
`connection_failed`	The host was unreachable, the port was closed, or the connection was refused.	Infrastructure	Verify the target server is online and the service (SSH, SMB, LDAPS) is running. Check port availability and firewall rules.
`dc_resolution_failed`	No Domain Controller could be resolved for the credential's domain.	Infrastructure	Verify `DOMAIN_CONTROLLERS` env var on the Gateway, or confirm DNS SRV records for `_ldap._tcp.dc._msdcs.<domain>` are reachable.
`unknown_error`	An unexpected error occurred during verification.	Infrastructure	Check `sync.reasonDetail` for the raw error message. Review Gateway logs for further context.

Retry backoff schedule

Applies to scheduled verify jobs only. Manual (ad-hoc) jobs are not retried.

Failure number (attempt)	Backoff delay before next retry
1	10 minutes
2	20 minutes
3	40 minutes
4	80 minutes
5 and beyond	120 minutes (maximum)

Formula: min(2^attempt × 5, 120) minutes. Retries stop when consecutiveFailures reaches the Max Consecutive Failures threshold defined on the attached Verification Policy. At that point the credential is paused for 24 hours.