How Credentials Work in Protect

Version 10

    Purpose


    This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.

     

    Description

     

    Credential Precedence for Physical Machines and Online Virtual Machines

    Initiating actions from the home page, from a machine group, or from a favorite

    The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

    1.   If one or more of the following are available,  the credential with the highest precedence will be used. The precedence order is as follows:

          a. Machine-level credentials

          b. Group-level credentials

          c. Integrated Authentication (Kerberos)

          d. Default Credentials

     

    Example: If machine-level credentials are not available but group-level credentials are available, the program will use the group-level credentials.

    1.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

    If neither of these credentials work, the scans and the power management tasks will fail.

    One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

     

    Initiating an agent installation from a machine group

    When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.

    Initiating actions from Machine View or Scan View

    When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:

    1.   If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows:
      1. Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)

    2.   If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

    Note: Integrated credentials will not work for deployments to offline virtual machines or for re-scans.

    If neither of these credentials work then the action will fail.

    Initiating an agent installation from Machine View or Scan View

    When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.

     

    Credential Precedence for Offline Hosted Virtual Machines

    Initiating actions from the home page, from a machine group, or from a favorite

    The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.

    Initiating actions from Machine View or Scan View

    When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depends on the power state of the machine when it was initially scanned.

    If a machine was originally scanned in offline mode

    The program will attempt to authenticate using the browse credentials.

    If a machine was originally scanned in online mode

    The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:

    1.   Try using any manually or automatically assigned managed machine credentials
    2. If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

      1. The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.

      2. Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))

    3.   If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

    Note: Integrated credentials will not work for deployments to offline virtual machines or for re-scans.

    If none of these credentials work then the action will fail.

     

    Defining Credentials

    The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.

     

    Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.

     

    define_cred.jpg

     

    Name this credential so it can be used elsewhere

    Provide a friendly name for this credential that describes exactly where it should be used.

    User name

    Type a user name that has access to the machine(s). When specifying the user name:

    • If you need to specify a domain as part of the credentials be sure to include the domain name as part of the user name. For example, if you enter User@<Domain>, <Domain>\User, or a fully qualified user name, Shavlik Protect will use the domain account rights.
    • If you enter <Target Machine>\User, Shavlik Protect will use the target's local account rights.

    • If you do not include a domain or machine as part of the user name, the name will be qualified to the target machine (<targetmachinename>\User).

    • Microsoft Windows .alias name formats (for example: '.\username') are supported by Shavlik Protect.

    Password

    Type the password for the user.

    Verify password

    Retype the password to verify you specified it correctly.

    Share this with background tasks, agents, and other features

    If enabled, this credential will be available to all Shavlik Protect administrators and can be used to specify credentials for service components within the program. The service components within Shavlik Protect that require a shared credential include the following:

    • Proxy service
    • Email service

    • Agent internet proxy

    • Distribution servers

    • TrustedHost list access when running remote scripts

    Why is it necessary to share a credential? Credentials are encrypted, so you must share a credential so that the service components can decrypt and access it when needed.

    Example: If you select Tools > Options > Proxy and attempt to assign Service credentials, only shared credentials are available for selection. The service must have a copy of the credential in order to decrypt it.

    Note: It is recommended that you create a service account to perform these service functions rather than using a domain administrator account. See Potential Security Implications When Sharing Credentials for more information.

     

    Supplying Scan Credentials for Target Machines

    Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.

     

    This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.

     

    The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:

    •   Authenticate to the local (console) machine

    Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.

    •   Perform a patch deployment

    The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.

    You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.

     

    Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

    Assigning Credentials to Individual Machines in a Machine Group

    To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.

    assigning_creds1.jpg

    On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

    assigning_creds2.jpg

    When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.

    assign_creds_tiny.jpg

    Assigning Credentials to All Machines in a Machine Group

    To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.

    assigning_creds3.jpg

    On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.

    assigning_creds2.jpg

    When credentials are assigned the icon will contain a check mark:

    assign_creds_tiny.jpg

    In addition, the button name will change to the name of the assigned credential.

    Assigning Credentials to Virtual Machines

    There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depends on how the machines are defined to the group and on the current power state of each machine.

    • Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depends on the current power state of the machine.
      • A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.

    assigning_creds4.jpg

      • A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.

    assigning_creds5.jpg

    • Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above.
    • Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.

    Assigning New Credentials to Machines After They Have Been Scanned

    After one or more machines have been scanned and are contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.

     

    There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

    assigning_creds6.jpg

     

    Managing Credentials

    Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.

    The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.

    Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.

     

    To manage the credentials used by the program, select Manage > Credentials.

    manage_creds1.jpg

     

    Add

    Enables you to add a new credential.

    Edit

       Enables you to modify the selected credential.

    Delete

    Deletes the selected credential. You can delete multiple credentials at the same time.

    When you delete a credential the following occurs:

    • The credential itself is deleted
    • All usages of the credential throughout the program are deleted

    • If it is a shared credential, the shared credential and all its usages are deleted

    Caution! Any items using the deleted credential will no longer be assigned a credential. Before you delete a credential you should browse your machine groups to verify the credential is not being used.

    Merge

    Tip: This credential cleanup tool will typically be used immediately following an upgrade from an earlier version of Shavlik Protect that does not contain the Credentials Manager.

    Enables you to merge one or more credentials that contain the same user name and password with another credential entry that also contains the same user name and password. Or you can merge several different credentials into one new credential that is effective in all situations. By eliminating duplicate and unneeded credentials you reduce confusion and lessen the chance for human error.

    1. On the Credentials Manager dialog select the credential(s) you want to merge with another credential.
    2. Click Merge.

    The Merge Credentials dialog is displayed. For example:

    manage_creds2.jpg

    1. At the bottom of the dialog do one of the following:
    • Select an existing credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the credential you select here.
    • Create a new credential: The credential(s) specified in the Confirm credentials to merge list will be merged with the new credential you create here.

    Note: A shared credential can only be merged with another shared credential. Therefore, if any of the credentials in the Confirm credentials to merge list are shared, then (1) only shared credentials will be offered for selection in the Existing box, and (2) any new credential you create will automatically be defined as a shared credential.

    1. Click Merge.
    2. Read the message on the confirmation dialog and if you agree with the merger, click Merge.

    View usages

    Enables you to see how and where the selected credentials are being used in the program. Only those credentials that are currently being used in the program will be displayed in the Credential Usages dialog. A credential may be listed multiple times if it is used in different areas of the program.

    manage_creds3.jpg

    You can right-click on any list item and perform a number of different actions.

    • Assign different credential: Enables you to assign a different credential to the selected item(s). You can assign a different credential to multiple items at once but only if they all have the same Shared Usage value (Yes or No).
    • Expand all: Expands all lists.

    • Collapse all: Collapses all lists.

    • Export selected credential usages to CSV: Export information about the selected items to a Comma Separated Values (CSV) file. The CSV file can then be used within a spreadsheet program.

    Set as default

    Assigns the selected credential as the default credential. The program will use the default credential if other credentials are missing or invalid.

    Clear default

    Removes the default credential assignment.

    User Name

    Displays the user name portion of each credential.

    Name

    Displays the unique name assigned to each credential.

    Shared

    Displays whether the credentials are shared credentials. The information in this column is directly related to the Share this with background tasks, Agents, and other features check box on the Define Credential dialog.

     

     

    Managing Individual Machine Properties (Explicitly supplied credentials)

    You can set explicit credentials for machines via View > Machines > Right Click a machine > Machine Properties.

     

    Manage_Machine_Properties.jpg

    Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.

     

    There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.

     

    How Shavlik Protect Manages Multiple Administrators

    Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:

    • The program will not allow duplicate group names or template names
    • The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:

    another_user.jpg

    • Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
      • Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.

     

    Best Practices When Using Multiple Administrators

    Recommendations

    • You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks.
      • Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM

      • For each additional administrator, add 1 processor core and 1 GB RAM

      • For a high performance system, use 16 processor cores and 32 GB RAM

    • When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.

    • If you edit a group that is typically used by another administrator you should notify that person about the change.

    • Each administrator should create their own credentials and assign them to machines.

    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.

     

    Potential Issues When Using Multiple Administrators

    Usage Issues

    You must take a few common sense precautions when using multiple administrators.  Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:

    •   If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.

    The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.

    •   If two or more administrators try to deploy patches or bulletins to the same machine at the same time.

    The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.

    Credential Issue

    When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.

    One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.

    Recommendations:

    • Each administrator should create their own credentials and assign them to machines
    • Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.

    Virtual Inventory Consideration

    Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.

     

    Additional Information

     

    More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:

     

    Shavlik Protect Encryption Q&A

    How-To troubleshoot Error 5 - Access is denied

    Change Machine Credentials on Multiple Machines at Once

    Account Lockout - Scheduler Service using Credentials

     

    Affected Products

     

    Shavlik Protect 9.x