Overview on How Credentials Work in Patch for Windows

Version 10

    Purpose

     

    This document provides a high level overview of how credentials work in Patch for Windows.

    There are several sections to this article, each pertaining to agentless operations in Patch for Windows.

    A more in depth explanation, as well as how Agents use credentials and helpful visuals, is available here: How Credentials Work in Patch for Windows

     

    Overview

     

    Scanning

     

    When performing operations, Patch for Windows will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

    1.   If one or more of the following are available,  the credential with the highest precedence will be used. The precedence order is as follows:
      1. Individual credential defined in Machine Properties (View > Machines, right-click to select Machine Properties)
      2. Individual credential assigned in the lower pane of Machine Group
      3. Credential assigned in top pane to Machine Group overall
      4. Credential set as default in Manage > Credentials

     

    Example: If machine-level credentials are not available but group-level credentials are available, the program will use the group-level credentials.

     

    1.   If the credential used above does not work, then Integrated Windows Authentication (CLOUC, the Currently Logged On User Credentials, of the person currently logged on to the program or account executing the task) will be used.

     

    If neither of these credentials work, the scans and the power management tasks will fail.

    One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

     

    Deployment

     

    While scanning in Patch for Windows utilizes a failover sequence, but deployments do not.

    If no credentials are available, or they fail, the deployment fails. Deployments will not attempt to use CLOUC or default credentials. Because of this, it's possible to scan successfully, but receive an access denied error upon deployment.

    If you supply bad Individual Machine’s Lower Panel Credentials, it will fail over to CLOUC to get the machine resolution, but it will fail to copy the files over during the installation. The file copy happens in the Console Service and will use the Individual Machine’s Lower Panel Credentials.

     

    Scheduled Scans

     

    When scheduling a scan, Patch for Windows requires a "Scheduler Credential". This credential is not set in the Credentials Manager, but under Manage > Scheduled Console Tasks.

    The scan uses the credentials associated to Scheduler Credential, not your currently logged on user or default credential

    This credential is the identity Patch for Windows will assume to kick off the scan. As such, it must be a local Administrator, and it must be allowed to run scans under User Role Assignment.

    This credential needs to be set while logged in as the user specified.

          -Example: If the credential is domain\user1, then domain\user1 needs to log in to the Patch for Windows server, open the console, create the credentials, and assign them.

     

    Scheduled Deployment

     

    Scheduled Deployments will use credentials in the same manner as normal deployments.

     

    Agent Installs From the Console

     

    1. Individual credential defined in Machine Properties (View > Machines, right-click to select Machine Properties)
    2. Individual credential assigned in the lower pane of Machine Group
    3. Credential assigned in top pane to Machine Group overall
    4. Credential set as default in Manage > Credentials

     

     

    Currently Logged On Under Credentials (CLOUC) will be used if all those are not defined, and the copying of the files to the target will fail, because it is done in the Console service and it will use the credentials assigned to the machine)

     

     

    Multiple Patch for Windows Administrators

     

    When multiple users are given Administrator access to Patch for Windows, there are some considerations to take into account regarding credentials:

    • Administrators can overwrite shared credentials, which can interfere with tasks scheduled by another admin.
    • An admin who edits a credential, also takes "ownership" of the credential.

     

    Additional Information

     

    One particular part of credentials many people have issues with is Scheduled Scans. This is because scheduled scans are a scheduled console task, and require the scheduler credential to be properly set.

    Of course, people want to know why things must be set the way they are. Here's the technical background behind why:

    • When the time comes for Patch for Windows to run the scheduled scan, it's operating under the Local System account. It uses the system account to "impersonate", or act as, the scheduler credential.
    • When a user creates credentials in Patch for Windows, those credentials are encrypted in a manner that only allows the user that created the credentials to decrypt them.
    • So, if the scheduler credentials are set by a different user, when Patch for Windows tries to decrypt the scheduler credentials using the scheduler user profile, it will fail. Similarly, if the scheduler credentials have never been used to log onto the server, there will be no profile for Patch for Windows to login under.  Patch for Windows tries to find the credential associated to that different user and it will not be able to find them, because they were never entered.

     

    For more detailed information regarding credentials in Patch for Windows, please see How Credentials Work in Patch for Windows .

     

    Affected Product(s)

    Patch for Windows 9.x

    Protect 9.2