5 Replies Latest reply on Jun 10, 2015 8:09 AM by cwinning

    Using multiple credentials

    Rookie


      What is the best way to attempt multiple credentials when deploying patches? I have a machine group based on a subnet, but a subset of these machines might use one local administrator password, and a different subset uses a different local administrator password. I want to start a scan and deployment where Shavlik Protect will attempt multiple credentials and use the credential that is successful. From what I know, this is not possible natively within Shavlik Protect. It seems I either need to use multiple machine groups or use machine credentials. I really don't like either of these options, because I don't always know which credential will work. Is there another solution?

       

      Scott M.

        • 1. Re: Using multiple credentials
          cwinning CommunityTeam

          Hello,

           

          There isn't a specific option to allow a set of credentials to be used during scan/deployments.  Here is some information on how Protect handles credentials.

           

          For patch scans, asset scans, power management, and executing scripts, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

          1. If one or more of the following are available, the credential with the highest precedence will be used. The precedence order is as follows:

                a. Machine-level credentials

                b. Group-level credentials (set in Machine Group)

                c. Integrated Authentication (Kerberos) (the credentials set as Default Credentials in the Credentials Manager)

           

          Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials

           

          2. If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

          If neither of these credentials works, the scans and the power management tasks will fail.

           

          One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.


          Have you thought about installing agents on these machines?  Credentials aren't an issue once you have an agent installed and scan and deploy through the agent.


          Thanks,

          Charles
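
The strategy described in the reply above, modelled as an added example (not part of the original thread and not Shavlik Protect code). The `Cred` type, the account names and the `works` callback are hypothetical. It shows that a lower-precedence credential is never tried when a higher-precedence one is defined, and that at most two credentials are attempted per machine.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Cred:
    source: str   # "machine", "group", "default" or "logged-on"
    account: str  # constructed account label; no secrets involved

def pick_assigned(machine: Optional[Cred], group: Optional[Cred],
                  default: Optional[Cred]) -> Optional[Cred]:
    """Step 1: only the highest-precedence credential that is defined is chosen."""
    for cred in (machine, group, default):
        if cred is not None:
            return cred
    return None

def resolve(machine: Optional[Cred], group: Optional[Cred],
            default: Optional[Cred], logged_on: Cred,
            works: Callable[[Cred], bool]) -> Tuple[Optional[Cred], List[Cred]]:
    """Return (credential that authenticated or None, credentials attempted)."""
    attempted: List[Cred] = []
    # Step 2: the logged-on user's credential is the only fallback.
    for cred in (pick_assigned(machine, group, default), logged_on):
        if cred is None:
            continue
        attempted.append(cred)
        if works(cred):
            return cred, attempted
    return None, attempted

# Constructed scenario: a workstation whose domain trust has lapsed, so only
# a local administrator account still authenticates.
GROUP = Cred("group", "CORP\\patch-admin")
LOCAL_DEFAULT = Cred("default", ".\\localadmin")
LOCAL_MACHINE = Cred("machine", ".\\localadmin")
LOGGED_ON = Cred("logged-on", "CORP\\console-user")

def local_only(cred: Cred) -> bool:
    return cred.account.startswith(".\\")

def demo():
    # Group credential defined: the working default credential is skipped.
    stale = resolve(None, GROUP, LOCAL_DEFAULT, LOGGED_ON, local_only)
    # Same account assigned at machine level: it wins on precedence.
    fixed = resolve(LOCAL_MACHINE, GROUP, None, LOGGED_ON, local_only)
    return stale, fixed

if __name__ == "__main__":
    for used, tried in demo():
        print(used.account if used else "FAILED", [c.source for c in tried])
```
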

          • 2. Re: Using multiple credentials
            Rookie

            Thank you. Regarding the precedence order, I read in the article which I believe you quoted above that if the credential is defined, but doesn't work, it will not try the next credential in line. Perhaps I can describe my scenarios where I want this ability.

             

            First, we check workstations that are domain members, so we would normally use a domain administrator to access these computers. But many of these are used remotely, and don't connect to the network except by VPN for long periods of time. It happens that these computers can sometimes lose the domain trust because they have been away too long, and then the domain administrator account no longer works. But a local administrator account does work. You might suggest that I only use the local administrator account, but we have multiple local administrator account passwords, depending on who set up the machine and how long it has been around.

             

            Second, we check servers that are standalone, and we have different local administrator account passwords depending on the platform of the machine; i.e. Windows Server 2003 or Windows 2008 Server. I don't necessarily know the platform level when initiating the scan and deploy, so I would like to try all passwords during the action. I realize there is a risk of account lockout, but that is something I can configure in policy.

            Also, I do log on to the console using the same credential as my default credential.

             

            The server example I described can be handled using multiple machine groups, but I don't have a good solution for the workstation example. Perhaps this idea is something that can be considered as a future feature.

            • 3. Re: Using multiple credentials
              cwinning CommunityTeam

              Hello,

               

              Thank you for the detailed explanation. I do see a lot of merit in what you are looking for and I agree this is worth a feature request.  I could submit the request for you, but a request directly from a customer has more weight.  Let me know.

               

              Submit A Feature Request

               

              Thanks,

              Charles

              • 4. Re: Using multiple credentials
                Rookie

                Thank you. I have submitted the new feature request: RE-2361.

                • 5. Re: Using multiple credentials
                  cwinning CommunityTeam

                  Great, I know the Product Manager looks at these frequently.

                   

                  Thank you,

                  Charles