KBI 311325 Issue Addressed: Random Failure When Running Service Rules, Performance Rules And Event Log Rules With Alternative Credential

Version

Argent Advanced Technology 3.1A-1510-A or earlier

Date

Wednesday, 9 December 2015

Summary

When an Argent AT Engine is configured so that its service account is a Domain User and the Engine uses a Domain Admin account as the alternative credential to monitor remote servers, Service Rules, Performance Rules and Event Log Rules can fail at random

A typical error log entry looks like the following:

Could not connect to service manager of node xxxx (Credential: domain\user) with GENERIC_READ rights. Error: Access is denied

The issue has been addressed in Argent AT 3.1A-1510-T10

Technical Background

Service Rules, Performance Rules and Event Log Rules generally require local administrator privileges on the target server

Argent AT uses Credential Manager to store the alternative credential for the target server

The Credential Manager API may not be reliable under heavy usage

Argent AT 3.1A-1510-T10 addresses the issue by impersonating the alternative credential instead of relying on the Credential Manager API

The algorithm goes as follows:

If the alternative credential belongs to a workgroup or to a domain different from that of the service account, the Argent AT Engine continues to use the Credential Manager API

If the alternative credential belongs to the same domain as the service account, the Argent AT Engine explicitly acquires a primary token by calling the ‘LogonUser’ API and then impersonates the alternative credential on the monitoring thread

If the impersonation succeeds, the monitoring thread runs under the security context of the alternative credential

If the impersonation fails for any reason, the Argent AT Engine falls back to the Credential Manager API for full backward compatibility
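The following script is an added example, not Argent's own code, that reproduces the credential-selection logic described above for one node and one monitoring probe: same-domain credentials go through LogonUser and thread impersonation, everything else (and any impersonation failure) goes through Credential Manager. It assumes Windows PowerShell 5.1 on a domain-joined engine host, that the service account's domain is $env:USERDOMAIN, that the alternative credential is supplied as DOMAIN\user, that LOGON32_LOGON_INTERACTIVE is the logon type (the article does not name one), and that enumerating the node's services stands in for a Service Rule. The function names, the node name and the account name are hypothetical.

```powershell
# Added example (not Argent code): impersonate a same-domain alternative credential,
# fall back to Credential Manager otherwise. Assumptions are listed in the lead-in.

if (-not ('AdvApi32' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AdvApi32 {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}
Add-Type -AssemblyName System.ServiceProcess

$LOGON32_LOGON_INTERACTIVE = 2   # assumption: primary token whose credentials work for outbound authentication
$LOGON32_PROVIDER_DEFAULT  = 0

function Test-ServiceManager {
    # Stand-in for a Service Rule: GetServices opens the node's service control manager
    # for enumeration (an access right contained in GENERIC_READ), so an unprivileged
    # identity fails here with "Access is denied", as in the article's log entry.
    param([string]$Node)
    try {
        $null = [System.ServiceProcess.ServiceController]::GetServices($Node)
        return $true
    } catch {
        Write-Warning ("Could not connect to service manager of node {0} as {1}: {2}" -f
            $Node, [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, $_.Exception.Message)
        return $false
    }
}

function Save-CredentialManagerEntry {
    # cmdkey writes the same Windows vault the Credential Manager API (CredWrite) uses
    param([string]$Node, [pscredential]$Credential)
    cmdkey "/add:$Node" "/user:$($Credential.UserName)" "/pass:$($Credential.GetNetworkCredential().Password)" | Out-Null
}

function Invoke-MonitorWithAlternativeCredential {
    param(
        [Parameter(Mandatory)][string]$Node,
        [Parameter(Mandatory)][pscredential]$Alternative   # DOMAIN\user form (assumption)
    )
    $domain, $user = $Alternative.UserName -split '\\', 2
    if (-not $user) { $user = $domain; $domain = '' }      # bare user name: treat as a workgroup account

    # Step 1: workgroup or foreign domain -> keep using Credential Manager
    if ($domain -ne $env:USERDOMAIN) {
        Save-CredentialManagerEntry -Node $Node -Credential $Alternative
        return Test-ServiceManager -Node $Node
    }

    # Step 2: same domain -> acquire a primary token with LogonUser and impersonate it on this thread
    $token = [IntPtr]::Zero
    $ok = [AdvApi32]::LogonUser($user, $domain, $Alternative.GetNetworkCredential().Password,
                                $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        $ok = [AdvApi32]::ImpersonateLoggedOnUser($token)
        $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    }

    if ($ok) {
        try {
            # Step 3: the probe now runs in the alternative credential's security context
            return Test-ServiceManager -Node $Node
        } finally {
            [void][AdvApi32]::RevertToSelf()
            [void][AdvApi32]::CloseHandle($token)
        }
    }

    # Step 4: LogonUser or impersonation failed -> fall back to Credential Manager
    Write-Warning "Impersonation of $($Alternative.UserName) failed (Win32 error $win32Error); falling back to Credential Manager"
    if ($token -ne [IntPtr]::Zero) { [void][AdvApi32]::CloseHandle($token) }
    Save-CredentialManagerEntry -Node $Node -Credential $Alternative
    return Test-ServiceManager -Node $Node
}

# Usage (hypothetical node and account):
# $alt = Get-Credential 'CORP\svc-argent-admin'
# Invoke-MonitorWithAlternativeCredential -Node 'srv01.corp.example' -Alternative $alt
```

Two caveats a practitioner should keep in mind. Impersonation is per thread, which is why the article ties it to the monitoring thread; any work handed to another thread runs as the service account again. An interactive logon requires the alternative account to hold the "Allow log on locally" right on the engine host, while a LOGON32_LOGON_NETWORK token cannot authenticate to remote servers at all, so the logon type matters. Finally, cmdkey places the password on the command line, which is acceptable for a demonstration but not for production tooling.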

Resolution

It is recommended that the Argent AT service account be a local administrator on all target servers

If the service account is a member of Domain Admins, this is generally sufficient, since Domain Admins is a member of the local Administrators group on domain-joined machines by default

Use an alternative credential only for workgroup machines or servers in other domains

These should account for a small percentage of the total machines being monitored

Customers who have to use a non-admin user for the service account should upgrade to Argent AT 3.1A-1510-T10 or later
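The following audit script is an added example, not Argent's own code, that checks a list of monitored nodes against the recommendations above: for each node it reports whether the node is in the service account's domain and whether the service account (or Domain Admins) sits in the node's local Administrators group, then counts how many nodes still need an alternative credential. It assumes the script runs as the engine service account, that nodes are given as FQDNs whose DNS suffix equals $env:USERDNSDOMAIN when they are in the same domain, and that remote SAM access through the WinNT ADSI provider is permitted. The function names and the sample node list are hypothetical.

```powershell
# Added example (not Argent code): audit which nodes are covered by the service
# account and which genuinely need an alternative credential.

function Get-LocalAdministrators {
    # Members of the node's local Administrators group, returned as DOMAIN\name strings
    param([string]$Node)
    $group = [ADSI]"WinNT://$Node/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-NodeCoverage {
    param(
        [string[]]$Nodes,
        [string]$ServiceAccount   = "$env:USERDOMAIN\$env:USERNAME",   # assumption: running as the service account
        [string]$ServiceDnsDomain = $env:USERDNSDOMAIN
    )
    $serviceNetbiosDomain = ($ServiceAccount -split '\\')[0]

    $results = foreach ($node in $Nodes) {
        # Same domain is inferred from the DNS suffix (assumption: nodes are FQDNs)
        $sameDomain = [bool]$ServiceDnsDomain -and $node.ToLower().EndsWith('.' + $ServiceDnsDomain.ToLower())

        $isLocalAdmin = $null   # stays $null when the lookup itself fails
        try {
            $admins = @(Get-LocalAdministrators -Node $node)
            $isLocalAdmin = ($admins -contains $ServiceAccount) -or
                            ($admins -contains "$serviceNetbiosDomain\Domain Admins")
        } catch {
            Write-Warning "Could not read local Administrators of $node : $($_.Exception.Message)"
        }

        if (-not $sameDomain)             { $recommendation = 'Use alternative credential (workgroup or other domain)' }
        elseif ($isLocalAdmin -eq $true)  { $recommendation = 'OK: service account is a local administrator' }
        elseif ($isLocalAdmin -eq $false) { $recommendation = 'Add the service account to local Administrators' }
        else                              { $recommendation = 'Lookup failed: verify manually' }

        [pscustomobject]@{
            Node                       = $node
            SameDomain                 = $sameDomain
            ServiceAccountIsAdmin      = $isLocalAdmin
            NeedsAlternativeCredential = -not $sameDomain   # the article's rule: only workgroup/other-domain nodes
            Recommendation             = $recommendation
        }
    }

    $needing = @($results | Where-Object NeedsAlternativeCredential).Count
    $share   = $needing / [math]::Max(@($results).Count, 1)
    Write-Host ("{0} of {1} nodes ({2:P0}) need an alternative credential; this should stay a small share of the estate" -f
        $needing, @($results).Count, $share)
    $results
}

# Usage with a constructed, hypothetical node list:
# Test-NodeCoverage -Nodes 'srv01.corp.example', 'srv02.corp.example', 'dmz-web01', 'app01.partner.example' | Format-Table -AutoSize
```

Get-LocalAdministrators talks to the node's SAM over RPC, so it needs network reachability on the SMB/RPC ports and, on Windows 10 1607 / Server 2016 and later, is subject to the "Network access: Restrict clients allowed to make remote calls to SAM" policy; a node that fails the lookup is reported rather than silently counted as covered.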