KBI 311325 Issue Addressed: Random Failure When Running Service Rules, Performance Rules And Event Log Rules With Alternative Credential
Version
Argent Advanced Technology 3.1A-1510-A or earlier
Date
Wednesday, 9 December 2015
Summary
When Argent AT Engines are configured so that the service account is a Domain User and the Engine uses a Domain Admin account as the alternative credential to monitor remote servers, Service Rules, Performance Rules and Event Log Rules can fail at random
A typical error log entry looks like the following:
Could not connect to service manager of node xxxx (Credential: domain\user) with GENERIC_READ rights. Error: Access is denied
The issue has been addressed in Argent AT 3.1A-1510-T10
Technical Background
Service Rules, Performance Rules and Event Log Rules generally require local administrator privileges
Argent AT uses Credential Manager to store the alternative credential for the target server
The Credential Manager API may not be reliable under heavy usage
Argent AT 3.1A-1510-T10 addresses the issue by impersonating the alternative credential instead of using the Credential Manager API
The algorithm goes as follows:
If the alternative credential belongs to a workgroup or to a domain different from the service account's, the Argent AT Engine continues to use the Credential Manager API
If the alternative credential belongs to the same domain as the service account, the Argent AT Engine explicitly acquires a primary token by calling the API 'LogonUser' and then impersonates the alternative credential on the monitoring thread
If the impersonation succeeds, the monitoring thread runs under the security context of the alternative credential
If the impersonation fails for any reason, the Argent AT Engine falls back to the Credential Manager API for full backward compatibility
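The decision sequence above, as an added example that is not Argent's own code: a same-domain alternative credential is logged on with LogonUser and impersonated on the calling thread, while a workgroup or foreign-domain credential, or a failed logon, takes the fallback path. It assumes Windows PowerShell 5.1 (.NET Framework WindowsIdentity.Impersonate), an interactive logon type, and a placeholder host name 'target-server'.

```powershell
# Added example, not Argent code. The fallback scriptblock stands in for the
# Credential Manager path the Engine keeps for backward compatibility.
$signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $signature -Name 'LogonApi' -Namespace 'KbiExample' -PassThru

function Invoke-WithAlternativeCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # 'DOMAIN\user' or 'user' (local)
        [Parameter(Mandatory)][scriptblock]$Action,        # the monitoring work
        [scriptblock]$Fallback = $Action                   # Credential Manager path stand-in
    )
    $serviceDomain = [Environment]::UserDomainName
    $altDomain, $altUser = $Credential.UserName -split '\\', 2
    if (-not $altUser) { $altUser = $altDomain; $altDomain = '.' }

    # Workgroup or a different domain: keep using the Credential Manager path
    if ($altDomain -ne $serviceDomain) { return & $Fallback }

    # Same domain: acquire a primary token with LogonUser, then impersonate it
    $LOGON32_LOGON_INTERACTIVE = 2; $LOGON32_PROVIDER_DEFAULT = 0   # logon type is an assumption
    $token = [IntPtr]::Zero
    $ok = $Native::LogonUser($altUser, $altDomain, $Credential.GetNetworkCredential().Password,
                             $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        # Logon failed: record the Win32 error and fall back for backward compatibility
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "LogonUser failed for $($Credential.UserName) (Win32 error $err); using fallback"
        return & $Fallback
    }
    $context = $null
    try {
        $context = (New-Object System.Security.Principal.WindowsIdentity($token)).Impersonate()
        & $Action            # now runs under the alternative credential's security context
    }
    finally {
        if ($context) { $context.Undo() }   # revert the thread before the token is closed
        [void]$Native::CloseHandle($token)
    }
}

# Usage: show whose context the action runs in, then read services from a remote host.
$cred = Get-Credential -Message 'Alternative credential (DOMAIN\user)'
Invoke-WithAlternativeCredential -Credential $cred -Action {
    "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    Get-Service -ComputerName 'target-server' | Select-Object -First 3   # placeholder host
}
```

Because the impersonation is per thread, the remote Service Control Manager call inside the action authenticates as the alternative credential, which is the condition the "GENERIC_READ rights" error in the Summary depends on.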
Resolution
It is recommended that the Argent AT service account be a local administrator on target servers
If the service account is a member of Domain Admins, this is generally sufficient
Use an alternative credential only for workgroup machines or servers in another domain
These should account for a small percentage of the total machines being monitored
Customers who must use a non-admin user for the service account should upgrade to Argent AT 3.1A-1510-T10 or later