KBI 311325 Issue Addressed: Random Failure When Running Service Rules, Performance Rules And Event Log Rules With Alternative Credential


Argent Advanced Technology 3.1A-1510-A or earlier


Wednesday, 9 December 2015


When Argent AT Engines are configured in way that, service account is a Domain User and Engine uses a Domain Admin account as alternative credential to monitor remote servers, random failures can be resulted for Service Rules, Performance Rules and Event Log Rules

Typical error log shows as following:

Could not connect to service manager of node xxxx (Credential: domain\user) with GENERIC_READ rights. Error: Access is denied

The issue has been addressed in Argent AT 3.1A-1510-T10

Technical Background

Service Rules, Performance Rules and Event Log Rules generally require local administrator privileges

Argent AT uses Credential Manager to store the alternative credential for the target server

It is possible that Credential Manager API is not solid for heavy usage

Argent AT 3.1A-1510-T10 addressed issue by impersonating the alternative credential instead of using Credential Manager API

The algorithm goes as follows:

If the alternative credential belongs to a workgroup or a domain different from the service account, Argent AT Engine will continue to use Credential Manager API

If the alternative credential belongs to the same domain as the service account, Argent AT Engine explicitly acquires primary token calling API ‘LogonUser’ then impersonates the alternative credential on the monitoring thread

If the impersonation succeeds, the monitoring thread will run under the security context of the alternative credential

If the impersonation fails for some reason, Argent AT Engine falls back to Credential Manager API to have the full backward compatibility


It is recommended that Argent AT service account is a local administrator for target servers

If service account is a member of Domain Admins, it is generally sufficient

Use alternative credential only for workgroup machines or servers in other domain

They should account for small percentage of total machines being monitored

For customer who has to use non-admin user for service account, upgrade to Argent AT 3.1A-1510-T10 or later