Credential problems

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
mrw
Posts: 195
Joined: Mon Oct 08, 2012 6:11 am

Post by mrw »

Hi,

I'm having problems with credentials to access the Windows service list ("Get service list") on a remote server. I get Access denied.
And when I check the Windows security log on the target server it has failed by not using the credentials I specified in the Connection Manager. It tries to use the local admin account from the hostmon server.
I have tried every possible way to enter it in the Connection Manager but nothing triggers the use of that account. Neither the hostmon server nor the target server is a member of a domain.

But strangely I can monitor CPU usage and e specific server without credentials..
What can be wrong here?

//Andreas..
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Sometimes Windows API ignores specified credentials and uses current user account. We spent a lot of time investigating such problems without any explanation.

What is wrong in your case we don't know yet, so let's start from the beginning:
- HostMonitor version?
- HostMonitor is started as service or application?
- What exactly software do you use to set up Service test item? HostMonitor? Remote Control Console (RCC) running on the same system (system where HostMonitor is running)? RCC running on some other system?
- Windows on local system?
- Service Pack on local system?
- Windows on remote system?
- Service Pack on remote system?
- May we see test settings and Connection Manager accounts?

> But strangely I can monitor CPU usage and e specific server without credentials..

Yes, this is really strange. CPU Usage test requires user account with admin rights. If test works without specified user account, this means connection to remote system already established. In such case Service test should work just fine...
Maybe you are trying to set up Service test using RCC started on different system?

Regards
Alex

Post by mrw »

- Hostmon version: 9.34
- Is started as a service, using the local administrator account
- I'm using RCC that's installed locally on the hostmonitor server
- Windows on Hostmon server: Win2008R2 Datacenter with SP1
- Windows on target server: Win2008R2 Datacenter with SP1
- Sure you can see the tests settings, just tell me how? Some kind of export? And at the moment I removed the account (in Connection Manager) for the target since all tests work, so there's nothing to see ATM, but I can add the credentials I'd like to use.

ATM all tests work fine (though without credentials..?), except the "Get service list" function.

No, I'm setting up the tests locally on the Hostmon server. The target server is on another subnet so we have opened up ports through the firewall. And yes, we tried to open EVERY port but the credentials still aren't passed on correctly.

If I open up Run on the hostmon server and try to access the UNC path to the remote server I get the Windows credentials popup; if I enter the correct credentials there I can see the shares on that server as it should.

//Andreas..

Post by KS-Soft »

> And at the moment I removed the account (in Connection Manager) for the target since all tests work, so there's nothing to see ATM, but I can add the credentials I'd like to use.

Please provide correct account using Connection Manager.
Tests work at the moment because connection already established but you cannot rely on this, HostMonitor should be able to make connection when necessary.

> Sure you can see the tests settings, just tell me how? Some kind of export?

You may send screen shot or configuration files to support@ks-soft.net
(HML file with tests + connlist.lst).
Also you may export test settings using menu File->Export...

> I'm using RCC that's installed locally on the hostmonitor server
> ATM all tests work fine (though without credentials..?), except the "Get service list" function.

This means RCC cannot connect to remote system.

Regards
Alex

Post by mrw »

It works now!
Not sure why but it does.. I can see now in the target server security log that the hostmon server connects with the correct password.

The Connection Manager settings that now work are UNC=<ipaddress_to_target>, Server or Domain=<ipaddress_to_target>, Login=administrator. And the allowed test methods are "Service" and "CPU Usage".

The only thing that could differ from my attempts yesterday is that I now enter the ipaddress as "Server or Domain". Nothing else worked now. I tried entering the target server's name, localhost, "." and such. But the only thing that worked was the ipaddress.
I'm not sure if I tried that or not yesterday..
Hopefully it will work from now on.

Post by KS-Soft »

> The only thing that could differ from my attempts yesterday is that I now enter the ipaddress as "Server or Domain". Nothing else worked now. I tried entering the target server's name, localhost, "." and such.

"localhost" or "." is definitely the wrong way. You are checking remote system, you should provide remote system IP, hostname or FQDN.
Also, it's better to use the same UNC parameter for Connection Manager record and for test itself. E.g. if you specify FQDN as test parameter but use hostname in Connection Manager, it will not work.

Regards
Alex

Post by mrw »

Ok, good to know that the test parameter should be the same in Connection Manager. That is, both ip or both fqdn.

And I only tried localhost and "." as a desperate way to see if anything worked. But nothing did yesterday..

Well, it works now, although a bit strange it didn't yesterday.

But many thanks for your help!

//Andreas..

Post by KS-Soft »

> Ok, good to know that the test parameter should be the same in Connection Manager. That is, both ip or both fqdn.

There are some exceptions...

Quote from the manual:

> You may provide "default" account that will be used by HostMonitor for every resource not included in the list. To do so, type * as resource name. Then you may provide name of the server/domain or type * instead of server name. In 1st case HostMonitor will send authentication information to the specified server; in 2nd case (unc=* and server=*) HostMonitor will connect to the server that was specified as test parameter.
>
> In addition to default and host-specific accounts, you may specify accounts based on IP address ranges (e.g. you may specify one user account for 10.10.1.5-10.10.1.55 range, another account for 10.10.1.200-10.10.1.235 range)
>
> Note: Connection Manager may use account specified for some specific IP or IP range even if you are using hostname (not IP) for the test item target. When HostMonitor tries to find account for target server, it checks records trying to find specified resource or hostname; if such resource/hostname is not found, HostMonitor resolves hostname to IP address and checks Connection Manager records for this IP. If account for specific IP address could not be found either, HostMonitor will try to find appropriate account within "IP range" accounts. Only when all attempts fail, HostMonitor will use "default" account.
> Some restrictions apply:
> - HostMonitor itself should be able to resolve hostname; it will not use Remote Monitoring Agents for this operation;
> - some "hostname to IP" conversions related to UNC resources are not supported. E.g. if you set up file related test method using target resource like \\hostname\resource\folder\file and you have specified one or several accounts using IP or \\IP or IP range, this will work fine. But if you specified only one Connection Manager account using \\IP\resource path (e.g. \\192.168.1.100\C$), then HostMonitor will not use this record for connection (even if "hostname" can be resolved to "192.168.1.100" IP).

Regards
Alex
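
Added example (not part of the thread and not HostMonitor's code): a small Python model of the account lookup order quoted from the manual above, showing which Connection Manager record a given test target would select. The record list, the DNS table and every host, address and account name are constructed, and comparing the literal target text in step 1 is an assumption.

```python
import ipaddress

# Constructed Connection Manager records (resource -> account); all names,
# addresses and account labels are made up for this example.
RECORDS = {
    "srv-db01": "db-account",
    "10.10.1.20": "web-account",
    r"\\10.10.1.30\C$": "share-account",
    "10.10.1.200-10.10.1.235": "range-account",
    "*": "default-account",
}
# Constructed name table standing in for DNS on the HostMonitor system.
DNS = {"srv-db01.corp.example": "10.10.1.10", "srv-web01": "10.10.1.20",
       "srv-file01": "10.10.1.30", "srv-app07": "10.10.1.210"}

def parse_range(resource):
    """Return (low, high) for an 'IP-IP' record, or None for anything else."""
    try:
        low, high = (ipaddress.ip_address(p) for p in resource.split("-"))
        return low, high
    except ValueError:
        return None

def find_account(target, records=RECORDS, dns=DNS):
    """Return (account, matched_by) following the order quoted from the manual."""
    host = target.lstrip("\\").split("\\")[0]
    table = {k.lower(): v for k, v in records.items()}
    # 1. Specified resource or hostname, compared as text (assumption).
    for key in (target, host, "\\\\" + host):
        if key.lower() in table:
            return table[key.lower()], "name"
    # 2. Resolve the hostname and look for a record for that IP (IP or \\IP;
    #    \\IP\share records are not considered, per the quoted restriction).
    try:
        addr = ipaddress.ip_address(dns.get(host.lower(), host))
    except ValueError:
        return table.get("*"), "default"   # name could not be resolved
    for key in (str(addr), "\\\\" + str(addr)):
        if key in table:
            return table[key], "ip"
    # 3. IP-range records, then 4. the "*" default account.
    for resource, account in records.items():
        bounds = parse_range(resource)
        if bounds and bounds[0] <= addr <= bounds[1]:
            return account, "ip-range"
    return table.get("*"), "default"
```

In this model `srv-db01.corp.example` does not match the `srv-db01` record and ends up on the default account, which is the FQDN/hostname mismatch described earlier in the thread; the `\\srv-file01\C$\...` target likewise skips the `\\10.10.1.30\C$` record.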

Post by mrw »

Hi,

I am experiencing this exact issue again. This time it's on another server that's on the same subnet as the hostmon server. I have set up the credentials correctly since it's required by CPU Usage for instance.

Is there any known workaround for this? If it's some kind of Windows API bug that uses cached credentials instead of those I specify, it might be solved by restarting a service or similar?

I have tried to restart both servers but that didn't help.

//Andreas..
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am

Post by KS-Soft Europe »

Same server OS (Win2008R2 SP1), test Status and Reply?
Do you use IP address, FQDN or hostname for test & Connection manager?
Please check if appropriate test method is selected in Connection manager.

What other test methods are performed for this remote server?
Could you additionally setup CPU Usage, Process, WMI and Performance counter test items?
What are test Status and Reply fields for these test methods?

Post by mrw »

This server is a Win2012.
All the other tests work fine. The only problem is that I cannot get the list of all Windows services on that machine, with the error Access Denied.
I use IP as Resource and Server in Connection Manager.
I have checked every test method for this connection in Connection Manager.
I'm testing CPU Usage, Drive Free Space, Traffic Monitor and Service. So I can test a specific Windows Service if I set them manually, but I just can't browse the list.
I added a Process test and that also works perfectly. I can even browse that list and get all the running processes on the remote server.

Post by KS-Soft »

Hm, we retested 2 Windows 2012 systems and we cannot reproduce the problem.
If credentials are specified correctly, HostMonitor and RCC can perform all tests (well, HostMonitor performs tests, RCC just retrieves list of services or processes).
If something is wrong with the account, both HostMonitor and RCC cannot connect.
In your case HostMonitor is able to connect, RCC cannot..
What's strange is that this happens for service checks but not for processes? (normally Process test requires account with additional rights)
:roll:

Regards
Alex

Post by mrw »

Well, today it works.
Since I wrote the previous post nothing has changed on either of the servers.
I guess it must be some kind of cache, ttl or similar that either Hostmon has or the Windows API that Hostmon uses.

If there's anything I can do to help you debug this, just let me know. I'd be glad to help.
But for now the only fix/workaround is to just wait a day or two.

Is there any difference in the way Hostmon receives the process list compared to the service list? Are you using remote registry or wmi or something else? Perhaps the list can be retrieved using snmp?

//Andreas..

Post by KS-Soft »

> I guess it must be some kind of cache, ttl or similar that either Hostmon has or the Windows API that Hostmon uses.

HostMonitor does not use such cache.
Windows? I don't think this is a cache-related problem because process list can be retrieved but... we don't have that much information regarding Windows code.

> If there's anything I can do to help you debug this, just let me know. I'd be glad to help.

Or maybe just wait for Service Pack 1 for Windows 2012? :roll:
Usually they fix a lot of problems in SP, that's why we never officially support any new Windows prior to SP1 - too many problems and not enough info.

> Is there any difference in the way Hostmon receives the process list compared to the service list? Are you using remote registry or wmi or something else?

Yes, there is a difference but Process test requires the same things that are necessary for Services test + Performance Counters.

> Perhaps the list can be retrieved using snmp?

I don't think you can check how service works using SNMP (unless some specific service responds to SNMP requests).

Regards
Alex

Post by mrw »

> Or maybe just wait for Service Pack 1 for Windows 2012?
> Usually they fix a lot of problems in SP, that's why we never officially support any new Windows prior to SP1 - too many problems and not enough info.

Well, this problem is exactly the same when the target server is Windows 2008R2 with latest SP, so it's not a specific 2012 or 2008 problem.
But I would guess that the problem lies in the source (Hostmon) server. Either a "bug" in Hostmon or in the Windows OS itself.
On the target server I only see that the Hostmon server has tried to connect with the wrong credentials.