Hi,
I am in the process of eliminating one RMA agent so I´m transferring all tests on 4 target servers to use another RMA agent on another subnet and domain. All traffic is permitted between those subnets.
To do this I set up a connection in Connection Manager for the entire target subnet and the user is that domains administrator.
Two of the servers are running 2008R2 and all tests work fine. those tests include "CPU Usage", "Drive Space", "Memory(using WMI)" and ping and lots of SNMP checks.
The other two servers are running 2012 and all tests work EXCEPT "Drive Space", "Memory(using WMI)".
When I check the security log on those target servers I can see that it gets access denied when trying those tests. It tries to use an account on the domain that the RMA agent resides in and not those I specified in Connection Manager. Why?
I have restarted both the RMA server and the 2 2012 servers, I have waited 2 days just in case there´s some cache that will timeout.
I also have tried another RMA agent on another server, also in a different domain/subnet and it´s the exact same issue. The tests on the 2008R2 work but not the ones on the Win2012.
I have verified that all RMAs are allowed to use WMI. I have allowed everything..
Nothing has worked. If I simply switch back to the old RMA agent the work immediately.
Could there be some security issues with WMI access that has changed with 2012? Perhaps it only allows access from it´s own subnet?
Please advise.
//Andreas..
Credential problems on Win2012
-
KS-Soft Europe
- Posts: 2832
- Joined: Tue May 16, 2006 4:41 am
- Contact:
It's not clear where (OS) is installed RMA and what is target system.
Both are Windows Server 2012?
If all other test items are working well, it looks like DCOM security issue.
Please check if DCOM remote access permissions and DCOM remote launch and activation permissions are enabled for user accounts used for WMI tests.
These option can be accessed using DCOMCNFG -> Component Services -> Computers -> My Computer -> Properties (of My Computer) -> "COM Security" tab: Access permissions->Edit Limits and Launch and Activation Permissions->Edit Limits.
Please check for details in the following MS article:
http://msdn.microsoft.com/en-us/library ... s.85).aspx
Both are Windows Server 2012?
If all other test items are working well, it looks like DCOM security issue.
Please check if DCOM remote access permissions and DCOM remote launch and activation permissions are enabled for user accounts used for WMI tests.
These option can be accessed using DCOMCNFG -> Component Services -> Computers -> My Computer -> Properties (of My Computer) -> "COM Security" tab: Access permissions->Edit Limits and Launch and Activation Permissions->Edit Limits.
Please check for details in the following MS article:
http://msdn.microsoft.com/en-us/library ... s.85).aspx
The server where the RMA is installed is a Win2008R2(Core) and the target systems that I can´t get these tests to work are both Win2012. The Hostmon server itself is a Win2008R2.
I checked the COM security properties on both target servers and chose to allow "everyone" all access permissions. Some were not set but are now. But it didn´t help.
But since I still see in the target servers security log that the RMA server is trying to connect with the wrong credentials. If it just used the correct account I´m guessing that the tests would work.
I checked the COM security properties on both target servers and chose to allow "everyone" all access permissions. Some were not set but are now. But it didn´t help.
But since I still see in the target servers security log that the RMA server is trying to connect with the wrong credentials. If it just used the correct account I´m guessing that the tests would work.
HostMonitor version?
RMA version?
"old RMA" version?
How exactly target server specified in Test Properties dialog? IP? hostname? FQDN?
How exactly accounts specified in Connection Manager dialog? IP range? Could you sent connlist.lst to support@ks-soft.net?
May be you are using IP range (or IP address) for Connection Manager record and you are using hostname or FQDN for test itself and HostMonitor/RMA cannot resolve hostname to IP for some reason so it cannot find correct account and uses default account...
Try to setup record for specific target server using the same hostname you are using for the test.
Regards
Alex
RMA version?
"old RMA" version?
How exactly target server specified in Test Properties dialog? IP? hostname? FQDN?
How exactly accounts specified in Connection Manager dialog? IP range? Could you sent connlist.lst to support@ks-soft.net?
May be you are using IP range (or IP address) for Connection Manager record and you are using hostname or FQDN for test itself and HostMonitor/RMA cannot resolve hostname to IP for some reason so it cannot find correct account and uses default account...
Try to setup record for specific target server using the same hostname you are using for the test.
Regards
Alex
Hostmon: 9.50
RMA: 4.60
Old RMA: 4.60
In the tests the servers are specified using ipadress. That´t how I do ALL my tests. some with \\ infront like for CPU. I never use hostname or fqdn.
I´m not comfortable sending you that file since I assume it contains all my passwords?
But I can do a screendump and email it. This particular server is the x.130.
I also tried to set that whole subnet but that didn´t change anything so I have all servers in that subnet as separate resources.
And just for test I tried replacing a test with a hostname and redoing that connection resource ti fqdn. The RMA server can resolve fqdn so that should work to. But it´t still the exact same problem.
RMA: 4.60
Old RMA: 4.60
In the tests the servers are specified using ipadress. That´t how I do ALL my tests. some with \\ infront like for CPU. I never use hostname or fqdn.
I´m not comfortable sending you that file since I assume it contains all my passwords?
But I can do a screendump and email it. This particular server is the x.130.
I also tried to set that whole subnet but that didn´t change anything so I have all servers in that subnet as separate resources.
And just for test I tried replacing a test with a hostname and redoing that connection resource ti fqdn. The RMA server can resolve fqdn so that should work to. But it´t still the exact same problem.
We checked our code yesterday, everything looks fine.
May be there is some mistake in the file but we cannot check this using screen shot.
Yes, there are passwords in the file (if you have time, you can make copy of the file, replace all passwords with some string, e.g. "123", send file to us, stop HostMonitor, restore file from copy, start HosMonitor).
Another possible test:
Do you have Windows 2008 (Windowx XP, Windows 2003) server in the same subnet? If RMA installed on Windows 2008/2003 uses correct account information and test works, but it does not work on Windows 2012 (the same subnet) and RMA uses wrong account, then it must be some Windows bug because RMA get account information from one source (HostMonior)
That's why offilially we never support any new Windows before SP1 - not enough information about new bugs...
BTW Windows 2008/7/20012 has bug in Event Log API, it does not work well with multithreaded applications. And it looks like problem appears more often when you use Windows 2012.
Regards
Alex
May be there is some mistake in the file but we cannot check this using screen shot.
Yes, there are passwords in the file (if you have time, you can make copy of the file, replace all passwords with some string, e.g. "123", send file to us, stop HostMonitor, restore file from copy, start HosMonitor).
Another possible test:
Do you have Windows 2008 (Windowx XP, Windows 2003) server in the same subnet? If RMA installed on Windows 2008/2003 uses correct account information and test works, but it does not work on Windows 2012 (the same subnet) and RMA uses wrong account, then it must be some Windows bug because RMA get account information from one source (HostMonior)
That's why offilially we never support any new Windows before SP1 - not enough information about new bugs...
BTW Windows 2008/7/20012 has bug in Event Log API, it does not work well with multithreaded applications. And it looks like problem appears more often when you use Windows 2012.
Regards
Alex
Well, the RMA is installed on a 2008R2 now on the server in a different subnet from the targets. And all the tests that RMA does works on 2008R2 targets
The old RMA in the same subnet is also on a 2008R2.
And the RMA gets the correct account information from hostmon since it uses those credentials for the other servers. If I change anything else the tests stop working.
But is there a log of this on the RMA perhaps? That states if it gets the correct account information from hostmon when it will do the tests? Or a log on the RMA that states which account it uses for a test? Just to be sure to know what the RMA does?
The old RMA in the same subnet is also on a 2008R2.
And the RMA gets the correct account information from hostmon since it uses those credentials for the other servers. If I change anything else the tests stop working.
But is there a log of this on the RMA perhaps? That states if it gets the correct account information from hostmon when it will do the tests? Or a log on the RMA that states which account it uses for a test? Just to be sure to know what the RMA does?
Got this reply on my email:
;--
Could you try the following:
1. try to specify <target server ip> as "Server or Domain" option in Connection manager
2. try to specify * as "Server or Domain" option in Connection manager
;--
And it worked!
I changed the "Server or Domain" to * and changed the user to customers.local\administrator, and everything worked as it should!
Not that the solution itself was very logical, but it worked for me!
Thank you very much!
//Andreas..
;--
Could you try the following:
1. try to specify <target server ip> as "Server or Domain" option in Connection manager
2. try to specify * as "Server or Domain" option in Connection manager
;--
And it worked!
I changed the "Server or Domain" to * and changed the user to customers.local\administrator, and everything worked as it should!
Not that the solution itself was very logical, but it worked for me!
Thank you very much!
//Andreas..