-
1. Re: Question: Automation Principal and Domain Controller
Bill Robinson Apr 9, 2015 6:55 AM (in response to Preston Padgett)
- Connection initiated to agent
- Exports file is checked to ensure that the incoming connection from the client is authorized
- It is validated that the Role:User is listed in users or users.local file or access allowed through exports for the user
- Login as the user cred specified in AP
- Perform action as AP
-
2. Re: Question: Automation Principal and Domain Controller
Preston Padgett Apr 9, 2015 8:49 AM (in response to Bill Robinson)
At what point are the Automation Principals engaged, and how does the RSCD Agent use regkey "HKLM\Software\BladeLogic\RSCD Agent\BladelogicRSCDUser" to create the domain account to provide automation on more than one domain controller?
-
3. Re: Question: Automation Principal and Domain Controller
Bill Robinson Apr 9, 2015 8:55 AM (in response to Preston Padgett)
The AP doesn’t use the BladeLogicRSCD user account at all.
-
4. Re: Question: Automation Principal and Domain Controller
Preston Padgett Apr 9, 2015 9:03 AM (in response to Bill Robinson)
OK, so what information do I need to read to understand how Automation Principals work? I need to be able to explain how the account authenticates to the DC server and why accounts are being created as defined in Reg_sz.
-
5. Re: Question: Automation Principal and Domain Controller
Bill Robinson Apr 9, 2015 9:23 AM (in response to Preston Padgett)
What accounts are being created as ‘reg_sz’ and where?
The AP uses normal Windows authentication to whatever server it’s talking to. If it’s a member server then it should be like you are logging into the server, so it will hit the DC w/ the auth request.
-
6. Re: Question: Automation Principal and Domain Controller
Preston Padgett Apr 9, 2015 9:27 AM (in response to Bill Robinson)
Looks like I need to create a support ticket. Thanks for your help.
-
7. Re: Question: Automation Principal and Domain Controller
Bill Robinson Apr 9, 2015 9:33 AM (in response to Preston Padgett)
Why?
-
8. Re: Question: Automation Principal and Domain Controller
Preston Padgett Apr 9, 2015 9:42 AM (in response to Bill Robinson)
I would like to move forward with resolving the question/issue, and it would be easier for me to answer the last question in full detail via a support ticket.
-
9. Re: Question: Automation Principal and Domain Controller
Bill Robinson Apr 9, 2015 10:25 AM (in response to Preston Padgett)
ok..
but the AP isn't creating anything or shouldn't be. for the UPM we use the BladeLogicRSCD account. when you install on a DC, that does create the account in the domain. and then all of the DCs use the same account when you run things against the agents. there's a problem w/ that - there are things that can cause the domain level account to get locked out due to failed authentication attempts. so there's a registry key ("HKLM\Software\BladeLogic\RSCD Agent\BladelogicRSCDUser") that lets you define another account name to use. so someone manually created that. and then on agent startup, the account name in that key will be created in the domain. so if you see BladeLogicRSCD_dcname, that means that someone went in and set that key and value on each of your DCs. i'm fairly certain we are not automatically setting that (we had talked about it though).
but this has nothing to do w/ the AP. so as long as UPM is still enabled on the DCs then either the account specified in that registry key, or 'BladeLogicRSCD' is going to be created in your domain when the agent starts on the DCs.
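
One way to audit the behaviour described in the last reply, as an added example that is not part of the thread or the vendor's own tooling: for each domain controller, read the override, work out which UPM account the agent would create at startup, and check whether that account exists and is locked out. It assumes the ActiveDirectory (RSAT) module, PowerShell remoting to the DCs, and that `BladelogicRSCDUser` is a string value under the `RSCD Agent` key.

```powershell
# Added audit sketch (not vendor code). Assumptions: RSAT ActiveDirectory module,
# PowerShell remoting enabled on the DCs, and BladelogicRSCDUser stored as a
# string value under the "RSCD Agent" key named in the thread.
Import-Module ActiveDirectory

$KeyPath     = 'HKLM:\Software\BladeLogic\RSCD Agent'
$ValueName   = 'BladelogicRSCDUser'
$DefaultName = 'BladeLogicRSCD'   # account used when no override is set (per the thread)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Read the override on the DC itself; $null means the value is absent.
    try {
        $override = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $KeyPath, $ValueName
        $reachable = $true
    } catch {
        # Do not report the default for a DC that could not be queried.
        $override = $null; $reachable = $false
    }

    $hasOverride = -not [string]::IsNullOrWhiteSpace($override)
    $effective   = if (-not $reachable) { $null }
                   elseif ($hasOverride) { "$override".Trim() }
                   else { $DefaultName }

    # Look the account up by sAMAccountName; a missing account returns nothing.
    $acct = if ($effective) {
        Get-ADUser -Filter "SamAccountName -eq '$effective'" -Properties LockedOut, whenCreated
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Reachable        = $reachable
        OverrideSet      = $hasOverride
        EffectiveAccount = $effective
        ExistsInDomain   = [bool]$acct
        LockedOut        = $acct.LockedOut
        Created          = $acct.whenCreated
    }
}
$report | Sort-Object EffectiveAccount, DomainController | Format-Table -AutoSize

# DCs that resolve to the same account also share its lockout state.
$report | Where-Object EffectiveAccount | Group-Object EffectiveAccount |
    Where-Object Count -gt 1 |
    ForEach-Object { "Shared by $($_.Count) DCs: $($_.Name)" }
```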