Purpose
This document is meant to provide a full overview of how credentials are entered, used, and work within the Shavlik Protect product.
Description
Credential Precedence for Physical Machines and Online Virtual Machines
Initiating actions from the home page, from a machine group, or from a favorite
The home page, machine groups and favorites can be used to initiate actions, patch scans, asset scans, power management, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:
- If one or more of the following are available, the credential with the highest precedence will be used. The precedence order is as follows:
a. Machine-level credentials
b. Group-level credentials
c. Integrated Authentication (Kerberos)
Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.
- If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
If neither of these credentials work, the scans and the power management tasks will fail.
One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.
Initiating an agent installation from a machine group
When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.
Initiating actions from Machine View or Scan View
When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:
- If one or more of the following are available, the Protect console will try to authenticate using the credential with the highest precedence, where the precedence order is as follows:
Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supply Credentials for Machines (used if the scan credentials are invalid or missing, for example, if an agent performed the scan rather than the console)
- If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.
If neither of these credentials work then the action will fail.
Initiating an agent installation from Machine View or Scan View
When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.
Credential Precedence for Offline Hosted Virtual Machines
Initiating actions from the home page, from a machine group, or from a favorite
The home page, machine groups and favorites can be used to initiate patch scans, asset scans, and power management actions and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each offline hosted virtual machine using the browse credentials.
Initiating actions from Machine View or Scan View
When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the credentials that will be used to authenticate to an offline virtual machine depends on the power state of the machine when it was initially scanned.
If a machine was originally scanned in offline mode
The program will attempt to authenticate using the browse credentials.
If a machine was originally scanned in online mode
The program will attempt to authenticate using a variety of credentials and will do so using the following strategy:
- Try using any manually or automatically assigned managed machine credentials
If the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:
The administrator credential from the machine group. If the administrator credential exists but fails, the default credentials will not be tried.
Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))
- If the credentials used above do not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.
Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.
If none of these credentials work then the action will fail.
Defining Credentials
The Define Credential dialog can be accessed anywhere a credential is used within the Shavlik Protect interface (for example, from a machine group, from the Credentials Manager, etc.). It is used to specify a new user name and password pair that collectively define one credential. The credential is stored with strong encryption techniques. Only the administrator that creates the credential will be able to decrypt the credential and access it from within the program. If you elect to share the credential, however, it will be made available to other administrators as well as to Shavlik Protect service components.
Note: Credentials may be automatically defined for you during a product upgrade or when importing a machine group. Any credentials that are found during these processes are preserved and will be assigned friendly names according to their usage. The term Discovery filter is the friendly name assigned by the program to a machine group credential that it identifies during an upgrade or import process. Feel free to change the name to something that more closely reflects the usage of the credential in your organization.
Name this credential so it can be used elsewhere | Provide a friendly name for this credential that describes exactly where it should be used. |
User name | Type a user name that has access to the machine(s). When specifying the user name:
|
Password | Type the password for the user. |
Verify password | Retype the password to verify you specified it correctly. |
Share this with background tasks, agents, and other features | If enabled, this credential will be available to all Shavlik Protect administrators and can be used to specify credentials for service components within the program. The service components within Shavlik Protect that require a shared credential include the following:
Why is it necessary to share a credential? Credentials are encrypted, so you must share a credential so that the service components can decrypt and access it when needed. Example: If you select Tools > Options > Proxy and attempt to assign Service credentials, only shared credentials are available for selection. The service must have a copy of the credential in order to decrypt it. Note: It is recommended that you create a service account to perform these service functions rather than using a domain administrator account. See Potential Security Implications When Sharing Credentials for more information. |
Supplying Scan Credentials for Target Machines
Note: Browse credentials are slightly different from the scan credentials described in this section. Browse credentials are used by servers, domains, and organizational units to enumerate machines but do not actually authenticate to the individual machines.
This section provides information on how to define new scan credentials and how to assign the credentials to target machines. Credentials consist of a user name and password pair used to authenticate the program to specified target machines. One credential can be associated with any number of operations or entities. The credentials are stored with strong encryption techniques and are not available to anyone except the user who provided them.
The scan credentials you supply will be used to access remote machines, perform any scans, and push any necessary files. The supplied credentials will NOT be used to:
- Authenticate to the local (console) machine
Rather, the program uses the credentials of the currently logged on user to authenticate to resources on the local machine. Therefore, in order to perform tasks on the local machine, make sure you log on using an account that has administrator and local machine access rights.
- Perform a patch deployment
The machine credentials that you supply are used to provide access to the remote machine and to push the necessary patch deployment files. The actual deployment, however, will be run under the remote machine's Local System account.
You use a machine group to initially assign scan credentials to target machines. You can assign credentials to individual machines, to all machines in a machine group, or both. After a machine has been scanned and is contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials if desired.
Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.
Assigning Credentials to Individual Machines in a Machine Group
To assign credentials to one or more machines in a machine group, in the bottom pane select the machines and then select Credentials > Set Admin Credentials.
On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.
When credentials are applied to the selected machines, the icon in the Admin Credentials column will become active. In addition, the name of the assigned credential is displayed next to the icon.
Assigning Credentials to All Machines in a Machine Group
To assign credentials to all machines in a machine group, in the top pane select Credentials > Set Credentials.
On the Assign Credentials dialog, select from the list of available credentials or click New to define new credentials.
When credentials are assigned the icon will contain a check mark:
In addition, the button name will change to the name of the assigned credential.
Assigning Credentials to Virtual Machines
There are several different tabs that can be used to add virtual machines to a machine group. The credentials that will be used to scan and/or deploy patches to these machines depends on how the machines are defined to the group and on the current power state of each machine.
- Hosted Virtual Machines tab: Used to add virtual machines that are hosted by a server. The credentials used to scan each machine depends on the current power state of the machine.
A hosted virtual machine that is offline at the time of a scan will be accessed using the server's browse credentials. Any individual credentials supplied for the machine are ignored.
- A hosted virtual machine that is online at the time of a scan will be accessed using scan credentials for that machine. See Assigning Credentials to Individual Machines in a Machine Group, above.
- Workstation Virtual Machines tab: Used to add offline virtual machines that reside on individual workstations. You should assign individual machine credentials for each virtual machine defined using this tab. If appropriate, credentials can also be assigned at the machine group level. The credentials are used during the mounting process and provide permission for Shavlik Protect to access the virtual machine files on the workstation. See Assigning Credentials to Individual Machines in a Machine Group, above.
Machine Name tab, Domain Name tab, or IP Address/Range tab: Used to add virtual machines that reside on individual workstations and that are online at the time of a scan. See Assigning Credentials to Individual Machines in a Machine Group, above.
Assigning New Credentials to Machines After They Have Been Scanned
After one or more machines have been scanned and are contained in Shavlik Protect 's database of managed machines, you can use the Machine Properties dialog to assign different credentials or to remove credentials.
There may be several reasons for providing different credentials to machines after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.
Managing Credentials
Important! If there are two or more administrators using Shavlik Protect, each administrator should provide their own machine credentials.
The Credentials Manager is used to manage all credentials used within the program. It is also used to set the default credential for the program.
Although you can supply new credentials from several different areas of the program, all of the credentials can be edited and deleted from this single location. This greatly simplifies the credentials management process. For example, if a password that is used to authenticate a specific group of machines changes, you simply use the Credentials Manager to update the associated credential. All items assigned to that credential are automatically updated with the new password.
To manage the credentials used by the program, select Manage > Credentials.
Add | Enables you to add a new credential. |
Edit | Enables you to modify the selected credential. |
Delete | Deletes the selected credential. You can delete multiple credentials at the same time. When you delete a credential the following occurs:
Caution! Any items using the deleted credential will no longer be assigned a credential. Before you delete a credential you should browse your machine groups to verify the credential is not being used. |
Merge | Tip: This credential cleanup tool will typically be used immediately following an upgrade from an earlier version of Shavlik Protect that does not contain the Credentials Manager. Enables you to merge one or more credentials that contain the same user name and password with another credential entry that also contains the same user name and password. Or you can merge several different credentials into one new credential that is effective in all situations. By eliminating duplicate and unneeded credentials you reduce confusion and lessen the chance for human error.
The Merge Credentials dialog is displayed. For example:
Note: A shared credential can only be merged with another shared credential. Therefore, if any of the credentials in the Confirm credentials to merge list are shared, then (1) only shared credentials will be offered for selection in the Existing box, and (2) any new credential you create will automatically be defined as a shared credential.
|
View usages | Enables you to see how and where the selected credentials are being used in the program. Only those credentials that are currently being used in the program will be displayed in the Credential Usages dialog. A credential may be listed multiple times if it is used in different areas of the program. You can right-click on any list item and perform a number of different actions.
|
Set as default | Assigns the selected credential as the default credential. The program will use the default credential if other credentials are missing or invalid. |
Clear default | Removes the default credential assignment. |
User Name | Displays the user name portion of each credential. |
Name | Displays the unique name assigned to each credential. |
Shared | Displays whether the credentials are shared credentials. The information in this column is directly related to the Share this with background tasks, Agents, and other features check box on the Define Credential dialog. |
Managing Individual Machine Properties (Explicitly supplied credentials)
You can set explicit credentials for machines via View > Machines > Right Click a machine > Machine Properties.
Credential: Specifies the credential used when authenticating Shavlik Protect to the machine. The credential you supply here will override credentials specified in other areas of the program. If you select None you effectively remove the credential currently assigned to the machine.
There may be several reasons for providing different credentials to a machine after a scan has been performed. If you have multiple administrators in your organization and each is responsible for a different domain, they will need to set their own credentials before performing an action. Or, your organization's policy may be to separate scan (assessment) duties from deployment duties, in which case different credentials are probably required.
How Shavlik Protect Manages Multiple Administrators
Shavlik Protect contains a number of built-in checks to guard against simultaneous and conflicting commands from different administrators. For example:
- The program will not allow duplicate group names or template names
The program will not allow simultaneous updates to any groups, templates, distribution servers, or agent policies by different administrators. If this situation should occur the second administrator will receive a warning message similar to the following:
- Only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of that task before the program will allow the administrator to continue.
- Note: The 'Take Ownership' button is only displayed if you have two or more consoles that share one database. If your organization uses multiple Shavlik Protect consoles that share the same database, only one console will be authorized to use the Database Maintenance tool. If an administrator at another console wants to perform maintenance on the database, that administrator must take ownership of the task before the program will allow the administrator to continue. Any existing maintenance tasks will be allowed to complete before ownership is transferred to another administrator.
Best Practices When Using Multiple Administrators
Recommendations
- You should upgrade your hardware platform by increasing the number of processors and the amount of installed memory on the console machine. This will increase performance in those instances when two or more administrators are logged on at the same time and performing tasks.
Minimum suggested hardware requirements for two administrators: 2 processor cores and 4 GB RAM
For each additional administrator, add 1 processor core and 1 GB RAM
For a high performance system, use 16 processor cores and 32 GB RAM
When two administrators log on to the same console they must use different accounts. The same account can be used only when logging on to different consoles.
If you edit a group that is typically used by another administrator you should notify that person about the change.
Each administrator should create their own credentials and assign them to machines.
Each administrator should define default credentials that are the same as their logon credentials. This will eliminate problems that may occur if the administrator forgets to assign machine credentials.
Potential Issues When Using Multiple Administrators
Usage Issues
You must take a few common sense precautions when using multiple administrators. Even though Shavlik Protect contains a number of built-in safety checks, it cannot guard against all possibilities. The program may act in unpredictable ways if the following occur:
- If two administrators try to scan the same machine group or ESXi Hypervisor at the same time.
The machines will be scanned twice, causing potential performance issues. In addition, there may be administrative rights errors due to the multiple connections.
- If two or more administrators try to deploy patches or bulletins to the same machine at the same time.
The most likely result is that one deployment task will succeed and the other will fail. But because the deployment that succeeds will likely perform a restart of the target machines, the machines may be in an unknown state when the other deployment fails.
Credential Issue
When you create credentials and assign them to machines, those credentials belong to your administrator account. If a different administrator (Administrator B) logs on and uses Shavlik Protect, they will not have access to the machine credentials you provided. The second administrator must provide their own machine credentials.
One of the ways this can be confusing is if Administrator B fails to provide their own machine credentials and tries to schedule a patch deployment from a scan that was performed by Administrator A. The deployment can be successfully scheduled if default credentials are available, but the actual patch deployment will likely fail because the patch deployment requires machine credentials -- credentials that were provided by Administrator A but that are not available to Administrator B.
Recommendations:
- Each administrator should create their own credentials and assign them to machines
Each administrator should define default credentials that are the same as their logon credentials. This will eliminate some of the problems that may occur if the administrator forgets to assign machine credentials.
Virtual Inventory Consideration
Unlike machine groups (which can be viewed by all administrators), vCenter Servers and ESXi Hypervisors can only be viewed by the administrator that added them to Shavlik Protect. If two different administrators want to manage the same vCenter Server or ESXi Hypervisors, both administrators must add the item to the Virtual Inventory list.
Additional Information
More information concerning credentials usage in Protect and possible known issues can be found in the following community documents:
Shavlik Protect Encryption Q&A
How-To troubleshoot Error 5 - Access is denied
Change Machine Credentials on Multiple Machines at Once
Account Lockout - Scheduler Service using Credentials
Affected Products
Shavlik Protect 9.x