Hi,
We've installed FlexNet Manager Suite 2019 R2 in a highly secure customer environment, and its global policy will not allow the setting "Network access: Do not allow storage of passwords and credentials for network authentication" to be set to Disabled. In the installation guide it is stated that if it is Enabled, some errors appear in Windows Task Scheduler, but why exactly is this setting needed, and is there no other workaround (except using BMC Control M) to keep FNMS up and running in such highly secure customer environments?
Thanks & best regards
Oliver
‎Mar 09, 2020 12:25 PM
The Scheduled Tasks required by the Batch Processing server must be run using the Service Account, and to create a task in the Microsoft Task Scheduler automatically, you must provide the Logon and the Password so that the scheduled task will run as the Service Account.
In fact, if this policy is not Disabled, the PowerShell script that is run during the installation of FNMS will fail as it is not able to create the Scheduled Tasks.
‎Mar 09, 2020 12:29 PM
Hi,
Thanks for the reply, but is my assumption correct that it only needs to be Disabled during installation, to be able to run the PowerShell scripts, and during an upgrade? And in between, the setting could be set back to Enabled?
Thanks & best regards
Oliver
‎Mar 09, 2020 02:00 PM
@oqueck - The policy must always stay Disabled. If you enable the policy, Windows will delete all of the stored password credentials, and then all of the Scheduled Tasks will stop working.
‎Mar 09, 2020 03:24 PM
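A read-only audit for the dependency described in this thread, added here as an example and not posted by any participant or taken from Flexera: it reads the `DisableDomainCreds` LSA value that backs the policy and lists the scheduled tasks registered with a stored password. The report columns and the `$` suffix heuristic for managed accounts are assumptions of this example.

```powershell
# Added example, not Flexera code. Read-only; run elevated so all tasks are visible.
# The policy "Network access: Do not allow storage of passwords and credentials
# for network authentication" is backed by this LSA value (1 = Enabled).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$raw = (Get-ItemProperty -Path $lsaKey -Name 'DisableDomainCreds' `
            -ErrorAction SilentlyContinue).DisableDomainCreds
$policyEnabled = ($raw -eq 1)

# Tasks with LogonType 'Password' run whether or not the user is logged on
# and depend on a credential that Task Scheduler has saved for them.
$storedCredTasks = Get-ScheduledTask |
    Where-Object { [string]$_.Principal.LogonType -eq 'Password' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TaskPath    = $_.TaskPath
            TaskName    = $_.TaskName
            RunAs       = $_.Principal.UserId
            # Heuristic (assumption): names ending in '$' are usually managed
            # or computer accounts rather than ordinary user accounts.
            DollarAcct  = ([string]$_.Principal.UserId).EndsWith('$')
            LastRunTime = $info.LastRunTime
            LastResult  = '0x{0:X}' -f $info.LastTaskResult
        }
    }

$state = if ($policyEnabled) { 'Enabled' } else { 'Disabled or not configured' }
Write-Output "Credential storage restriction: $state (DisableDomainCreds = $raw)"
Write-Output "Tasks registered with a stored password: $(@($storedCredTasks).Count)"
$storedCredTasks | Sort-Object TaskPath, TaskName | Format-Table -AutoSize

if ($policyEnabled -and @($storedCredTasks).Count -gt 0) {
    Write-Warning 'Policy is Enabled while tasks above expect a stored password; review their LastResult values.'
}
```

Running it before and after a Group Policy change shows which tasks would be affected, and a non-zero `LastResult` on a listed task is the first place to look when a batch job stops running.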
A fix for this would be for FNMS to support Group Managed Service Accounts.
I've previously raised an enhancement request for this, as case 01826878.
Can I ask anyone experiencing this to please get Flexera Support to add your company/customer to that case?
In the long term, this will add weight to this issue, and get it fixed sooner.
thanks,
j
‎Mar 10, 2020 06:59 PM
Greetings.
I mostly work in environments where clients enable the disallowing of password storage. It's a medium STIG finding, but it is often their default nonetheless.
https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-3376
Question: WHY is it that the scheduled tasks run as the service account in the first place? I understand the concept of the beacon service running under the context of the service account, but not so much why the scheduled tasks do.
The client is asking me to explain this and I'm not aware of the appropriate answer. Because that's just how .NET applications do it?
Thanks,
Rob
‎Mar 25, 2020 02:15 PM
@raaron1 - Some of the Scheduled Tasks launch executables that connect to the FNMS databases and perform reading and updating of data. These connections are made using Windows Authentication, so by having the Service Account credentials the Scheduled Tasks will have the SQL Server authentication that is needed.
‎Mar 25, 2020 02:39 PM