Do not allow storage of passwords

oqueck
By Level 6 Flexeran
Hi,

We've installed FlexNet Manager Suite 2019 R2 in a high secure customer environment and its global policy will not allow the setting for Network access as being Do not allow storage of password and credentials for network authentication set to Disabled. In the installation guide it is stated that if it is Enabled some errors are appearing in Windows Task Scheduler but why exactly is this setting needed and is there no other workaround (except using BMC Control M) to keep FNMS up and running in such high secure customer environments?

Thanks & best regards

Oliver

(6) Replies

The Scheduled Tasks required by the Batch Processing server must be run using the Service Account, and to create a task in the Microsoft Task Scheduler automatically, you must provide the Logon and the Password so that the scheduled task will run as the Service Account.

In fact, if this policy is not Disabled, the PowerShell script that is run during the installation of FNMS will fail as it is not able to create the Scheduled Tasks.

Hi,

Thanks for the reply, but is my assumption correct, that it only needs to be Disabled during installation to be able to run the PowerShell scripts and during an upgrade? And in between the setting could be set back to Enabled?

Thanks & best regards

Oliver

@oqueck  - The policy must always stay Disabled.  If you enable the policy, Windows will delete all of the stored password credentials, and then all of the Scheduled Tasks will stop working.

A fix for this would be for FNMS to support Group Managed Service Accounts.

I've previously raised an enhancement request for this, as case 01826878.

Can I ask anyone experiencing this please get Flexera Support to add your company/customer to that case.

In the long term, this will add weight to this issue, and get it fixed sooner.

Thanks,

j

Greetings.

I mostly work in environments where clients enable the disallowing of password storage. It's a medium STIG finding but it is often their default nonetheless.

https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-3376

Question: WHY is it that the scheduled tasks run as the service account in the first place? I understand the concept of the beacon service running under the context of the service account but not so much why the scheduled tasks.

The client is asking me to explain this and I'm not aware of the appropriate answer. Because that's just how .NET applications do it? 

Thanks,

Rob 

@raaron1 - Some of the Scheduled Tasks launch executables that connect to the FNMS databases and perform reading and updating of data.  These connections are made using Windows Authentication, so by having the Service Account credentials the Scheduled Tasks will have the SQL Server authentication that is needed.
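
A read-only pre-check for the situation discussed in this thread, added here as an example and not taken from any poster or from Flexera: it reports whether the policy is currently Enabled and lists every scheduled task whose principal relies on a stored password, which are the tasks that stop working once the policy is enforced. It assumes the policy is backed by the `DisableDomainCreds` value under the LSA registry key and that the built-in ScheduledTasks module is available; the function name is hypothetical.

```powershell
# Added example (not FNMS code). Read-only: changes no policy and no task.
function Get-StoredCredentialTaskReport {
    [CmdletBinding()]
    param()

    # "Network access: Do not allow storage of passwords and credentials for
    # network authentication" maps to this LSA value: 1 = Enabled, 0 or absent = Disabled.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $lsa) -and ($lsa.DisableDomainCreds -eq 1)

    # Tasks registered with a logon name and password have a principal logon type
    # of Password (or InteractiveOrPassword). S4U, ServiceAccount and Group
    # principals do not store a password and are not affected by the policy.
    $passwordLogonTypes = @('Password', 'InteractiveOrPassword')

    Get-ScheduledTask |
        Where-Object { "$($_.Principal.LogonType)" -in $passwordLogonTypes } |
        ForEach-Object {
            [pscustomobject]@{
                TaskPath      = $_.TaskPath
                TaskName      = $_.TaskName
                RunAs         = $_.Principal.UserId
                LogonType     = "$($_.Principal.LogonType)"
                State         = "$($_.State)"
                PolicyEnabled = $policyEnabled
                # With the policy Enabled, the stored password is unavailable
                # and the task cannot start as its account.
                AtRisk        = $policyEnabled
            }
        }
}

# Usage: run elevated on the batch server, then review the accounts in RunAs.
$report = Get-StoredCredentialTaskReport
if (-not $report) {
    Write-Output 'No scheduled tasks depend on a stored password.'
} else {
    $report | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
}
```

Running it before and after a Group Policy refresh shows which service-account tasks would need an alternative such as the Group Managed Service Account support requested above.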