Changing the Application Identity account password

Article ID: 156852

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

There is a need to change the password of the Application Identity (AppID) that the Symantec Management Platform (SMP) runs under.

 

NOTE: Symantec does not recommend changing the password for the Application Identity, because account lockouts can result. The steps below walk through the proper procedure for changing the AppID password: swap out the AppID for a temporary account, change the AppID password, then swap the AppID account back.

Resolution

Preferred method for 8.5 and prior versions
  1. Make sure that the Symantec Installation Manager is at the latest version.
  2. Create or use a separate account that matches the current App ID:
    1. An account that has the same rights/permissions as the original AppID account in Windows (If using Active Directory you can clone the original)
    2. A member of the “Symantec Administrator” role on the Symantec Management Platform (Add or clone the original account under Settings > Security > Account Management)
    3. DBO and Public access to the Symantec_cmdb database (Add the account to the SQL server under Security > Logins)
  3. Reconfigure the Application Identity (This is where you switch from the old id to the newly created one)
    1. Start > Symantec Installation Manager
    2. Select “Configure settings”
    3. Select “Configure NS Settings” and click “Next”
    4. Enter the separate account that is to be used and its password and click “Next”
    5. Click “Configure”
  4. Optional: Verify that the Altiris services are now configured to use the new account
    1. Go to Services (Server Manager > Configuration > Services) and verify that the Altiris Service, Altiris File Receiver and Altiris Client Message Dispatcher are using the new account.
    2. There are a total of eight different Altiris Services; the three above are the main services for the NS Console.
  5. Change the password of the original application identity account.  (If using Active Directory you will change the password there)
  6. Test the new password by attempting to log in to the NS with the App Identity and the new password
  7. Follow step 3 again with the desired account (To switch back to the original id with the new password)
Important: If you are using IT Analytics you will need to update the password for the Reporting Services Data Source using the steps found in KB 157464.
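
A scripted form of the optional verification in step 4, as an added example that is not part of the original article: it lists every service whose display name starts with "Altiris" and marks any that still run under a named account other than the expected one. The account name OurDomain\svc-smp-temp is a constructed placeholder, and matching on the display-name prefix is an assumption based on the three service names given in step 4.

```powershell
# Added example (not from the vendor article). Run on the SMP server from an
# elevated PowerShell prompt after step 3, and again after step 7.
param(
    # Constructed placeholder: the account the AppID was just switched to.
    [string]$ExpectedAccount = 'OurDomain\svc-smp-temp'
)

# Built-in identities are not affected by an AppID change, so they are not flagged.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# Assumption: every SMP service has a display name starting with "Altiris",
# like the three services named in step 4.
$services = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'Altiris%'")
if ($services.Count -eq 0) {
    throw 'No service with a display name starting with "Altiris" was found.'
}

$report = foreach ($svc in $services) {
    $status = if ($svc.StartName -in $builtIn) {
        'built-in'
    } elseif ($svc.StartName -ieq $ExpectedAccount) {
        'expected'
    } else {
        'REVIEW'
    }
    [pscustomobject]@{
        DisplayName = $svc.DisplayName
        State       = $svc.State
        LogOnAs     = $svc.StartName
        Status      = $status
    }
}
$report | Sort-Object DisplayName | Format-Table -AutoSize

# Anything marked REVIEW still runs under another named account,
# for example the previous AppID.
$review = @($report | Where-Object Status -eq 'REVIEW')
if ($review.Count -gt 0) {
    Write-Warning ("{0} Altiris service(s) do not use {1}." -f $review.Count, $ExpectedAccount)
}
```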
 
 
Alternate methods for 8.5 and prior versions: 

Method 1:  Using a Temporary Account. 

  1. Create a new temporary account for use during this password change process.
    NOTE: The temporary account needs security rights equivalent to those of the Application Identity account, in both Active Directory and SQL.  (An existing account with these rights can be used.)
  2. In the console, navigate to: Settings > All Settings > Notification Server > Notification Server Settings.  Under the Processing tab, enter the temporary account and password in the Application Identity field.  Click Save changes.
  3. In Active Directory, change the permanent Application Identity password.
  4. Again navigate to: Settings > All Settings > Notification Server > Notification Server Settings.  Under the Processing tab, change the temporary account back to the permanent account and enter the new password in the Application Identity field.  Save the changes.  
  5. Manually update the credentials for any task, job, or policy that was set to use the AppID when created. (By default there are none, but it is possible to manually configure this when creating or editing the item).

 

Method 2:  IIS Session Cache/Persistence.  Only use this method if you are confident that the IIS cache and session persistence will not be interrupted from start to finish.  It must be started before the AppID password has changed, while access to the SMP console is still available.  If this method fails, Method 3 must be followed.

(If access is no longer possible, you will need to use the command line tool listed in Method 3, below.)

  • Before changing the AppID password in Active Directory (AD):
    1. Log into the SMP console with an account that is assigned to the Symantec Administrator role that is not the AppID
    2. Navigate to: Settings > All Settings > Notification Server > Notification Server Settings
    3. Leave this page open in the web browser and make the changes in AD for the AppID.
  • After the changes to AD have propagated to all Domain Controllers:
    1. Return to the SMP console and update the fields for the AppID
    2. Click "Save Changes"
    3. Click on "Restart Services"
    4. Restart IIS by running IISRESET from an administrator command prompt window.
    5. Manually update the credentials for any task, job, or policy that was set to the AppID when created. (By default there are none, but it is possible to manually set this when editing the item).

Note: You will need to manually update the WMI protocol credentials (or you will get audit failures). They can be found in the management console under Settings > All Settings > Monitoring and Alerting > Protocol Management > Connection Profiles > Manage Connection Profiles: select the Default Connection Profile, edit the profile, and go down to the WMI section. Alternatively, you can use a domain account that has local admin rights on your systems, or disable the WMI section altogether if you are not using components such as the "power on computers if necessary" feature, Network Discovery, Inventory for Network Devices (agent-less inventory), Monitor Solution, Real-Time System Manager, etc.

 

Method 3: Command line or recovery option:

Use the command line tool if access to the SMP console is no longer possible, or if the task needs to be scripted.

The aexconfig.exe utility can be used to set the AppID and/or AppID password. (Run aexconfig /? from the \Notification Server\bin directory to see additional options.)
   

  1. To change the AppID setting use the /svcid switch. This switch will require a user name and password. Substitute the appropriate domain, username, and password into the syntax below and run it from an administrator command prompt. You should run it from the directory where you have installed the Symantec Management Platform. By default, this is C:\Program Files\Altiris\Notification Server\Bin.
  2. AeXConfig.exe /svcid user: password:
    Example: AeXConfig /svcid user:OurDomain\administrator password:pw.
  3. Restart IIS.
  4. Note: If the password contains special characters, it is necessary to enclose the password in quotes:  password:"[email protected]". Also, avoid using the "!" character if possible. This is a command line tool, and that character can be difficult for the command line to ignore even within quotes.

Also Remember: If you are using IT Analytics you will need to update the password for the Reporting Services Data Source using the steps found in KB 157464.
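
One way to script Method 3, as an added example that is not part of the original article: it prompts for the AppID credentials, checks them against the domain before anything is changed, then runs AeXConfig with the /svcid syntax shown above and restarts IIS. It assumes the default installation path, and the meaning of AeXConfig's exit code is an assumption.

```powershell
# Added example (not from the vendor article). Run on the SMP server from an
# elevated PowerShell prompt, after the AppID password has been changed in AD.
$binDir = 'C:\Program Files\Altiris\Notification Server\Bin'  # default path per the article
$exe    = Join-Path $binDir 'AeXConfig.exe'
if (-not (Test-Path $exe)) { throw "AeXConfig.exe not found in $binDir" }

# Prompt for the credentials so the password is never saved in a script file.
$cred = Get-Credential -Message 'AppID account (DOMAIN\user) and its new password'
$net  = $cred.GetNetworkCredential()   # splits DOMAIN\user into Domain and UserName
if (-not $net.Domain) { throw 'Enter the account in DOMAIN\user form.' }
if ($net.Password.Contains('"')) {
    throw 'This script does not handle a double quote in the password.'
}

# Check the password against the domain before touching the SMP configuration.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx     = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ctxType, $net.Domain)
try {
    if (-not $ctx.ValidateCredentials($net.UserName, $net.Password)) {
        throw 'The domain rejected these credentials; AeXConfig was not run.'
    }
} finally {
    $ctx.Dispose()
}

# PowerShell starts the program directly (no cmd.exe) and passes each quoted
# string below as one argument, adding quotes itself if it contains spaces.
Push-Location $binDir
try {
    & $exe /svcid "user:$($net.Domain)\$($net.UserName)" "password:$($net.Password)"
    # Assumption: a non-zero exit code means failure; the article does not say.
    if ($LASTEXITCODE -ne 0) { throw "AeXConfig exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}

iisreset   # step 3: restart IIS
```

The password still reaches AeXConfig as a command-line argument, so it is recorded wherever process command-line auditing is enabled; restrict access to those logs accordingly.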