Changing the Application Identity account password
search cancel

Changing the Application Identity account password

book

Article ID: 156852

calendar_today

Updated On:

Products

IT Management Suite Client Management Suite Server Management Suite

Issue/Introduction

There is a need to change the password of the Application Identity (AppID) that the Symantec Management Platform (SMP) runs under.

NOTE: Symantec does not recommend changing the password for the Application Identity due to possible account lockouts that will likely follow.  The steps below outline the proper procedure for changing the App ID password: Swap out the App ID with a Temporary account, change the AppID password, and Swap the AppID account back.

Environment

ITMS 8.x

Resolution

Preferred method:

    1. Make sure that the Symantec Installation Manager is at the latest version.  If not, upgrade it.
    2. Create or use a separate account:
      1. Give the new account (ID) the same rights/permissions as the original AppID account in Windows (If using Active Directory you can clone the original)
      2. Make the new account a member of the “Symantec Administrator” role on the Symantec Management Platform (Add or clone the original account under Settings- Security- Account Management)
      3. Add the new account to the SQL server under Security- Logins and give it DBO and Public access to the Symantec_CMDB database.
    3. Reconfigure the Application Identity (This is where you switch from the old account to the newly created account)
      1. Open up Symantec Installation Manager and select “Configure settings” > “Configure NS Settings” and click “Next”
      2. Enter the new account and its password and click “Next”
      3. Click “Configure”
    4. Optional: Verify that the Altiris services are now configured to use the new account
      1. Go to Services -- Server Manager > Configuration > Services and verify the Altiris Service, Altiris File Receiver, and Altiris Client Message Dispatcher are using the new account.
      2. There are a total of eight different Altiris Services, the three mentioned in step 1 are the main services for the NS Console.
    5. Change the password of the original application identity account.  (If using Active Directory you will change the password there)
    6. Test the new password by attempting to log in to the NS with the App Identity and the new password
    7. Follow step 3 again with the desired account (To switch back to the original account with the new password)
Important: If you are using IT Analytics you will need to update the password for the Reporting Services Data Source using the steps found in the following KB: Change stored credentials on IT Analytics Reporting Server Configuration
 

NOTE: Do NOT change the name of the current App ID account in Active Directory while it is being used as the App ID.

Alternate method: 

Method 1:  Using a Temporary Account. 

  1. Create a new temporary account for use during this password change process.
    NOTE: The temporary account needs to have equivalent security rights as the application identity account to both active directory rights and SQL.  (An existing account with these rights can be used.)
  2. Pre-ITMS 8.5:
    In the console, navigate to: Settings > All Settings > Notification Server > Notification Server Settings.  Under the Processing tab, enter the temporary account and password in the Application Identity field.  Click the save changes. 
    Post-ITMS 8.5:
    1. Make sure that the Symantec Installation Manager is at the latest version.
    2. Reconfigure the Application Identity (This is where you switch from the old id to the newly created one)
      1. Start> Symantec Installation Manager
      2. Select “Configure settings”
      3. Select “Configure NS Settings” and click “Next”
      4. Enter the separate account that is to be used and its password and click “Next”
      5. Click “Configure”
  3. In Active Directory, Change the permanent Application Identity password.
  4. Again navigate to:
    Pre-ITMS 8.5:
    Settings > All Settings > Notification Server > Notification Server Settings.  Under the Processing tab, change the temporary account back to the permanent account and enter the new password in the Application Identity field.  Save the changes.  
    Post-ITMS 8.5
    1. Start> Symantec Installation Manager
    2. Select “Configure settings”
    3. Select “Configure NS Settings” and click “Next”
    4. Enter the separate account that is to be used and its password and click “Next”
    5. Click “Configure”
  5. Manually update the credentials for any task, job, or policy that was set to use the AppID when created.  The following KB may also be helpful: Determine if a task or policy is being run under a specified user account
    NOTE: Later versions of ITMS added new reports to find a Job or Task has been configured to use custom credentials, such as App ID, and these reports are under Reports > Notification Server Management > Server > Account Management

 

 

Additional Information

While the above options are recommended, these option can be used.  They were more common Pre-ITMS 8.5:

Method A:  IIS Session Cache/Persistence.  

NOTE: Only use this method if you are confident in IIS cache and session persistence not being interrupted from start to finish.  Before the AppID password has changed, and access to SMP console is still available.  If this method fails, Method B will be required to be followed.

(If access is no longer possible, you will need to use the command line tool listed in Method B, below.)

  • Before changing the AppID password in Active Directory (AD):
    1. Log into the SMP console with an account that is assigned to the Symantec Administrator role that is not the AppID
    2. Navigate to: Settings > All Settings > Notification Server > Notification Server Settings
      • If you can't click on the service account shown in blue under the Application Identity section, open the Symantec Installation Manager > Configure Settings > Configure NS Settings
    3. Leave this page open in the web browser and make the changes in AD for the AppID.
  • After the changes to AD have propagated to all Domain Controllers:
    1. Return to the SMP console and update the fields for the AppID 
      • As mentioned in step 2, if you can't change the AppID there, put the new password in 'Symantec Installation Manager > Configure Settings > Configure NS Settings', Press Next > Finish
      • In this case, the services will also restart automatically so you can jump to step 5.
    2. Click "Save Changes"
    3. Click on "Restart Services"
    4. Restart IIS by running IISRESET from an administrator command prompt window.
    5. Manually update the credentials for any task, job, or policy that was set to the AppID when created. (By default there are none, but it is possible to manually set this when editing the item).

Note: You will need to manually update the WMI protocol credentials (or you will get audit failures) which can be found in the management console under Settings, All Settings, Monitoring and Alerting, Protocol Management, Connection Profiles, Manage Connection Profiles, select the Default Connection Profile, edit the profile, and go down to the WMI section. Alternatively, you can use a domain account that has local admin rights on your systems or disable the WMI section altogether if you are not using components like the power on computers if necessary feature, Network Discovery, Inventory for Network Devices (agent-less inventory), Monitor Solution, Real-Time System Manager, etc.

Method B: Command line or recovery option:

Command line tool if access to the SMP console is no longer possible, or a need to script the task is needed.

The aexconfig.exe utility can be used to set the AppID and/or AppID password. (from \Notification Server\bin directory and run aexconfig /? to see additional options).

  1. To change the AppID setting use the /svcid switch. This switch will require a username and password. Substitute the appropriate domain, username, and password into the syntax below and run it from an administrator command prompt. You should run it from the directory where you have installed the Symantec Management Platform. By default, this is C:\Program Files\Altiris\Notification Server\Bin.
  2. AeXConfig.exe /svcid user: password:
    Example: AeXConfig /svcid user: OurDomain\administrator password:pw.
  3. Restart IIS.
  4. Note: If the Password contains special characters, it is necessary to include the password in quotes.  password:"p@ssw0rd". Also, avoid using the "!" character if possible. This tool is a command line tool, and that character can be difficult for the command line to ignore even within quotes.

Also Remember: If you are using IT Analytics you will need to update the password for the Reporting Services Data Source using the steps found in the following KB article: Change stored credentials on IT Analytics Reporting Server Configuration 

 

Powered by Wolken Software