As a new environment is being set up for the SMP (Symantec Management Platform) server and the SMA (Symantec Management Agent), there are usually questions about what types of credentials are needed and which rights each one requires.
ITMS 8.7.x and 8.8
SIM Credential – This is the user account used to run the Symantec Installation Manager (SIM). This user must be a member of the local Administrators group; either a local or a domain administrator will work.
App Identity (AppID) Credential (also referred to as the Service Account) – This is the user context that the console and several other ITMS processes run under by default. It is highly recommended that a dedicated service account be created for the App Identity credential. The App Identity credential, as well as the Classic .NET AppPool and DefaultAppPool identities, need the "Log on as a service" right.
The AppID that you define requires the following permissions:
Local administrator permissions on Notification Server and any remote Windows computers to which you want to install the Symantec Management Agent.
Permission to act as part of the operating system and log on as a batch job and a service.
Permission to log on to the SQL server. If the user ID does not have this permission, you can specify a different user name and password to log on to the CMDB (see the Database Access Credential below).
Permission to connect to any SQL server to which Notification Server may attach. For example, an SMS database for Web Administrator for SMS or Lease database for Contract Management Solution.
A common question about the AppID account is why the Application Identity (AppID) account must be a Windows user with local administrator rights on the Notification Server (Symantec Management Platform). The reasons are:
Why it must be a Windows account
SMP is an IIS web application plus platform services that run in a Windows logon context. IIS worker processes, COM+/DCOM components, scheduled tasks, and services all execute as a Windows identity; the console and several SMP processes run under the AppID by default. So the identity has to be a Windows user, not just a SQL login or abstract credential.
Why it needs local admin on the NS
Local admin is required because the AppID has to touch a lot of privileged surfaces on the Notification Server. If it is not a local admin, you would have to grant by hand the long list of granular permissions that Broadcom historically calls out (registry keys, DCOM launch and activation, the IIS configuration, the COM+ AeXNS package), and that approach is brittle and unsupported.
Bottom line:
SMP is a Windows/IIS application that runs its server-side work as the AppID. Making that identity a "Windows account with local Administrator rights on the Notification Server" is the supported way to ensure it can operate IIS, COM/DCOM, services, registry, filesystem, and database connectivity without fragile ACL workarounds.
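The rights listed above can be audited before SIM is run. The following script is an added example (not code from the Broadcom KB or the product) that checks a candidate AppID account on the Notification Server for local Administrators membership and for the "Log on as a service", "Log on as a batch job" and "Act as part of the operating system" rights, by exporting the local security policy with secedit and parsing its [Privilege Rights] section. It also checks the two IIS application pool identities for "Log on as a service". The account name CORP\svc-smp-appid is a hypothetical placeholder, and the script assumes it is run in an elevated PowerShell session on the NS itself.

```powershell
# Added example, not from the KB: audit a candidate App Identity (AppID) account
# on the Notification Server for the rights the article lists. Assumptions: run in
# an elevated PowerShell on the NS; the default account name below is hypothetical.
param(
    [string]$AppIdAccount = 'CORP\svc-smp-appid'   # hypothetical AppID account
)

$ntAccount = New-Object System.Security.Principal.NTAccount($AppIdAccount)
$appIdSid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# 1. Direct membership in local Administrators (nested group membership is not expanded).
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $appIdSid })

# 2. User rights: export the local security policy and parse the [Privilege Rights]
#    section. secedit writes each right as "SeXxx = *SID,*SID,..." in a UTF-16 file.
$cfg = Join-Path $env:TEMP ('user-rights-' + [guid]::NewGuid() + '.inf')
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item -Path $cfg -Force

function Test-UserRight {
    param([string]$Right)
    $holders = $rights[$Right]
    if (-not $holders) { return $false }
    # Granted directly, or inherited through local Administrators when the account is a member.
    return ($holders -contains $appIdSid) -or
           ($isLocalAdmin -and ($holders -contains $adminsSid))
}

# Rights the KB requires for the AppID on the NS, keyed by their policy constant.
$required = [ordered]@{
    'SeServiceLogonRight' = 'Log on as a service'
    'SeBatchLogonRight'   = 'Log on as a batch job'
    'SeTcbPrivilege'      = 'Act as part of the operating system'
}

$report = @(foreach ($r in $required.Keys) {
    [pscustomobject]@{ Check = $required[$r]; Constant = $r; Granted = (Test-UserRight -Right $r) }
})
$report += [pscustomobject]@{ Check = 'Member of local Administrators'; Constant = 'BUILTIN\Administrators'; Granted = $isLocalAdmin }

# The IIS application pool identities also need "Log on as a service". Their virtual
# accounts only resolve where IIS is installed, so a failure is reported, not thrown.
foreach ($pool in 'IIS APPPOOL\DefaultAppPool', 'IIS APPPOOL\Classic .NET AppPool') {
    try {
        $poolSid = (New-Object System.Security.Principal.NTAccount($pool)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $granted = [bool]($rights['SeServiceLogonRight'] -contains $poolSid)
    } catch {
        $granted = 'unresolved (IIS not installed?)'
    }
    $report += [pscustomobject]@{ Check = "$pool - Log on as a service"; Constant = 'SeServiceLogonRight'; Granted = $granted }
}

$report | Format-Table -AutoSize
# Non-zero exit code if anything is missing, so the script can gate an automated build.
if ($report | Where-Object { $_.Granted -ne $true }) { exit 1 }
```

Rights granted through a group other than local Administrators (for example a domain group that is itself a member of Administrators) are not followed by this check, so a "missing" result for such an account should be confirmed with whoami /priv in a logon session for that account.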
Agent Connectivity Credential – This credential is used by the agent to download packages over UNC shares. By default it is the same as the App Identity, but it can be set up as a separate credential.
Package Access Credential – This credential is used by the Notification Server to access packages that are not on its local file system. By default it is the same as the App Identity, but it can be set up as a separate credential.
Database Access Credential – This credential is used to access and modify the database and requires db_owner rights on the Symantec_CMDB database.
There are two good ways to approach preparing for database setup.
1. Create an empty NS database before running SIM. (More secure)
a. The SQL administrator creates an empty NS database and then adds the Database Access Credential to the db_owner role.
b. This allows the SQL administrator to limit the abilities of the Database Access Credential to just the NS database.
2. The SQL administrator adds the Database Access Credential to the dbcreator server role on the SQL server.
a. This allows the administrator installing SIM to provide the database name at install time; the credential becomes the owner (dbo) of the database SIM creates. Because dbcreator is a server-level role, this option grants broader rights than option 1.
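Both options above come down to a few T-SQL statements. The script below is an added example (not from the Broadcom KB or the product) that a SQL administrator could run to prepare the login for the Database Access Credential either way: option 1 creates the empty Symantec_CMDB database and makes the credential db_owner of that database only; option 2 adds the login to dbcreator instead. The instance name SQL01\ITMS and the account CORP\svc-smp-db are hypothetical, and the script assumes it is run under a Windows account that is already a SQL administrator. Because identifiers cannot be parameterized in DDL, the names are validated and bracket-quoted before they are spliced into the statements, and the connection string is built with SqlConnectionStringBuilder rather than string concatenation.

```powershell
# Added example, not from the KB: prepare the CMDB login for the Database Access
# Credential using option 1 (empty database, scoped db_owner) or option 2 (dbcreator).
# Assumptions: run as a SQL administrator with Windows authentication; the default
# instance and account names are hypothetical placeholders.
param(
    [string]$SqlInstance     = 'SQL01\ITMS',        # hypothetical instance
    [string]$DbAccessAccount = 'CORP\svc-smp-db',   # hypothetical Database Access Credential
    [string]$DatabaseName    = 'Symantec_CMDB',
    [ValidateSet('EmptyDbOwner', 'DbCreator')]
    [string]$Option          = 'EmptyDbOwner',      # option 1 (scoped) or option 2 (server-wide)
    [switch]$PrintOnly                              # show the T-SQL instead of executing it
)

# Identifiers cannot be bound as parameters in DDL, so reject anything that is not a
# plain DOMAIN\name or object name, then bracket-quote it the way QUOTENAME() would.
foreach ($v in $DbAccessAccount, $DatabaseName) {
    if ($v -notmatch '^[A-Za-z0-9_.\- \\$]+$') { throw "Refusing unsafe identifier: '$v'" }
}
function Quote-Id([string]$s)  { '[' + ($s -replace '\]', ']]') + ']' }   # [identifier]
function Quote-Str([string]$s) { "N'" + ($s -replace "'", "''") + "'" }   # N'literal'

$login = Quote-Id $DbAccessAccount
$db    = Quote-Id $DatabaseName

# Batch 1 (both options): a server-level Windows login for the credential.
$batches = @(
@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $(Quote-Str $DbAccessAccount))
    CREATE LOGIN $login FROM WINDOWS;
"@
)

if ($Option -eq 'EmptyDbOwner') {
    # Option 1: the DBA creates the empty database; the credential is db_owner there and nowhere else.
    $batches += "IF DB_ID($(Quote-Str $DatabaseName)) IS NULL CREATE DATABASE $db;"
    $batches += @"
USE $db;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $(Quote-Str $DbAccessAccount))
    CREATE USER $login FOR LOGIN $login;
ALTER ROLE db_owner ADD MEMBER $login;
"@
} else {
    # Option 2: server-wide dbcreator; SIM creates the database and the credential becomes its dbo.
    $batches += "ALTER SERVER ROLE dbcreator ADD MEMBER $login;"
}

if ($PrintOnly) {
    $batches -join "`nGO`n"
    return
}

# The builder escapes values, so a stray ';' in a parameter cannot inject connection keywords.
$csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$csb.DataSource         = $SqlInstance
$csb.InitialCatalog     = 'master'
$csb.IntegratedSecurity = $true

$conn = New-Object System.Data.SqlClient.SqlConnection($csb.ConnectionString)
$conn.Open()
try {
    foreach ($sql in $batches) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
    }
} finally {
    $conn.Dispose()
}
"Prepared $DbAccessAccount for option '$Option' on $SqlInstance."
```

Run it first with -PrintOnly to review the generated statements, then hand SIM the database name used here (option 1) or let SIM create the database (option 2). ALTER ROLE ... ADD MEMBER and ALTER SERVER ROLE require SQL Server 2012 or later.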
Sometimes you are required to assign the Symantec Administrator role to the local Administrator user on the computer where you installed the IT Management Suite (ITMS) solutions. This step is required for performing additional tasks in your ITMS environment, such as upgrading to the latest version of ITMS. You use the Symantec Management Console to grant the Symantec Administrator role to a local administrator user account on the computer where the ITMS solutions are installed.
You can also check the following KBs for further reference:
“What are the minimum rights requirements that SIM 7 looks for during an installation?” (179939)
"What SQL rights are needed for the application identity?" (181352)