KS-Soft. Network Management Solutions
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister    ProfileProfile    Log inLog in 

service tests: Win32 error #5 with Connect as

 
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting
View previous topic :: View next topic  
Author Message
sebirello



Joined: 02 Nov 2016
Posts: 25

PostPosted: Tue May 23, 2017 7:00 am    Post subject: service tests: Win32 error #5 with Connect as Reply with quote

Hello,

following conditions:

- Host Monitor version: 9.90
- Installed on OS: Server 2012R2
- KS Advanced Host Monitor and KS Web Service configured to run as Local System
- In the Host Monitor Application I've configured a separate user account under service (Domain user account)

In the service tests (all Windows Server services) I have configured the local administrator account and password for the specific server with connect as.

No the problem is, that the service tests only work if my service user (configured in the host monitor application under service) is an domain admin. I don't want to give that service account domain admin rigths!

Can you tell me how to configure it right, so maybe I can use the local administrator defined in the service test with "Connect as"?
And maybe a solution, so I also can use the local system account in the hostmonitor application, instead of an separate account.

Thank you very much!
Kind Regards
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

PostPosted: Tue May 23, 2017 7:28 am    Post subject: Reply with quote

Quote:
- KS Advanced Host Monitor and KS Web Service configured to run as Local System
- In the Host Monitor Application I've configured a separate user account under service (Domain user account)

So local system account specified in Windows Services applet?
While you use domain admin account in HostMonitor Options dialog?
This works fine on Windows Server 2003, while on Windows 2012 its better to set the other way around.

Local admin account should work. Unless UAC is enabled, in such case only build-in administrator account will work.
Note: "never notify" UAC option does not work on Windows 2012, you have to disable it in registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, EnableLUA=0
system restart required

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
sebirello



Joined: 02 Nov 2016
Posts: 25

PostPosted: Tue May 23, 2017 8:56 am    Post subject: Reply with quote

Hi Alex,

thank you for the answers!

I am already using the build-in administrator account in the service tests.

So what happens if I am using the domain user account for the service, is the service then using the account specified in the windows service applet for connecting to the services on the servers or is it using the account specified in connect as?

So what is best practice if I want to continue running host monitor as a service and checking the server services?

Thank you!
Regards
Sebastian
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

PostPosted: Tue May 23, 2017 11:31 am    Post subject: Reply with quote

Quote:
I am already using the build-in administrator account in the service tests

This account necessary for service itself, for hostmon.exe process.
E.g. if service started under local system account, then it does not matter what account you use for the tests, HostMonitor will not be able to connect to remote systems because process does not have necessary permissions.

Quote:
So what happens if I am using the domain user account for the service, is the service then using the account specified in the windows service applet for connecting to the services on the servers or is it using the account specified in connect as?

"Connect as" option and Connection Manager (recommended way is to use Connection Manager, its more flexible) tells HostMonitor to provide specified account when it connects to remote system using Windows API.
But in domain environment Windows may use account that launched process.

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
sebirello



Joined: 02 Nov 2016
Posts: 25

PostPosted: Tue May 23, 2017 3:15 pm    Post subject: Reply with quote

Hi Alex,

ok, so as far I can understand, Connect as or the Connection Manager doesn't work for me in the domain environment for connecting correctly to the remote servers, because it is using the account specified in the Windows service?

Is the best way now to run the Windows service as a domain account and to configure the service option in Host Monitor to run as local system? And then grant the domain account specified in the Windows Service local admin rights on the servers I am testing?

Or is it better to use the domain admin running the windows service?

Another option I guess would be to create a connection for every host in the connection manager with the local administrator and to let the host monitor application running while logged in?

What do you recommend?

Thank you!

Regards,
Sebastian
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

PostPosted: Wed May 24, 2017 2:13 pm    Post subject: Reply with quote

Quote:
What do you recommend?

If UAC enabled, use built-in administrator account for the service (Windows Services applet).
Otherwise use local admin or domain admin for the service (Windows Services applet).
Keep "local system" account in HostMonitor Options dialog.

Quote:
ok, so as far I can understand, Connect as or the Connection Manager doesn't work for me in the domain environment for connecting correctly to the remote servers, because it is using the account specified in the Windows service?

Depends on test methods. E.g. WMI, Memory, Drive Free Space, Dominant Process tests need correct account specified in Connection Manager.
Anyway in order to use Connection Manager hostmon.exe process (service) must have permissions. E.g. if you start account under local system account, HostMonitor will not be able to use Connection Manager at all. It will be able to perform tests like SNMP Get, Traffic Monitor, Ping, TCP, but not tests like WMI, NT Event Log, Process, Service, CPU Usage

Quote:
Another option I guess would be to create a connection for every host in the connection manager with the local administrator and to let the host monitor application running while logged in?

Usually you don't need to provide account for each host.

You may provide "default" account that will be used by HostMonitor for every resource not included in the list. To do so, type * as resource name. Then you may provide name of the server/domain or type * instead of server name. In 1st case HostMonitor will send authentication information to the specified server; in 2nd case (unc=* and sever=*) HostMonitor will connect to the server that was specified as test parameter.

In addition to default and host-specific accounts, you may specify accounts based on IP address ranges (e.g. you may specify one user account for 10.10.1.5-10.10.1.55 range, another account for 10.10.1.200-10.10.1.235 range)

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
sebirello



Joined: 02 Nov 2016
Posts: 25

PostPosted: Wed May 24, 2017 2:34 pm    Post subject: Reply with quote

Hi Alex,

thank you for the answers!

So I guess the only option for me is to setup the Windows service with a domain admin account, because I want to run Host Monitor as a service and I want to check a lot of services of domain joined servers. So I don't need to setup the Connection Manager.

Is there no way to run the Windows service with an account with less privileges as domain admin rights to check services when running Host Monitor as a service?

Sorry for the many questions!

Regards,
Sebastian
Back to top
View user's profile Send private message
KS-Soft



Joined: 03 Apr 2002
Posts: 12791
Location: USA

PostPosted: Wed May 24, 2017 5:51 pm    Post subject: Reply with quote

If you need to check just services then Power User account should be enough

Regards
Alex
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    KS-Soft Forum Index -> Configuration, Maintenance, Troubleshooting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

KS-Soft Forum Index