What is the cba_anonymous account? / How does LANDESK manage client access? / Is there a way to remove the cba_anonymous account after an install and a log off? / Can I disable the cba_anonymous account?

Version 15

    Verified Product Versions

    Endpoint Manager 9.5Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.x

    The cba_anonymous account is created by ServiceHost.exe which is run under the the LANDESK Management Agent (CBA) service whenever an anonymous connection is requested.  It is created as a member of the local machines Guest group.


    **In the 2016.3 SU3 and 2017.1 release, CBA_anonymous has changed and no longer creates a cba_anonymous account. We have started using local account and GPO/permissions are no longer needed. The account can be deleted and will not be added when the new agent is installed.**


    Q.  How does LANDESK manage client access?

    A.  When a connection is made to CBA, the account will be created to provide the connection with guest account rights. You can manually make this request on the client by opening a web browser, then hitting url http://localhost:9595/allowed/ldping.


    Q.  Who creates the password and where does it get stored?

    A.  The password used by the account is randomly generated and stored securely in memory only. The generated password consists of multiple random generated sections using OpenSSL to meet even the most stringent password complexity requirements. Since the password is stored ONLY in memory it will be regenerated on reboot, service restart(then additional request), or if the current session has expired.  The password will include at least the following: Upper Case, Lower Case, Number, Special character, and a length of at least 28 characters.


    Q.  Is there a way to remove the cba_annoymous account after an install and a log off?

    A. The account is used with a randomly generated password for CBA communication.  If the account is removed it will be recreated when needed by ServiceHost.exe.


    Q.  Is this account created on all Windows Operating Systems?

    A.  All Windows NT based Operating Systems use this account.


    Q.  Is this account created as a domain account?

    A.   No. cba_anonymous is a local account.  The only time it will appear as a domain account is if the LANDESK agent is installed on a Domain Controller. Currently this is a supported configuration and should work. If you're having problems getting it to install, please open a case with support.


    Q. Can I disable the cba_anonymous account?

    A. No.  The LANDESK core server calls cba_anonymous to do an LDping function on the client web service to verify the client prior to executing any functions on the remote agent. The LDping returns the host name and LANDESK Device ID. These are verified prior to the execution of a task on a managed node by the core server using the cba_anonymous account. Without this information, you will not be able to manage any machines as they will appear to be “off” since they can’t be discovered.