Landesk Agent Authentication using the CBA_Anonymous local guest account

Version 6

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 2016.x

    In Ivanti Endpoint Manager version 2016.3 SU3 and newer, the CBA_Anonymous account is deprecated and no longer in use.  The account can be deleted from client devices and will not be recreated when installing or updating the agent beyond 2016.3 SU3.

    What is the CBA_Anonymous account, and what does it do?


    The CBA_Anonymous account is a local guest account created on any Windows computer that has a Landesk Agent.  When your LDMS Core needs to communicate with an agent, it calls the CBA_Anonymous local account on the agent computer to perform an LDPing on the client web service.  The LDPing returns the hostname and Landesk inventory ID of the Agent computer as XML.  This information is verified to authenticate the client before executing any task.


    Will GPOs affect the CBA_Anonymous account?


    In most cases, no.  The CBA_Anonymous account is created when a connection is made to CBA.  It is recreated, with a new password, anytime the computer reboots, the service is restarted, or the session expires.  While the account name remains the same, its GUID changes when the account is recreated.  Group policy is generally applied at startup and user login.  If a GPO is applied to the CBA_Anonymous account, the account will soon be recreated with a different GUID.  GPOs will affect the CBA_Anonymous account if they apply to all local accounts.


    One exception to this is any GPO that denies CBA_Anonymous the Logon as a Batch Job right.  CBA_Anonymous requires this right to function.

    In LDMS version 9.6 SP3, LANDesk changed the way the CBA_Anonymous account is configured.  Please see the SP3 readme for more information:


    Is CBA_Anonymous secure?


    The CBA_Anonymous account's password consists of multiple sections, generated using OpenSSL.  It is stored in RAM only, and the password is changed anytime the CBA_Anonymous account is recreated.


    How to verify if CBA_Anonymous is functioning correctly?


    If your core can communicate with the Landesk Agent, CBA_Anonymous is instrumental in this communication.  For a more specific test, follow these steps:

    • From your core, open a web browser.
    • Enter this URL in your browser, replacing "clientIPAddress" with the actual IP address of a client computer: http://clientIPAddress:9595/allowed/ldping
    • If CBA_Anonymous is working as designed, you will see a line of XML in your browser containing the correct hostname and Landesk inventory ID of the client computer, similar to this:

              <?xml version="1.0" encoding="utf-8" ?><pong><name>DKV-JSMITH-DC</name><osversion><platform>WIN32_NT</platform></osversion><inventoryid>{B29AE31B-F1CB-E241-8CD2-0714EAC87C21}</inventoryid></pong>
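The browser check above can be scripted so the returned hostname and inventory ID are compared against the core's record for that device. This Python sketch is an added example, not Ivanti code; the function names, the 4096-byte size cap, the case-insensitive comparison, and the expected values passed in are all assumptions.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

MAX_PONG_BYTES = 4096  # assumed cap; a pong is one short line of XML
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample response copied from the article above.
SAMPLE_PONG = (b'<?xml version="1.0" encoding="utf-8" ?><pong><name>DKV-JSMITH-DC</name>'
               b'<osversion><platform>WIN32_NT</platform></osversion>'
               b'<inventoryid>{B29AE31B-F1CB-E241-8CD2-0714EAC87C21}</inventoryid></pong>')

def fetch_pong(client_ip, timeout=5):
    """Request the LDPing URL given in the article from one client."""
    url = f"http://{client_ip}:9595/allowed/ldping"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(MAX_PONG_BYTES + 1)  # one extra byte exposes oversize replies

def parse_pong(raw):
    """Parse a pong document into a dict, rejecting anything unexpected."""
    if len(raw) > MAX_PONG_BYTES:
        raise ValueError("response too large for an LDPing pong")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not expected in a pong")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "pong":
        raise ValueError(f"unexpected root element {root.tag!r}")
    name = (root.findtext("name") or "").strip()
    inv_id = (root.findtext("inventoryid") or "").strip()
    platform = (root.findtext("osversion/platform") or "").strip()
    if not name or not GUID_RE.fullmatch(inv_id):
        raise ValueError("missing hostname or malformed inventory ID")
    return {"name": name, "inventoryid": inv_id, "platform": platform}

def check_pong(raw, expected_name, expected_id):
    """Return a list of mismatches against the core's inventory record."""
    pong = parse_pong(raw)
    problems = []
    if pong["name"].lower() != expected_name.lower():  # assumed case-insensitive
        problems.append(f"hostname {pong['name']!r} != {expected_name!r}")
    if pong["inventoryid"].strip("{}").lower() != expected_id.strip("{}").lower():
        problems.append(f"inventory ID {pong['inventoryid']} != {expected_id}")
    return problems

if __name__ == "__main__":
    print(check_pong(SAMPLE_PONG, "dkv-jsmith-dc", "{B29AE31B-F1CB-E241-8CD2-0714EAC87C21}"))
```

Against a live client, pass `fetch_pong("clientIPAddress")` as `raw`; an empty list means the hostname and inventory ID match the expected record.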