11 Replies Latest reply on Feb 10, 2016 11:22 PM by wyld

    Client Access Account

    duberyy_wotsit Apprentice
      Hi,

      I am trying to keep all service accounts set with least privilege.  What permissions does the Client Access account actually need on the endpoints?  I do not need it to install the CCA as this will be performed by SCCM so I was hoping that it would not need to be a local administrator.

      Thanks
        • 1. Re: Client Access Account
          Landon Winburn Expert
          Unfortunately it needs admin rights, as it copies EXEs to the admin$ share of the machine to execute the Poll Now.
          • 2. Re: Client Access Account
            duberyy_wotsit Apprentice
            Thanks, what permissions does the account require on the management server?  I have a Client Access Account configured which has admin rights on all workstations but when I attempt a Poll Now I am presented with an access denied error on opening the AppSense Deployment Service on the management server...
            • 3. Re: Client Access Account
              Landon Winburn Expert
              It shouldn't need any permissions on the server.

              If you open the SCU does it show any variances? Can you go to the client access log in the AMC for the machine you polled and copy the output to the clipboard and paste it here?
              • 4. Re: Client Access Account
                Landon Winburn Expert
                Also if you have two or more servers make sure the SCU is clean on all of them.
                • 5. Re: Client Access Account
                  duberyy_wotsit Apprentice
                  0 Variances on both the Management Servers (load balanced).  The client access log does not show anything for a failed poll.  Nothing is set in the Management Server -> Encryption section, should it be when load balancing?
                  • 6. Re: Client Access Account
                    Landon Winburn Expert
                    Encryption in the SCU should show no variances. At some point you should have done a "Store" in the SCU and a "Retrieve" on the second SCU to sync the decryption keys. If that all checks out then you may need to run a SQL script to clear the deployment instructions.

                    delete from dbo.deploymentinstructions 
                    where MachineFK like '%'
                    
                    • 7. Re: Client Access Account
                      duberyy_wotsit Apprentice
                      screenshot of error attached...
                      • 8. Re: Client Access Account
                        duberyy_wotsit Apprentice

                        Landon wrote:

                         

                        Encryption in the SCU should show no variances. At some point you should have done a "Store" in the SCU and a "Retrieve" on the second SCU to sync the decryption keys. If that all checks out then you may need to run a SQL script to clear the deployment instructions.

                        delete from dbo.deploymentinstructions 
                        where MachineFK like '%'
                        


                        There are only 5 rows in that table which date back to a time before the MC was load balanced and before we were using a service account for client access credentials.  That said I tried adding my own credentials (which has permissions on everything - clients/servers etc) and that doesn't work either with the same account.  It actually looks like it doesn't actually know where to connect to, as you can see in the error message above the computer name just shows as '.' when it is trying to reach the server.  Everything else in the console works as expected...
                        • 9. Re: Client Access Account
                          duberyy_wotsit Apprentice
                          Still getting nowhere with this.  What is the flow when Poll Now is clicked?  My expectation is that the console connects to the deployment service on the Management server and the poll is done by that server.  Can anyone explain?  This would help with troubleshooting.
                          • 10. Re: Client Access Account
                            duberyy_wotsit Apprentice
                            Figured this out!  Somehow the service permissions had been stripped, so just a case of running..

                            sc sdset "AppSense Deployment Service" D:(A;;LCLO;;;<SERVICE ACCOUNT SID>)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

                            on all the management servers, back in business!
                            • 11. Re: Client Access Account
                              wyld Rookie
                              We had this exact problem after upgrading to 8.6 SP2. We have an F5 load balancer in front of our management servers, so had used a custom user account in the IIS application pool configuration.  On the permissions of the AppSense Deployment Service the following is set: A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA. The BA at the end means that built-in admin accounts can access the service.

                              As a result we were able to just add the custom account to the local admin group and restart the host, and the Poll Now function started working again.

                              I'm assuming part of the upgrade must have re-created the Deployment Service and removed our previously hard-coded permissions for our custom account.
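
Added example (not part of the thread and not AppSense code): a small Python decoder for the service DACL posted in reply 10 and the BA entry quoted in reply 11, showing which service access rights each two-letter SDDL code grants and which trustees could reconfigure the service. The function names are hypothetical; the sample string is the one from reply 10 with its `<SERVICE ACCOUNT SID>` placeholder left as is.

```python
import re

# Meaning of the two-letter SDDL rights codes when the object is a Windows service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure, re-ACL, take over or delete the service.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}
# Trustee aliases; note "WD" means Everyone as a trustee but WRITE_DAC as a right.
TRUSTEES = {"SY": "Local System", "BA": "Built-in Administrators",
            "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}
# Security descriptor from reply 10, SID placeholder kept verbatim.
SAMPLE = (
    "D:(A;;LCLO;;;<SERVICE ACCOUNT SID>)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        codes = re.findall("..", rights)
        # Codes outside the table (generic rights, hex masks, stray spaces) are rejected, not guessed.
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unrecognised rights string {rights!r}")
        aces.append((ace_type, TRUSTEES.get(sid, sid), [SERVICE_RIGHTS[c] for c in codes]))
    return aces

def risky_grants(sddl):
    """Trustees other than Local System / Administrators allowed to alter the service."""
    admins = {"Local System", "Built-in Administrators"}
    return sorted({t for typ, t, r in parse_dacl(sddl)
                   if typ == "A" and t not in admins and DANGEROUS & set(r)})
```

Decoded this way, the service account entry in reply 10 carries only SERVICE_QUERY_STATUS and SERVICE_INTERROGATE, while the BA entry carries the full set including WRITE_DAC and WRITE_OWNER.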