4 Replies Latest reply on Jun 5, 2017 3:09 PM by AaronWills

    Scheduler server alternate credentials - do you need any?

    AaronWills Apprentice

      Hi all, a while back when we were setting up our LDMS 9.6 core we were advised to enter all our client local admin passwords into the alternate credentials box for the Scheduler service.

      Now I'm setting up a 2017.1 box, I'm wondering if this is actually necessary.  Can we not just use our domain admin ivanti service account in the scheduler settings and not worry about the alternate creds, or should I go and re-enter all of them?

      As a side note, what are the alternate credentials actually for?

      Thanks, Aaron

        • 1. Re: Scheduler server alternate credentials - do you need any?
          phoffmann SupportEmployee

          You shouldn't - really - need them anymore these days.

           

          The Alternate credentials ONLY come into play when you're doing an agent push to a box that doesn't have an agent on it. Scheduler is essentially going from its primary credentials through the list of alternate credentials in an effort to authenticate an RPC (Remote Procedure Call) to get the agent to install. Now you really shouldn't be installing agents that way (it's unicast, slow & inefficient, etc.) but the "option is still there" because in a few (rare) situations it still *IS* the only way to get things done.

           

          However, that shouldn't be the case for most environments I hope.

           

          The scheduler's PRIMARY account is still relevant for accessing share/package locations & calculating hashes -- that one is still super important.

           

          But "by and large" alternate credentials (could've been used in a multi-domain setup for instance) shouldn't be a commonly needed thing these days.

           

          Does that help you with understanding what that feature is for & its use case?

          • 2. Re: Scheduler server alternate credentials - do you need any?
            AaronWills Apprentice

            That clears it right up, thanks Paul. 

            While you're mentioning it, for deploying the new agent out to the business, is it best practice to create a self-contained exe on the new core and push it out from the old core?

            • 3. Re: Scheduler server alternate credentials - do you need any?
              phoffmann SupportEmployee

              Yeah - I certainly have used the Advanced Agent approach like that for quite a few successful situations -- and with the "mini" MSI only being 3 MB, you can even use a custom vulnerability on the "old Core" to detect out-of-date clients (I usually target LDISCN32 for a version check) which helps along.

               

              There are many ways of skinning that particular one -- but certainly in my experience, Advanced Agent with the self-contained EXE (so you don't have to contend with "network dropped at the worst possible time..." issues) is certainly a great way to go.

               

              Hope that helps.

              • 4. Re: Scheduler server alternate credentials - do you need any?
                AaronWills Apprentice

                Certainly does, thanks again mate