abspyr

Support Assist Enterprise with Managed Service accounts

We have started using Dell Support Assist Enterprise for our infrastructure.

For some devices, Windows domain credentials must be used in order to connect to the (other) managed servers' OpenManage instance in order to collect data.

Instead of using a typical domain account (with username / password) we would like to use Windows Managed Service Accounts (https://blogs.technet.microsoft.com/askds/2009/09/10/managed-service-accounts-understanding-implemen...), so the Dell Assist will connect to the managed servers with this type of account.

I configured such an account with success. I also added it to the Domain Admins group and also to the Local Administrator group (on each server).

I configured the Support Assist to connect to the managed servers with domain credentials:

username:  DOMAINNAME\service_account$

password: [none, empty]

as this is the way managed service accounts should be configured, but it does not work (wrong credentials).

Is it possible to use managed service accounts with Support Assist? If yes, how do we configure them?

 

Thank you.

 

Community Manager

Re: Support Assist Enterprise with Managed Service accounts

Hi abspyr,

very interesting question :)

Well for me, I can't tell you, but I already asked the L3s on this and here we go with the next steps.

1st task: Q: Is there any specific reason that you created a domain service account with an empty password? 

2nd task: Get me the application log with debug information. Instructions as follows:

  1. Open log4j2.xml file from location C:\Program Files\Dell\SupportAssist\config

  2. Modify as highlighted below:
    <configuration status="debug">
    <logger name="com.dell" level="debug" additivity="false">
        <appender-ref ref="console" />
        <appender-ref ref="log.file" />
    </logger>
    <logger name="Activityfile" level="debug" additivity="false">
        <appender-ref ref="Activitylog" />
    </logger>
    <root level="info">
        <appender-ref ref="console" level="debug" />
        <appender-ref ref="log.file" level="debug" />
        <appender-ref ref="RestActivitylog" level="info"/>
    </root>
    <logger name="org.apache.cxf" level="debug" additivity="false">
        <appender-ref ref="console"/>
        <appender-ref ref="log.file"/>
    </logger>

  3. Restart Dell EMC SupportAssist Enterprise service.

  4. Try your scenario after enabling debug log and get me the logs. (file location: C:\Program Files\Dell\SupportAssist\logs\application.log)
    You may upload them on any cloud portal or easily send them over via email.

I'll forward the logs to our engineering and keep you posted.

Thanks and Cheers
Stefan

DellEMC Stefan Richter
Community Manager
Brand certified, SMaC Professional
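
The four logging steps from the reply above, as an added PowerShell example that is not part of the original thread and is not Dell's own tooling. The function names are hypothetical, the service display name is assumed to match the wording of step 3, and it has to run from an elevated prompt; the second function puts the original configuration back once the log has been collected.

```powershell
# Paths as given in the post; the display name is an assumption taken from step 3.
$ConfigPath   = 'C:\Program Files\Dell\SupportAssist\config\log4j2.xml'
$LogPath      = 'C:\Program Files\Dell\SupportAssist\logs\application.log'
$ServiceName  = 'Dell EMC SupportAssist Enterprise'   # assumed display name
$DebugLoggers = @('com.dell', 'Activityfile', 'org.apache.cxf')
$RootRefs     = @('console', 'log.file')

function Enable-SaeDebugLogging {   # hypothetical helper name
    # Keep a timestamped copy so the change can be reverted exactly.
    $backup = "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)

    # <configuration status="debug">
    $xml.DocumentElement.SetAttribute('status', 'debug')

    foreach ($node in $xml.SelectNodes('//*')) {
        # Named loggers listed in the post: level="debug".
        $isLogger = ($node.LocalName -ieq 'logger') -and
                    ($DebugLoggers -contains $node.GetAttribute('name'))
        # console and log.file appender-refs under <root>: level="debug".
        # RestActivitylog is left at info, as in the post.
        $isRootRef = ($node.LocalName -ieq 'appender-ref') -and
                     ($node.ParentNode.LocalName -ieq 'root') -and
                     ($RootRefs -contains $node.GetAttribute('ref'))
        if ($isLogger -or $isRootRef) { $node.SetAttribute('level', 'debug') }
    }

    $xml.Save($ConfigPath)
    Restart-Service -DisplayName $ServiceName
    return $backup
}

function Restore-SaeLogging {       # hypothetical helper name
    param([string]$Backup, [string]$LogCopy)
    # Take a copy of the debug log, then put the original config back so the
    # service does not keep writing debug-level output.
    Copy-Item -LiteralPath $LogPath -Destination $LogCopy
    Copy-Item -LiteralPath $Backup -Destination $ConfigPath -Force
    Restart-Service -DisplayName $ServiceName
}

# Usage:
#   $bak = Enable-SaeDebugLogging
#   ... reproduce the failing credential test in SupportAssist ...
#   Restore-SaeLogging -Backup $bak -LogCopy "$env:TEMP\sae-application.log"
```

Review the copied log for hostnames and account names before sending it anywhere outside the organisation.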
abspyr

Re: Support Assist Enterprise with Managed Service accounts

Hello Stefan,

thank you for your reply.

This type of account is a special one, which does not require a password. The password is auto-renewed by the system. We would like to deploy it like this for better security reasons.

The link in my first post describes in detail how it works and why it is used.

I will proceed with the next steps within this week and write back to you.

 

Thank you again

Community Manager

Re: Support Assist Enterprise with Managed Service accounts

Hi abspyr,

no worries, I'll wait :)

Cheers
Stefan

Community Manager

Re: Support Assist Enterprise with Managed Service accounts

Hi abspyr,

thanks for sending the logs.

In the meantime, I received an answer from the Engineering team for SupportAssist Enterprise and they have confirmed that they don’t support domain accounts without passwords.

So the way you wanna use it is not possible. You have to use at least one Account with a password to use it.

If I receive anything else I'll let you know.

For now, this seems to be solved as it works as designed.

Cheers
Stefan
