Kaseya Community

How are you handling user credentials for scripts/patching for remote systems?

  • So we're running into some issues with credentials. In the beginning, we setup a user account in each customer's AD, which we would then assign to K to use for patching and such. Since this was in AD, everything worked well. Or so we thought.

    Then we ran into a customer who has a large number of remote laptops for workers that are never in the office. We couldn't use the AD method above as some of those laptops are never in the office, so they don't have the cached AD/K credential yet.

    So we setup local accounts on those machines, added them to the admin group and gave K those credentials to use for scripts and patching.

    Problem is now, it appears if one of those machines comes into the office, we get errors from the DC about that local ID trying to authenticate to the DC for (I assume) access to the patch repository.

    How is everyone else handling this?

    Legacy Forum Name: How are you handling user credentials for scripts/patching for remote systems?,
    Legacy Posted By Username: DiPersiaTech
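    A way to confirm which machines are behind the DC errors the original poster describes (an added example, not code from the thread or from Kaseya): on a domain controller, Windows logs a credential-validation event (Security log, Event ID 4776) each time an account name is presented for NTLM validation, and a local account name that does not exist in AD fails that check. The script below assumes the errors are those events and that the local account name is the placeholder `kaseya-local`; it groups the failures by source workstation so the noise can be tied to specific laptops rather than guessed at.

```powershell
# Added example, not from the thread or from Kaseya. Run on a domain controller.
# Assumption: the "errors from the DC" are Event ID 4776 failures for the local
# account name that was handed to the agent. $AccountName is a placeholder.
function Get-FailedValidationsFor {
    param(
        [Parameter(Mandatory)] [string]$AccountName,
        [int]$Hours = 24
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Security log, credential validation events, last $Hours hours
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4776
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4776 properties, in order: PackageName, TargetUserName, Workstation, Status
        $p = $e.Properties
        $user = [string]$p[1].Value

        # Status arrives as a number or as a hex string depending on the host; normalise it
        $raw = $p[3].Value
        $status = if ($raw -is [string]) { [Convert]::ToUInt32($raw, 16) } else { [uint32]$raw }

        # Status 0 is a successful validation; anything else is a failure
        if ($user -ieq $AccountName -and $status -ne 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = $user
                Workstation = [string]$p[2].Value
                Status      = ('0x{0:x8}' -f $status)
            }
        }
    }
}

# Usage: which workstations presented the placeholder local account in the last day?
Get-FailedValidationsFor -AccountName 'kaseya-local' -Hours 24 |
    Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Workstation'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

    A status of 0xc0000064 on these events means the account name is unknown to the domain, which is what a local-only account produces when a domain-joined laptop comes back onto the LAN; a different status (for example a bad password) would point at a mismatch between the local and AD copies of the account rather than at the local/domain confusion discussed in this thread.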
  • That sounds like you have the credentials set up incorrectly

    There is some confusion over the domain name and the local name (probably in Kaseya).

    Try using two different account names - one for AD and the other for the local account so the scripts do not get confused. Or just double check the Credential on the offending machine and maybe reapply it.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Mark Shehan
  • Wouldn't they be set to download patches from the internet without using the customer's patch cache on their server? If so, does patching still work when they are in the office? I presume it's happening when something is happening, not just randomly for no reason. Maybe that credential is trying to authenticate with the DNS server on the domain?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: wodger
  • Mark - how could we use two different accounts when K only allows us to use one set of credentials? What we did for this customer was setup a local account on all workstations, and gave K those credentials to use. Problem is, that local account is trying to authenticate against AD (And we're assuming to hit the patch repository.)

    Wodger - You're right - patching IS working as it's going out to the Internet. But it doesn't help us in that the machines that are in the office are also going to the Internet, we assume, since they can't authenticate since they're using a local account. And we'd prefer not to have to use AD credentials for all the office machines (And track them), and then use local credentials for the field people, who are sometimes in the office.

    We did try creating this local account in AD, hoping it would just pass the username and password along, but no love.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • DiPersiaTech
    So we're running into some issues with credentials. In the beginning, we setup a user account in each customer's AD, which we would then assign to K to use for patching and such. Since this was in AD, everything worked well. Or so we thought.

    Then we ran into a customer who has a large number of remote laptops for workers that are never in the office. We couldn't use the AD method above as some of those laptops are never in the office, so they don't have the cached AD/K credential yet.

    So we setup local accounts on those machines, added them to the admin group and gave K those credentials to use for scripts and patching.

    Problem is now, it appears if one of those machines comes into the office, we get errors from the DC about that local ID trying to authenticate to the DC for (I assume) access to the patch repository.

    How is everyone else handling this?


    Is the local ID the same as the domain ID? Do they share the same password?

    Michael

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: RCS-Michael
  • We tried both ways, essentially. When we first setup the local accounts, we did not setup a corresponding AD account. Then we thought it might pass through, so we setup the same ID and password on AD. But no luck either way.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • DiPersiaTech
    We did try creating this local account in AD, hoping it would just pass the username and password along, but no love.


    I think Kaseya distinguishes between local and domain accounts.

    I gather that you (understandably) don't want to change the credential and file source settings when the remote laptop user comes into the office. So, if you try patching his laptop when he's in the office, using the local admin credential you set up and using "download from internet" as the file source, does it work? If that works, is there actually a problem? The agent won't try to access the patch repository unless you actually change the setting, no matter where the laptop is located.

    In NZ it might be a problem for a large customer because of data caps and bandwidth used if lots of machines downloaded the same patches from the internet rather than using the local cache on the server. You might have that concern too?

    If the only problem is those error messages and you know what's going on, then I'd just ignore them.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: wodger
  • You basically hit the nail on the head. We definitely don't want to be dealing with changing credentials. And yes, patching does appear to be working. Our problem is, we don't want 100 machines hitting the internet for patching. And we don't want to manage two sets of credentials - one for office workers, the other for remote workers.



    wodger
    I think Kaseya distinguishes between local and domain accounts.

    I gather that you (understandably) don't want to change the credential and file source settings when the remote laptop user comes into the office. So, if you try patching his laptop when he's in the office, using the local admin credential you set up and using "download from internet" as the file source, does it work? If that works, is there actually a problem? The agent won't try to access the patch repository unless you actually change the setting, no matter where the laptop is located.

    In NZ it might be a problem for a large customer because of data caps and bandwidth used if lots of machines downloaded the same patches from the internet rather than using the local cache on the server. You might have that concern too?

    If the only problem is those error messages and you know what's going on, then I'd just ignore them.


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • You could use a software VPN to connect them to the office network.

    Maybe it could be a new security policy.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: FarVision
  • You can also leave the credentials BLANK and allow K to use the system account instead for patching - we do this for the travelling laptops and for non-domain connected machines, otherwise we do set a domain credential ... it seems to work much better this way for most things ... a few scripts will bomb unless a user is physically logged in, but for the most part it works UNLESS the password changes for the credential (then you'll need to reconnect the laptop and sign in again with the credentialled account).

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: TBK Consulting
  • Wow, sounds like no good solution. Sure what TBK mentions would work, but you're again into managing different sets of credentials for different machines, and in some cases, some stuff will fail and/or the machine will need to reconnect to the network.

    We can't be the only ones with an issue like this...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: DiPersiaTech
  • DiPersiaTech
    we ran into a customer who has a large number of remote laptops for workers that are never in the office ... It appears if one of those machines comes into the office ...


    DiPersiaTech
    we don't want 100 machines hitting the internet for patching


    I guess the size of the problem and its fix depends on the actual numbers we're talking about. It initially sounded like just one machine came in occasionally, not 100. If it were any of our relatively small customers WE would just be S.O.L. and would just handle the credential manually when patching.

    If we had customers large enough to warrant it we would probably look into the VPN idea. You could log into the VPN once on each laptop just to get the special domain credential to cache. You might even be able to script this. Then it would work without having to connect to the domain. Set the file source to be the LAN server / patch cache, and tick "Download from Internet if machine is unable to connect to the file server."

    I assume it's ok to use the remote internet connection to download potentially large patches. We have a customer with 3G cards with 1GB limits, so we don't patch their machines over this connection, we wait 'til it's on their home ADSL connection.

    I haven't experimented much with just using the system credential for anything really.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: wodger
  • Domain machine login to the server should be mandatory per x days. This is just good general practice. We had many of these issues when we handled security in a Fortune 100 company. It is the only way to sync admin accounts and all company software.

    We had login scripts to push our client AV and firewall agents, and a double handful of mandatory company apps. After a month or so of not checking in you became a rogue laptop and lost VPN login rights. Had to put it on the LAN in some office somewhere.

    Sorry to go off on a tangent. You're giving your end users too much leeway. Domain machines need to connect to the domain.

    If you're not going to use the Domain aspect of windows server, you could use Remote Control to create a special Kaseya account across the entire enterprise and have it not be a Domain Admin, just local admin. Blow it across the entire network that way.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: FarVision
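    One way to set up the uniform, local-only admin account FarVision suggests (and that the original poster created by hand on the field laptops) is the script below. It is an added example, not code from the thread or from Kaseya: it creates the account if missing, otherwise resets its password so every machine stays in step (TBK's note above is that a password change on the credential breaks the agent until it is re-entered), adds it to the local Administrators group only, and refuses to run on a domain controller, where a "local" account would in fact be a domain account. The account name is a placeholder; run it elevated.

```powershell
# Added example, not from the thread or from Kaseya. Run elevated on each workstation.
# $AccountName is a placeholder; the account gets local Administrators only, no domain rights.
function Set-AgentLocalAdmin {
    param(
        [string]$AccountName = 'kaseya-local',
        [string]$Description = 'Agent credential - local admin only',
        [Parameter(Mandatory)] [securestring]$Password
    )

    # DomainRole 4 = backup DC, 5 = primary DC: there are no local accounts on a DC
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) {
        throw 'This host is a domain controller; a local account here would be a domain account.'
    }

    $existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Password and account set not to expire so the stored agent credential does not drift
        New-LocalUser -Name $AccountName -Password $Password -Description $Description `
            -PasswordNeverExpires -AccountNeverExpires | Out-Null
    } else {
        # Account already exists: bring its password in line with the one the agent holds
        Set-LocalUser -Name $AccountName -Password $Password
        Enable-LocalUser -Name $AccountName
    }

    # Group membership: local Administrators only (member names come back as COMPUTER\user)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if (-not ($members | Where-Object { $_.Name -like "*\$AccountName" })) {
        Add-LocalGroupMember -Group 'Administrators' -Member $AccountName
    }

    # Return the resulting state so a deployment job can log it
    Get-LocalUser -Name $AccountName | Select-Object Name, Enabled, PasswordExpires
}

# Usage: prompt for the shared password rather than embedding it in the script
$pw = Read-Host -AsSecureString 'Password for the agent local admin account'
Set-AgentLocalAdmin -AccountName 'kaseya-local' -Password $pw
```

    Because the account is local on every machine, the name should not also exist in AD: as the thread shows, giving the same name to both a local and a domain account is exactly what makes it unclear which one the agent is presenting, and it is the local copy, not the AD one, that the DC will reject when a laptop comes back onto the LAN.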