SCOM Agent & RunAs Account Issue
Hi, I'm installing a production environment and I have an Internet Explorer 8 issue: some PCs at any moment start browsing the web with the SCOM Management Server account, which is blocked by Websense, instead of the user's account.
In the client logs I see the Health Service is logging on to the server with the RunAs account in order to retrieve updated configuration. I thought somehow (maybe because of the Health Service secondary logon) Internet Explorer tries to use that account instead of the user's account to navigate.
If I take a look in Task Manager, the iexplorer process shows as running as the user's account, but the Websense blocking page says the contrary.
After restarting the PC the user can navigate normally.
Is there any way the Health Service leads to this problem? Why does the Health Service need to log on to the server with the management server account credentials? Is there any way to change the Health Service to access the server with local credentials?
The client SCOM agent is installed and running with a local account.
Thanks for your help.
Joffre
August 26th, 2010 11:59pm
I'm trying to understand your issue here. Sounds like you're saying that for no good reason, suddenly IE will launch under the Management Server Action Account on any given computer with an agent installed? This is not right. There must be something else at play here. For one, the Management Server Action Account should not even be delivered to agents. This is a "special" account that should only be running on Management Servers. And it usually isn't even configured to run many workflows. And I'm not aware of any workflows whatsoever that require IE to be launched.
I'd open up a case with Premier Support and have someone take a closer look at your environment. This sounds like a potentially serious problem.
HTH, Jonathan Almquist - MSFT
September 2nd, 2010 3:01am
Websense doesn't detect IE, it just detects HTTP traffic. My guess would be to check the web templates in the Authoring tab.
Rob Korving
http://jama00.wordpress.com/
September 2nd, 2010 5:30am
Hello Joffre YC, are you ok with the responses here (thanks Jonathan)? Just wanted to make sure you are ok since this was flagged as escalated (thanks Yog).
Regards, Justin
This posting is provided "AS IS" with no warranties, and confers no rights. Use of attachments are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
September 18th, 2010 12:43am
Thanks everybody for your answers and sorry for my delay. I am very concerned about this issue. As additional information, I realized the Operations Manager event log says at any time that "it is validating action accounts" and I can see it references the management server action account, which is a domain admin one.
As a temporary solution I made a rule for Websense to admit that account. I emphasize it is only used for SCOM and there aren't other products or software on the client PC that could reference it instead of the SCOM agent.
Thanks again for your help.
September 20th, 2010 2:42am
The events I found on any client PC are the following:
Tipo de suceso: Ninguno
Origen del suceso: HealthService
Categoría del suceso: Health Service
Id. suceso: 7026
Fecha: 22/09/2010
Hora: 8:54:46
Usuario: No disponible
Equipo: XXXXX
Descripción:
The Health Service successfully logged on the RunAs account Domain\account for management group XXXXX
Tipo de suceso: Ninguno
Origen del suceso: HealthService
Categoría del suceso: Health Service
Id. suceso: 7023
Fecha: 22/09/2010
Hora: 8:54:46
Usuario: No disponible
Equipo: XXXXX
Descripción:
The Health Service has downloaded secure configuration for management group XXXXX successfully.
Tipo de suceso: Ninguno
Origen del suceso: HealthService
Categoría del suceso: Health Service
Id. suceso: 7025
Fecha: 22/09/2010
Hora: 8:54:46
Usuario: No disponible
Equipo: XXXXX
Descripción:
The Health Service has authorized all configured RunAs accounts to execute for management group XXXXX.
Tipo de suceso: Ninguno
Origen del suceso: HealthService
Categoría del suceso: Health Service
Id. suceso: 7024
Fecha: 22/09/2010
Hora: 8:54:46
Usuario: No disponible
Equipo: XXXXX
Descripción:
The Health Service successfully logged on all accounts for management group XXXXX
Tipo de suceso: Ninguno
Origen del suceso: HealthService
Categoría del suceso: Health Service
Id. suceso: 7028
Fecha: 22/09/2010
Hora: 8:54:46
Usuario: No disponible
Equipo: XXXXX
Descripción:
All RunAs accounts for management group XXXXX have the correct logon type.
Thanks,
September 22nd, 2010 5:57pm
These are all normal events, but it sounds like you're using your MSAA as an action account somewhere. Check all your Run As Profiles, and see which computers have the MSAA associated to it. There is where you should find the answers you're looking for.
HTH, Jonathan Almquist - MSFT
September 25th, 2010 7:49pm
That's right, I found one Run As profile using that account. Also, the account is configured as "Less Secure", which means it will be distributed to all managed computers; it wasn't configured that way for any special purpose. Now that I have configured the account as "More Secure", the issue is solved.
I am a bit confused about what RunAs account distribution is used for.
October 12th, 2010 5:10am
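Added example, not part of the thread and not SCOM code: the 7026 events posted above name the RunAs account each agent logged on, so a text export of the Operations Manager log can be scanned for a privileged account appearing on ordinary agents, which is the symptom of the "Less Secure" distribution found here. Host names, account names and the two input lists are constructed placeholders; the parser goes slightly beyond the thread by accepting the English field labels as well as the Spanish ones shown.

```python
import re

# Constructed sample: Event Viewer text export from two agents (one localized
# to Spanish, as in the thread). Computer and account names are placeholders.
SAMPLE_EXPORT = """\
Origen del suceso: HealthService
Id. suceso: 7026
Equipo: PC-0001
Descripción:
The Health Service successfully logged on the RunAs account CONTOSO\\svc-msaa for management group MG1
Origen del suceso: HealthService
Id. suceso: 7023
Equipo: PC-0001
Descripción:
The Health Service has downloaded secure configuration for management group MG1 successfully.
Event Source: HealthService
Event ID: 7026
Computer: PC-0002
Description:
The Health Service successfully logged on the RunAs account CONTOSO\\svc-agent for management group MG1
"""

FIELD = re.compile(r"^(Id\. suceso|Event ID|Equipo|Computer):\s*(.+)$")
LOGON = re.compile(r"logged on the RunAs account (\S+) for management group (\S+)")
KEYS = {"Id. suceso": "id", "Event ID": "id", "Equipo": "host", "Computer": "host"}

def runas_logons(export_text):
    """Return (host, account, management_group) for every event 7026."""
    found, current = [], {}
    for line in export_text.splitlines():
        field = FIELD.match(line.strip())
        if field:
            key = KEYS[field.group(1)]
            if key == "id":
                current = {}  # the event id precedes the computer name in each record
            current[key] = field.group(2).strip()
            continue
        logon = LOGON.search(line)
        if logon and current.get("id") == "7026":
            found.append((current.get("host"), logon.group(1), logon.group(2)))
    return found

def privileged_on_agents(export_text, privileged, management_servers):
    """Flag privileged RunAs accounts logged on outside management servers."""
    privileged = {a.lower() for a in privileged}
    servers = {s.lower() for s in management_servers}
    return [(host, acct) for host, acct, _ in runas_logons(export_text)
            if acct.lower() in privileged and (host or "").lower() not in servers]
```

Any hit from `privileged_on_agents` points at a Run As account whose credentials are being delivered to that agent and is a cue to review the account's distribution setting and the Run As profiles that use it.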