Problem:
========
Alert Message: "run as account failed verification" Event ID: 7015
Analyze
=======
Event ID 7015 (Error):
Description:
The Health Service cannot verify the future validity of the RunAs account TEST\xxx for management group xxx.
The error is Logon failure: unknown user name or bad password.(1385L).
=========
Runas profile was less secure. We changed it to more secure.
More Information
================
Comparing More Secure and Less Secure Distribution
Operations Manager distributes the Run As account credentials to either all
agent-managed computers (the less secure option) or only to computers that you
specify (the more secure option). If Operations Manager automatically
distributed the Run As account according to discovery, a security risk would be
introduced into your environment as illustrated in the following example. This
is why an automatic distribution option was not included in Operations Manager.
For example, Operations Manager identifies a computer as hosting SQL
Server 2005 based on the presence of a registry key. It is possible to
create that same registry key on a computer that is not actually running an
instance of SQL Server 2005. If Operations Manager were to automatically
distribute the credentials to all agent-managed computers that have been
identified as SQL Server 2005 computers, then the credentials would be
sent to the imposter SQL Server and they would be available to someone with
administrator rights on that server.
When you create a Run As account, you are prompted to choose whether the
Run As account should be treated in a Less secure or More secure
fashion. More secure means that when you associate the Run As account with a
Run As Profile, you have to provide the specific computer names that you want
the Run As credentials distributed to. By positively identifying the
destination computers, you can prevent the spoofing scenario that was described
before. If you choose the less secure option, you will not have to provide any
specific computers and the credentials will be distributed to all agent-managed
computers.
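To review which Run As accounts in a management group still use the less secure option, the distribution setting can be listed from the Operations Manager Shell. This is an added example, not part of the original post; it assumes the OperationsManager PowerShell module is installed and the session is already connected to the management group.

```powershell
# Added example: audit how each Run As account's credentials are distributed.
# Assumption: the OperationsManager module is available and a management
# group connection exists (e.g. via New-SCOMManagementGroupConnection).
Import-Module OperationsManager

$report = foreach ($account in Get-SCOMRunAsAccount | Sort-Object Name) {
    # Distribution policy for this account: LessSecure or MoreSecure,
    # plus the explicit target list used by the more secure option.
    $dist = $account | Get-SCOMRunAsDistribution

    [pscustomobject]@{
        Account     = $account.Name
        Security    = $dist.Security
        # Measure-Object returns 0 for an empty or null target list.
        TargetCount = ($dist.SecureDistribution | Measure-Object).Count
    }
}

# Full picture first.
$report | Format-Table -AutoSize

# Credentials sent to every agent-managed computer: candidates for
# switching to the more secure option with an explicit computer list.
$report | Where-Object { $_.Security -eq 'LessSecure' } |
    Format-Table -AutoSize

# More secure accounts with no targets: no computer receives the
# credentials, so workflows that use the account cannot log on.
$report | Where-Object { $_.Security -eq 'MoreSecure' -and $_.TargetCount -eq 0 } |
    Format-Table -AutoSize
```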
Distribution and Targeting for Run As Accounts and Profiles
http://technet.microsoft.com/en-us/library/hh431855.aspx