EdgeSight in Trusted Domains Woes
by Nicholas Dille on 07/20/2009
When EdgeSight is set up correctly, all data is collected without any user intervention; in particular, no administrator credentials are required. Unfortunately, this is only true for historical reports generated from the EdgeSight database. As soon as real-time reports are used and workers are started manually on devices in trusted domains, the administrator's job gets tricky.
Untrusted Domains
In an environment with separate domains, the EdgeSight console presents the credentials of the user running the web browser to the agent when generating real-time reports and manually running workers. As agents are unable to validate these credentials against their local domain controllers, the credentials are rejected and the console is forced to prompt for a suitable username and password.
The administrator therefore experiences the console the way it was designed: when an unmanaged device is monitored using EdgeSight, all interactive tasks require explicit credentials to be supplied.
Trusted Domains
When the EdgeSight console is executed on a device located in the same domain as the agents, or in a trusted domain, the credentials of the user running the console are presented when connecting to the agents for real-time reports and workers. If these credentials do not belong to an administrator of the device, the agent denies access.
The user running the console is successfully authenticated but does not hold the necessary rights to perform the requested operation.
Workaround 1
Run the web browser hosting the console in the context of an account with administrative rights on the target device. Depending on the environment, this may require running several instances of the console for different types of target devices.
Workaround 2
If you are in control of all domains involved in the setup, create a user and assign it administrative rights on all involved agents.
Solution
In the end, the only proper solution to this pitfall is an enhancement to the console so that it prompts for suitable credentials when access is denied.
3 responses for "EdgeSight in Trusted Domains Woes"
What about defining a proxy
What about defining a proxy account to authenticate to the farm under Company Configuration -> Security -> Farm Authentication? This gets around the requirement to use the credentials of the currently logged in administrator when querying real time data from the agents.
You can also define multiple credentials for different farms.
Alastair, I should have seen
Alastair,
I should have seen this one coming ;-) You are entirely right about using the Farm Authentication page to define a service account to be used when connecting to servers of a certain farm.
Unfortunately, EdgeSight does not offer a similar mechanism to authenticate against endpoint devices. I would prefer a "Domain Authentication" page on which to define authentication data when connecting to specified domains.
Regards,
Nicholas
I need to add a reference to
I need to add a reference to another workaround. In CTX111046, Citrix describes that devices can be configured to deliver real-time reports to remote users without administrative rights. The registry of the device requires an Active Directory group to be defined containing users accepted for retrieving real-time reports.
In my opinion, this solution does not solve the dilemma because it requires changes (and some basic management) in another domain. I'd rather have the console ask or be able to save appropriate credentials for domains just like it is possible for farms. As I will not create real-time reports all day, I can cope with occasional credential dialogs.
Take care,
Nicholas