Re: Version Control Agent permissions

Andy Stubbings · ‎09-11-2007

I am trying to configure a VCA with a VCRM, in one of our branch offices, the account I am trying to use for this keeps getting rejected with the following error:

The Version Control Repository Manager, at ***, could not be accessed using the specified account and password."

The account I am using has server operator rights on the VCRM server, is this enough? And if not what is the minimum I can get away with to get the VCA to contact the VCRM, as our AD Admins are very reluctant to grant full admin rights to any domain account?

The VCRM is also the DC for the branch office so local accounts are a no no.

Thanks.

Rich Purvis · ‎09-11-2007

Operator rights is all you need. The account does not have to have any special account privilege other than what SMH thinks about it. Which should make your AD Admins happy. For example - I can create an account called VCOperator. It does not have to have any special domain or server access - just needs to be a valid account. Then you create a group called VCAdmins or if it makes your AD Amins feel better VCOps. You then place your "VCOperator" account within the VCOps group. You then go to the SMH on the system running VCRM and give the VCOps group "Operator" or "Administrator" level privilege within SMH. Now since the system you are going to is running as a DC you might have to specify your credential as "mydomain\username" or "mydomain\VCOperator". Logging into SMH sometimes has this issue it may be the same with VC.
Good Luck,
-Rich

Why does my tivo keep recording Nickelodeon?

Andy Stubbings · ‎09-19-2007

I have now created a domain account "svchpsim" which has server operator rights in the VCRM Server's domain, added this account to the administrators group in the VCRM server's SMH settings. And it still doesn't work. What else can I try? Surely it shouldn't be this difficult to configure version control in secure environments!

Rancher · ‎09-20-2007

I created a local administrator account on my VCRM server, which is also my SIMS server.
I configured the VCA software with those credentials.

Andy Stubbings · ‎09-20-2007

The main problem is that this Server is in different domain to the SIM server, and is also a Domain Controller which means that local accounts are not possible. I need to create a Donain account (with minimum permissions - and definately not Admin Permissions) that will enable the VCA on the same server to communicate with the VCRM on the server, there is clearly a problem with authentication I just need to pin it down so I can fix it.

How exactly does any VCA communicate and authenticate to a VCRM, if I can understand this process a little better then maybe I can see where it's falling over?

Rich Purvis · ‎09-20-2007

How exactly does a VCA communicate with a VCRM? I can't tell you "exactly", I can tell you at a high level. The VCA communicates to the VCRM by programatically logging into the System Management Homepage of the system running the VCRM. The way that the SMH "authenticates" the credentials is by making a standard OS api call that will validate the credntials that have been passed. The VCA then creates a secure session with the VCRM that it uses to "pull" data from. I suspect the issue you are having revolves around the fact that the server running VCRM is a DC. I don't have a DC to play with or might be able to figure something out. But in general just logging into the SMH can be problematic for systems that are a DC. You have to explicitely list the domain as part of the credentials. That was one of the reasons that the SMH login screen added the this text:

examples:
username
localsystem\username
mydomain\username

-Rich

Why does my tivo keep recording Nickelodeon?

Rich Purvis · ‎09-20-2007

Ok, one other thing is you may be improperly configuring the SMH rights for the ID you created. By the comments in your reply I cannot tell exactly what you did but you should have taken your ID "svchpsim" and placed it into a domain group. I don't know what that would be but you can just make one up with no privileges like VCAdmins. You then tell SMH about this group either in the Administrator or Operator level group definition ofthe security tab. Since it is a domain you will need to specify it when you add it something like: DomainName\VCAdmins

-Rich

Why does my tivo keep recording Nickelodeon?

Andy Stubbings · ‎09-20-2007

I specfied both domain\svchpsim and domain\server operators (which svchpsim is a member of) at Administrator level in the SMH and still no joy, going by what you're saying this should do the trick, I can't see where the problem is, should I create a specificly created group and not use one of the built in ones?

The svchpsim account used to be a member of Domain Admins and everything worked fine, but we are reviewing security and it can no longer be a member of this group, we have created a policy so it is a member of local admins on non DC's but as most of our branch offices only have one multi role Server (DC, File, Exchange etc...) this is going to be a real problem once the svchpsim group is removed from Domain Admins in our largest Domain where we have around 15 sites all with a VCRM.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Version Control Agent permissions

Version Control Agent permissions