WEB Application Monitor and RunAs Account question
March 7, 2013 at 6:35 pm #111367
Can someone please help me with the following question.
I have a WEB Application Monitor (created via the Wizard in the Operations Manager Console). It uses a RunAs account for Authentication, i.e. NTLM and the relevant RunAs account.
Now the Active Directory user associated with the RunAs account could not access the WEB page as it was not a member of the correct Active Directory group. So I added the user to the correct group, but I still get a failure.
“I assume” that each and every time the workflow runs with the above monitor, the RunAs Profile within the workflow, which is associated with the RunAs account in question, would “logon” the RunAs account each time, rather than using a cached logon, i.e. from the first time the workflow ran, when either the MP was delivered to the agent and the workflow ran or the healthservice was stopped/started?
The above is just my assumption at this point.
As you know, when adding an Active Directory user to a group, the user account needs to be logged out/in to build a new token including the SID of said group, otherwise you will not be able to access the resource.
I am thinking that I may be seeing the same/similar issue with my WEB monitor, hence the question.
Thanks very much in advance
Ernie
March 7, 2013 at 10:13 pm #111369
How long have you waited? Is it maybe an AD replication thing?
Is the health explorer for the unhealthy monitor specifically saying it’s an unauthorized error?
March 8, 2013 at 2:46 pm #111404
Try logging on to the agent that is running the check. Use PSEXEC to open an Internet Explorer process using the RunAs account and attempt to navigate to the web page. If that works, then check the Secondary Logon service on the agent and ensure it is enabled.
March 10, 2013 at 12:26 pm #111460
Thanks for your suggestions, I decided to do the following to see the results
My AD account has access to the site in question. I therefore set up a Windows RunAs account using my credentials and associated this with the WEB monitor, i.e. NTLM Authentication.
However, I still get the same issue. Now there is a brief redirect on the main page before entering the site, but this works OK when I am using my AD account, and as I am using the same AD account for the RunAs account, I do not see why this should be a problem.
At this time I am just trying to check that the return status code is not 400 or above, but as you can see, as it is 401 due to the access error, the monitor goes red in any event.
I may end up writing my own custom monitor to see how this fares; any further suggestions are welcome.
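The thread mentions testing the page as the RunAs account and a redirect in front of the site. The script below is an added example, not part of any post in the thread. It requests the page with an explicit NTLM credential and reports each hop separately, so the hop that returns 401 can be identified. The default URL is a placeholder and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Written for Windows PowerShell 3.0+.
# The default $Url is a placeholder; pass the page the monitor requests.
param(
    [string]$Url = 'https://intranet.example.test/',
    [int]$MaxHops = 5
)

$net       = (Get-Credential -Message 'Account behind the RunAs profile').GetNetworkCredential()
$firstHost = ([Uri]$Url).Host

for ($hop = 1; $hop -le $MaxHops -and $Url; $hop++) {
    $uri = [Uri]$Url
    $req = [System.Net.WebRequest]::Create($uri)
    $req.AllowAutoRedirect = $false          # report each redirect instead of following it

    $offered = ($uri.Host -eq $firstHost)
    if ($offered) {
        # Offer the credential for NTLM only, and only to the original host.
        $prefix = [Uri]$uri.GetLeftPart([System.UriPartial]::Authority)
        $cache  = New-Object System.Net.CredentialCache
        $cache.Add($prefix, 'NTLM', $net)
        $req.Credentials = $cache
    }

    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx surface as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { Write-Warning $_.Exception.Message; break }
        $resp = $ex.Response
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    [pscustomobject]@{
        Hop               = $hop
        Url               = $uri.AbsoluteUri
        Status            = $status
        CredentialOffered = $offered
        Location          = $location
        WwwAuthenticate   = $resp.Headers['WWW-Authenticate']
    }
    $resp.Close()

    # Follow 3xx manually so the hop that returns 401 is visible.
    $Url = if ($status -ge 300 -and $status -lt 400 -and $location) {
        (New-Object System.Uri($uri, $location)).AbsoluteUri
    } else { $null }
}
```

The WwwAuthenticate column shows which schemes the server offers on a 401, and CredentialOffered shows whether that hop was on the original host or on a host the redirect introduced.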