WEB Application Monitor and RunAs Account question


This topic contains 3 replies, has 3 voices, and was last updated by Ernie 1 year, 1 month ago.

  • #111367
    Ernie
    Participant

    Hello,

    Can someone please help me with the following question.

    I have a WEB Application Monitor (created via the Wizard in the Operations Manager Console). It uses a RunAs account for Authentication, i.e. NTLM and the relevant RunAs account.

    Now the Active Directory user associated with the RunAs account could not access the WEB page as it was not a member of the correct Active Directory group. So I added the user to the correct group, but I still get a failure.

    “I assume” each and every time the workflow runs with the above monitor, the RunAs Profile within the workflow, which is associated with the RunAs account in question, would “logon” the RunAs account each time, rather than using a cached logon, i.e. from the first time the workflow ran, when either the MP was delivered to the agent and the workflow ran or the healthservice was stopped/started?

    The above is just my assumption at this point.

    As you know, when adding an Active Directory user to a group, the user account needs to be logged out/in to build a new token including the SID of said group, otherwise you will not be able to access the resource.

    I am thinking that I may be seeing the same/similar issue with my WEB monitor, hence the question.

    Thanks very much in advance

    Ernie

    #111369
    curtmcgirt
    Participant

    How long have you waited? Is it maybe an AD replication thing?

    Is the health explorer for the unhealthy monitor specifically saying it’s an unauthorized error?

    #111404
    bkhsms
    Participant

    Try logging on to the agent that is running the check. Use PSEXEC to open an Internet Explorer process using the RunAs account and attempt to navigate to the web page. If that works, then check the Secondary Logon service on the agent and ensure it is enabled.

    #111460
    Ernie
    Participant

    Hello All

    Thanks for your suggestions, I decided to do the following to see the results

    My AD account has access to the site in question. I therefore set up a Windows RunAs account using my credentials and associated this with the WEB monitor, i.e. NTLM Authentication.

    However I still get the same issue, now there is a brief redirect on the main page before entering the site, but this works OK when I am using my AD account and as I am using the same AD account for the RunAs account, do not see why this should be a problem.

    At this time I am just trying to check the return status code is not 400 or above, but as you can see, as it is 401 due to the access error, the monitor goes red in any event.

    I may end up writing my own custom monitor to see how this fares, any further suggestions more welcome.

    Thanks

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>You are not authorized to view this page</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD> <h1>You are not authorized to view this page</h1> You do not have permission to view this directory or page using the credentials that you supplied. <hr> <p>Please try the following:</p> <ul> <li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li> <li>Click the <a href="javascript:location.reload()">Refresh</a> button to try again with different credentials.</li> </ul> <h2>HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>401</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Authentication</b>, <b>Access Control</b>, and <b>About Custom Error Messages</b>.</li> </ul> </TD></TR></TABLE></BODY></HTML>
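
The check bkhsms suggests can also be run without a browser, in a way that shows the redirect Ernie mentions hop by hop. The PowerShell below is an added example, not code from any post in this thread; the function name Test-WebAccessAs and the URL in the sample call are hypothetical placeholders. It assumes it is run on the agent that executes the monitor and that the account's password is typed at the Get-Credential prompt.

```powershell
# Added diagnostic sketch: request a page as a specific account, offering the
# credentials for NTLM only, and list every hop instead of following redirects.
# Test-WebAccessAs is a hypothetical name, not a SCOM or Windows cmdlet.
function Test-WebAccessAs {
    param(
        [Parameter(Mandatory = $true)] [uri] $Url,
        [Parameter(Mandatory = $true)] [pscredential] $Credential,
        [int] $MaxHops = 5
    )
    $netCred = $Credential.GetNetworkCredential()
    for ($hop = 1; $hop -le $MaxHops; $hop++) {
        $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false        # surface the redirect instead of hiding it
        $cache = New-Object System.Net.CredentialCache
        $cache.Add($Url, 'NTLM', $netCred)     # credentials are bound to this URL and scheme
        $req.Credentials = $cache
        try {
            $resp = $req.GetResponse()
        } catch {
            # 4xx/5xx answers arrive as a WebException, possibly wrapped by PowerShell
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
            if (-not $ex -or -not $ex.Response) { throw }   # DNS/connect failure: no HTTP answer
            $resp = $ex.Response
        }
        $status = [int]$resp.StatusCode
        $next   = $resp.Headers['Location']
        [pscustomobject]@{
            Hop             = $hop
            Url             = $Url.AbsoluteUri
            Status          = $status
            Location        = $next
            WwwAuthenticate = $resp.Headers['WWW-Authenticate']  # schemes the server offers
        }
        $resp.Close()
        if ($status -lt 300 -or $status -ge 400 -or -not $next) { break }
        $Url = New-Object System.Uri($Url, $next)   # resolve relative redirect targets
    }
}

# Sample call with a placeholder URL:
# Test-WebAccessAs -Url 'http://intranet.example.local/app/' -Credential (Get-Credential)
```

Each output row is one request: a 3xx row shows where the site sends the client next, and a 401 row shows which authentication schemes that particular host and path asked for.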
