Password Manager in Operation

FlexNet Manager Suite 2020 R2 (On-Premises)

The order of attempting credentials

When an inventory beacon needs a credential for a remote execution task, it tests credentials in the following order until either one credential succeeds or there are no further credentials to test. The credential test consists of an attempt to log into the target device using the credential under test.
Tip: The storage place of a credential, either in the CyberArk Vault or the local FlexNet Beacon vault, has no effect on the testing order, which is as follows.
  1. The inventory beacon's own administrator credentials (the credentials under which the BeaconEngine service is running on the inventory beacon). This may be helpful for Windows devices in the same domain, if this account has rights on the target device, since this method of authorization does not require managing credentials in Password Manager.
  2. If the target device is a VirtualCenter server configured to use SSPI for credentials (which is the default setting), the inventory beacon tries Windows integrated authentication.
  3. If there is at least one credential known to Password Manager that has a filter declared, and the filter includes the target device, this matched credential is tried next. If there are multiple filtered credentials where the filters match the target device, they are ordered from the one having most matching filter definitions to the one having least, and tried in that order. (If there are multiple matching definitions that have the same number of filter matches, the order in which they are tried is indeterminate.)
  4. Credentials known to Password Manager that do not have any filters declared are tried next, in alphabetical order of the logical name.
If the list of available credentials is exhausted without any match, the discovered device record is marked with an alert in the Discovered Devices list in the web interface for FlexNet Manager Suite, and for inventory tasks, the failure also appears in the Inventory Errors on All Discovered Devices report (Reports > Discovery and Inventory > Inventory).

Limiting the number of credentials

It is best practice to limit the number of entries in the Password Manager on each inventory beacon, both for performance and to avoid possible inventory failures.

If you have large numbers of credentials in your Password Manager, the performance of remote execution tasks will be adversely affected. It is recommended that you limit the number of credentials in Password Manager to those that are required, and that you review Password Manager periodically and remove any credentials that are no longer in use. (You can use the Delete... button in the Password Manager on each inventory beacon to remove selected credentials.)

Having too many credentials sharing the same account name may cause inventory failures, due to the following logic:

  • Context: The remote access lockout feature of Microsoft Windows shuts out access to an account for which the number of failed password attempts exceeds a set limit within a time-out period. The limit is defined in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\ MaxDenials. Once an account is locked out, it will not function for remote execution until the time-out period expires, after which the account is reset and the lockout feature restarts.

  • Issue: To access each target device, the inventory beacon tries each credential of the appropriate type from Password Manager in turn, until one succeeds or there are no more credentials (of the correct account type) to try. If you store many credentials with the same User name but different passwords (for example, SystemsUser/password1, SystemsUser/password2, SystemsUser/password3), trying each one in turn on the same device may eventually cause account lockout: if the number of passwords for the same user name is more than the limit for retries on this individual device, the account gets locked out for some time. If the lock-out is triggered, discovery or inventory collection times out during the lock-out period.

To avoid this problem, use any of the following approaches, as may be appropriate for your environment:
  • Within the Password Manager, use the Filter to specify the device(s) to which individual account name and password pairs apply.
  • Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\MaxDenials on target devices to be greater than the number of duplicated account names. For example, if you have 20 accounts called SystemUser listed in the password store, set MaxDenials=21.
  • Add the local Administrator account for each target device to the local Password Manager, as this account is not locked out.
  • Change the account names on individual managed devices to remove duplication.
  • For each duplicate account name in your enterprise, set an identical password, so that only one account name/password entry is required in each Password Manager.

FlexNet Manager Suite (On-Premises)

2020 R2