Password Manager in Operation
The order of attempting credentials
- The inventory beacon's own administrator credentials (the credentials under which the BeaconEngine service is running on the inventory beacon). This may be helpful for Windows devices in the same domain, if this account has rights on the target device, since this method of authorization does not require managing credentials in Password Manager.
- If the target device is a VirtualCenter server configured to use SSPI for credentials (which is the default setting), the inventory beacon tries Windows integrated authentication.
- If there is at least one credential known to Password Manager that has a filter declared, and the filter includes the target device, this matched credential is tried next. If there are multiple filtered credentials where the filters match the target device, they are ordered from the one having most matching filter definitions to the one having least, and tried in that order. (If there are multiple matching definitions that have the same number of filter matches, the order in which they are tried is indeterminate.)
- Credentials known to Password Manager that do not have any filters declared are tried next, in alphabetical order of the logical name.
Limiting the number of credentials
It is best practice to limit the number of entries in the Password Manager on each inventory beacon, both for performance and to avoid possible inventory failures.
If you have large numbers of credentials in your Password Manager, the performance of remote execution tasks will be adversely affected. It is recommended that you limit the number of credentials in Password Manager to those that are required, and that you review Password Manager periodically and remove any credentials that are no longer in use. (You can use the Delete... button in the Password Manager on each inventory beacon to remove selected credentials.)
Having too many credentials sharing the same account name may cause inventory failures, due to the following logic:
- Context: The remote access lockout feature of Microsoft Windows shuts out access to an account for which the number of failed password attempts exceeds a set limit within a time-out period. The limit is defined in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\MaxDenials. Once an account is locked out, it does not function for remote execution until the time-out period expires, after which the account is reset and the lockout feature restarts.
- Issue: To access each target device, the inventory beacon tries each credential of the appropriate type from Password Manager in turn, until one succeeds or there are no more credentials (of the correct account type) to try. If you store many credentials with the same user name but different passwords (for example, SystemsUser/password1, SystemsUser/password2, SystemsUser/password3), trying each one in turn on the same device may eventually cause account lockout: if the number of passwords stored for the same user name is more than the retry limit on that individual device, the account is locked out for some time. If the lockout is triggered, discovery or inventory collection times out during the lockout period.
To reduce the risk of lockout, use one or more of the following approaches:
- Within the Password Manager, use the Filter to specify the device(s) to which individual account name and password pairs apply.
- Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\MaxDenials on target devices to be greater than the number of duplicated account names. For example, if you have 20 accounts called SystemUser listed in the password store, set MaxDenials=21.
- Add the local Administrator account for each target device to the local Password Manager, as this account is not locked out.
- Change the account names on individual managed devices to remove duplication.
- For each duplicate account name in your enterprise, set an identical password, so that only one account name/password entry is required in each Password Manager.
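The following Python model, added here as an illustration and not part of the FlexNet Manager Suite product or its documentation, reproduces two points from this page: the order in which the beacon tries Password Manager entries for a device (matching filtered entries first, most matching filter definitions first, then unfiltered entries alphabetically by logical name), and the lockout risk that arises when several entries share one user name. The `Credential` class, the glob-style filter matching, the sample store and the "count equal to MaxDenials is already at risk" rule (chosen to agree with the page's "20 names, set MaxDenials=21" advice) are all assumptions of this example, not the product's data model or matching rules.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Credential:
    """One Password Manager entry (constructed model, not the product's format)."""
    logical_name: str
    username: str
    account_type: str = "windows"                      # only entries of the target's type are tried
    filters: List[str] = field(default_factory=list)  # assumed: device-name glob patterns, e.g. "srv-*"


def matching_filter_count(cred: Credential, device: str) -> int:
    """Number of this credential's filter definitions that match the device name."""
    return sum(1 for pattern in cred.filters
               if fnmatch.fnmatchcase(device.lower(), pattern.lower()))


def order_credentials(creds: List[Credential], device: str,
                      account_type: str = "windows") -> List[Credential]:
    """Order stored credentials the way the page describes the beacon trying them:
    filtered entries whose filter includes the device first (most matching filter
    definitions first), then unfiltered entries alphabetically by logical name.
    Filtered entries that do not match the device are not tried at all. Ties among
    filtered entries are indeterminate in the product; here input order is kept
    because Python's sort is stable."""
    candidates = [c for c in creds if c.account_type == account_type]
    scored = [(matching_filter_count(c, device), c) for c in candidates if c.filters]
    matched = [(n, c) for n, c in scored if n > 0]
    matched.sort(key=lambda pair: -pair[0])
    unfiltered = sorted((c for c in candidates if not c.filters),
                        key=lambda c: c.logical_name.lower())
    return [c for _, c in matched] + unfiltered


def lockout_risk(ordered: List[Credential], max_denials: int) -> Dict[str, int]:
    """Worst case: every stored password for a user name is wrong (for example after a
    rotation), so each entry sharing that name costs one failed logon on the device.
    Returns the user names whose failure count reaches MaxDenials, with the count.
    Assumption: a count equal to MaxDenials is treated as at risk."""
    attempts: Dict[str, int] = {}
    for cred in ordered:
        attempts[cred.username] = attempts.get(cred.username, 0) + 1
    return {name: n for name, n in attempts.items() if n >= max_denials}


# Constructed sample Password Manager contents; the names and filters are invented.
STORE = [
    Credential("Domain admin", "SystemsUser", filters=["srv-*"]),
    Credential("Lab", "SystemsUser"),
    Credential("Legacy", "SystemsUser"),
    Credential("Beta", "SystemsUser", filters=["srv-*", "srv-db*"]),
    Credential("Alpha local", "Administrator"),
    Credential("Linux root", "root", account_type="ssh"),   # wrong type: never tried for Windows
]


def names_tried(device: str, creds: List[Credential] = STORE,
                account_type: str = "windows") -> List[str]:
    """Logical names in the order the beacon would try them for this device."""
    return [c.logical_name for c in order_credentials(creds, device, account_type)]


if __name__ == "__main__":
    print(names_tried("srv-db01"))   # ['Beta', 'Domain admin', 'Alpha local', 'Lab', 'Legacy']
    print(names_tried("ws-42"))      # ['Alpha local', 'Lab', 'Legacy']  (filtered entries skipped)
    print(lockout_risk(order_credentials(STORE, "srv-db01"), max_denials=3))  # {'SystemsUser': 4}
    print(lockout_risk(order_credentials(STORE, "srv-db01"), max_denials=5))  # {}
    print(lockout_risk(order_credentials(STORE, "ws-42"), max_denials=3))     # {}
```

The two `ws-42` results show the first mitigation on the page at work: because two of the four `SystemsUser` entries carry filters that exclude that workstation, only two passwords are ever attempted there, which stays below a `MaxDenials` of 3. Raising `MaxDenials` on the target (the second mitigation) has the same effect on `srv-db01`, where all four entries apply.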
FlexNet Manager Suite (On-Premises)
2023 R1