Old 11-29-2005, 04:06 PM   #1 (permalink)
 
jph3's Avatar
 
Status: Altiris Admin
Join Date: 02-28-2005
Location: Honolulu, Hawaii
Age: 41
Posts: 67


Changing Application Identity Password

We have to change our NS Service Account Password in AD. Is there a procedure to make this happen smoothly?

Support recommends changing the Application Identity Password first, then the AD password, then any additional services as required.

Has anyone run into any problems I should be aware of?
__________________
NS ver 6.0.5287
Server 2003 Enterprise Ed.
Dual 2.4 GHz Hyperthreaded Xeons
NS residing on 101GB partition
4.5GB RAM
jph3 is offline   Reply With Quote
Old 11-29-2005, 04:24 PM   #2 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


You're going to run the nssetup.aspx to change the password for the NS, correct?

If so you should be good to go.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 11-29-2005, 04:29 PM   #3 (permalink)
 
jph3's Avatar
 
Status: Altiris Admin
Join Date: 02-28-2005
Location: Honolulu, Hawaii
Age: 41
Posts: 67


Nope. I was going to change the password on the console and click the restart the services button. I guess this would be the wrong thing to do? Is NSSetup.aspx like doing a repair?
__________________
NS ver 6.0.5287
Server 2003 Enterprise Ed.
Dual 2.4 GHz Hyperthreaded Xeons
NS residing on 101GB partition
4.5GB RAM
jph3 is offline   Reply With Quote
Old 11-29-2005, 04:52 PM   #4 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


Run the Notification Server setup, http://localhost/Altiris/NS/Install/NSSetup.aspx. This link will rerun the last portion of the notification server installation, i.e. the setup and will allow the application identity and its password to be set, the email configuration, and finally the database. As the setup is rerun it will automatically populate the fields with the previously used values, including the old password for the application identity. Only modify the password and select the 'Next' button through the rest of the options since they will typically remain the same.

This setup process does not reinstall NS. It does not replace any of the Notification Server files. All it does is reset the password and leave the NS console in a paused state.

There are no implications with the NS Agent so nothing needs to be done with any of the client machines. They will reconnect as normal once the setup process has finished and the notification server has been restored from a paused state.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 11-29-2005, 04:59 PM   #5 (permalink)
 
LordofthePatch's Avatar
 
Status: Site Administrator
Join Date: 02-16-2005
Location: The Shire
Posts: 3,078


Geesh...I could have told you that...
__________________
The Mac motto: "Anything you can do I can do better; I can do anything better than you."
LordofthePatch is offline   Reply With Quote
Old 11-29-2005, 05:00 PM   #6 (permalink)
 
jph3's Avatar
 
Status: Altiris Admin
Join Date: 02-28-2005
Location: Honolulu, Hawaii
Age: 41
Posts: 67


Sounds like a plan. While the NS is paused, it'll give me an opportunity to reset the password for all of the services that use that account. Two birds, I tell ya. Thanks!
__________________
NS ver 6.0.5287
Server 2003 Enterprise Ed.
Dual 2.4 GHz Hyperthreaded Xeons
NS residing on 101GB partition
4.5GB RAM
jph3 is offline   Reply With Quote
Old 11-29-2005, 05:37 PM   #7 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


Quote:
Originally Posted by clfrnacwby
Geesh...I could have told you that...
Ok Sheriff, your star's getting a bit dusty.

So sayeth the Judge.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 11-30-2005, 10:49 AM   #8 (permalink)
 
JAustgen's Avatar
 
Status: Site Administrator (Ex-SQL Savant)
Join Date: 02-16-2005
Location: Colorado Springs, Colorado, USA
Posts: 1,853


For you super mods out there --

If you change the service account password and update everything for the NS, then rerun NSSetup, you're also going to need to do a repair on ANY hotfixes that you have installed. Otherwise your licensing model and some other miscellaneous things will not work properly.

For example:
You have an SP2 NS build 5287 and you rerun nssetup.aspx. After it's complete you will need to access Add/Remove programs and run a repair on HF 19, 20, and 22.
__________________
Jim Austgen
JAustgen at hotmail.com
http://www.ns-experts.com
JAustgen is offline   Reply With Quote
Old 11-30-2005, 10:55 AM   #9 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


Excellent catch Jim! I didn't know that.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 11-30-2005, 04:31 PM   #10 (permalink)
 
jph3's Avatar
 
Status: Altiris Admin
Join Date: 02-28-2005
Location: Honolulu, Hawaii
Age: 41
Posts: 67


I know it now, too. After the password change, the help desk was getting a "Cannot find table 0" error when creating new work orders. After doing the HF repairs, it was fixed.

For future reference, this link is exactly what happened when I didn't perform the repairs so it's nice to see the cause and effect:

http://www.altirisadmin.com/vbulleti...ght=find+table

Thanks a ton. Once again this forum saved my butt.
__________________
NS ver 6.0.5287
Server 2003 Enterprise Ed.
Dual 2.4 GHz Hyperthreaded Xeons
NS residing on 101GB partition
4.5GB RAM
jph3 is offline   Reply With Quote
Old 11-30-2005, 04:41 PM   #11 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


I'll work on making this a KB Article.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 02-01-2006, 12:32 PM   #12 (permalink)
 
Status: Super Altiris Admin
Join Date: 05-09-2005
Location: Herndon
Posts: 176


Application Identity Page not reliable??

Quote:
Originally Posted by Nick
Run the Notification Server setup, http://localhost/Altiris/NS/Install/NSSetup.aspx. This link will rerun the last portion of the notification server installation, i.e. the setup and will allow the application identity and its password to be set, ....
I thought if you wanted to reset the Application Identity password all you had to do was modify it on the Application Identity page under Configuration Tab \ Server Settings \ Notification Server Settings \ Application Identity. Then click Apply and Restart Service. Isn't that *why* Altiris put that page there??

I'm curious, why do you recommend this other procedure of running nssetup.aspx (and of course repairing the HF from Add/Remove)...

Is the Application Identity page setting not reliable or something?? Is this a "hidden feature" of NS that is simply not documented?
theone97 is offline   Reply With Quote
Old 02-03-2006, 09:12 AM   #13 (permalink)
 
Status: Super Altiris Admin
Join Date: 05-09-2005
Location: Herndon
Posts: 176


Any Takers????

Quote:
Originally Posted by scaudill
I thought if you wanted to reset the Application Identity password all you had to do was modify it on the Application Identity page under Configuration Tab \ Server Settings \ Notification Server Settings \ Application Identity. Then click Apply and Restart Service. Isn't that *why* Altiris put that page there??

I'm curious, why do you recommend this other procedure of running nssetup.aspx (and of course repairing the HF from Add/Remove)...

Is the Application Identity page setting not reliable or something?? Is this a "hidden feature" of NS that is simply not documented?
So, any takers on this one?
theone97 is offline   Reply With Quote
Old 02-06-2006, 01:16 PM   #14 (permalink)
 
Status: Super Altiris Admin
Join Date: 05-09-2005
Location: Herndon
Posts: 176


Anyone? Anyone?

Anyone?? (a tumbleweed blows by....)
theone97 is offline   Reply With Quote
Old 02-06-2006, 01:24 PM   #15 (permalink)
 
Nick's Avatar
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,981


I'm not positive on this. I have always used the nssetup.aspx for changing.
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 02-21-2006, 01:02 AM   #16 (permalink)
 
Status: Super Altiris Admin
Join Date: 05-09-2005
Location: Herndon
Posts: 176


Hi There...

I think I found a possible answer to my question. I am taking a class and the prof said that when you change the application ID on this page it does not update the SQL credentials (if you are using application identity for SQL connectivity) and that's why you have to run nssetup.aspx to fix it....

Anyway, thought I'd put my 2 cents in..

Steve
theone97 is offline   Reply With Quote
Old 03-04-2006, 05:08 AM   #17 (permalink)
 
kschroeder's Avatar
 
Status: Symantec Trusted Advisor
Join Date: 03-08-2005
Location: St. Louis, Missouri, USA
Age: 33
Posts: 420


Not sure but...

I think I remember seeing something about this in the SP3 release notes that it had been fixed in the SP3. Haven't tried it myself though, so the NSSetup.aspx will stay on my list. I'm sure that my 180 day mandatory password change is coming up soon...argggh!
kschroeder is offline   Reply With Quote
Old 03-14-2006, 02:00 PM   #18 (permalink)
 
Status: Altiris Admin
Join Date: 03-14-2006
Location: Dallas, Texas
Posts: 92


Hello,

Thought I would share what I have run across. When running the NSConsole setup this can reset your built-in permissions, which is good if you jacked your permissions but bad if you customized them like crazy.

Note: It will keep custom role permissions set in place on anything you created manually in your console but will reset all inherits regardless.

Below are the recommended steps for resetting the NS Password under SP2 using Mixed mode SQL auth. If using pure SQL you will need to adjust it manually in your database.

1st: Change password in the NS Console (Application Identity)
---If you have multiple NS's using the same account, change it on each NS before changing in AD or you will not be able to logon the console.
2nd: Change password in AD
3rd: Change password on all Altiris Services
Example: Message Dispatcher, NS Receiver, etc...
4th: Reboot (just because it's Windows hehehe)
5th: Test your console locally and remote.

If you jack up the NS, then re-install the console (NSsetup.aspx). But keep in mind it can reset your built-in permissions and inherited groups on all default collections, reports etc...

I hope this helps and let me know if you know of better options.

Last edited by wchannell; 03-14-2006 at 02:18 PM..
wchannell is offline   Reply With Quote
Old 03-22-2006, 10:01 AM   #19 (permalink)
 
kschroeder's Avatar
 
Status: Symantec Trusted Advisor
Join Date: 03-08-2005
Location: St. Louis, Missouri, USA
Age: 33
Posts: 420


There is a KB article about this now too:
http://kb.altiris.com/article.asp?article=19003&p=3

It is not terribly clear, but I think this means you should change the domain password first then run AeXConfig.exe as per the article. It's a bit of a "chicken and the egg" problem, plus you have to contend with the possibility of the account getting locked out again if someone tries to access the console between the time you change the password and update the NS.
kschroeder is offline   Reply With Quote
Old 05-23-2006, 02:26 PM   #20 (permalink)
 
ldeahl's Avatar
 
Status: Altiris Admin
Join Date: 08-04-2005
Location: Union, NJ
Posts: 55


more questions...

If you have software Dist. packages in effect (policies enabled) and the package says to run as a specific user (say MYDOMAIN\Altiris which is an admin since local users may not be....) does this procedure change the embedded pw info?

Is the pw info in the package delivered to the client PCs? If so, does it update with the new info?

I work more in DS than NS and there's a Task Password option to let you globally change user credentials when they are embedded in tasks in DS ..what's the equivalent in NS?

We recently changed our service acct pw and had the acct constantly lock out from various users' machines so I suspect NS' software dist jobs were using cached creds.

We need to change our service acct pw every 90 days so I'm creating a script to change the domain password and then change the altiris services (DS and NS) that have it cached. I need to determine how to automate the DS task changes and what to do with NS as a whole...(App ID, cached sw dist passwords, etc...). Not to mention the same acct is embedded in the boot disk images for DS...

Don't suppose anyone has a doc or white paper that covers all of this, huh?
__________________
LDeahl
ldeahl is offline   Reply With Quote
Old 05-23-2006, 03:13 PM   #21 (permalink)
 
kschroeder's Avatar
 
Status: Symantec Trusted Advisor
Join Date: 03-08-2005
Location: St. Louis, Missouri, USA
Age: 33
Posts: 420


LDeahl,
No, this procedure will not modify that username/password combo in a SWD package; the username/password is stored (encrypted) within the database (and in fact it appears it is not even displayed encrypted when you export the package to an XML file in my test I just did). Actually I can't even figure out where it is hidden in the database; it seems like it should be in the Password column of the SWDProgram table, but my test case shows a blank value for that field (though viewing the Program again shows a masked password intact). Must be some behind the scenes security going on there...
__________________
Kyle Schroeder
Symantec Trusted Advisor (TA)
(Yeah, at the other site)
kschroeder is offline   Reply With Quote
Old 05-25-2006, 10:13 AM   #22 (permalink)
 
skakid's Avatar
 
Status: Super Altiris Admin
Join Date: 05-11-2006
Location: Kansas City, MO
Posts: 307


If I'm using the same service account for my DS where do I make the changes for that?
skakid is offline   Reply With Quote
Old 05-25-2006, 10:29 AM   #23 (permalink)
 
ldeahl's Avatar
 
Status: Altiris Admin
Join Date: 08-04-2005
Location: Union, NJ
Posts: 55


List of places to change PW

Assuming your domain service acct is used in your tasks (DS or NS), here's where I initially see changes being required. I'll add to the list as I think of more...everyone else, feel free to critique/add, etc.


AD Domain svc acct
Services on DS and NS servers that run as domain service acct.
Tasks in DS (Use the Task Password tab in the DS options..)
DS Boot Disks used in PXE booting (logon to Express share F:..)
NS - Application Identity
NS agent's SWD tasks and packages that are set to run as a domain acct.

Any more?
Also..I found a PWUtil.exe in the express share while looking for a way to script the DS task password changes...anyone know what it is?
__________________
LDeahl
ldeahl is offline   Reply With Quote
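
Added example, not written by any poster in this thread and not Altiris code: one way to cover the "Services on DS and NS servers that run as domain service acct" item above (step 3 of the earlier SP2 procedure) without hunting for each service by hand. The server names are hypothetical placeholders, and it assumes PowerShell 5.0 or later with CIM/WinRM access to the servers, which the Server 2003 hosts discussed here did not ship with.

```powershell
# Added example (not from the thread): find Windows services that log on as a
# given domain account and, with -Update, set the new password on each.
# Assumes PowerShell 5.0+ and CIM/WinRM access to the listed servers.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @('NS01', 'DS01'),  # hypothetical server names
    [string]$Account = 'MYDOMAIN\Altiris',         # example account from the thread
    [switch]$Update                                # omit for inventory only
)

# WQL string literals need backslashes doubled: MYDOMAIN\Altiris -> MYDOMAIN\\Altiris.
# Services registered under another spelling (UPN form, .\name) will not match.
$filter = "StartName = '{0}'" -f $Account.Replace('\', '\\')

$services = @(foreach ($computer in $ComputerName) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
            -Filter $filter -ErrorAction Stop
    } catch {
        # An unreachable server is reported, not silently skipped.
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
})

# Inventory: review this list before changing anything.
$services | Sort-Object PSComputerName, Name |
    Select-Object PSComputerName, Name, State, StartMode, StartName

if ($Update -and $services.Count -gt 0) {
    # Prompt instead of taking the password as a parameter, so it does not
    # end up in command history or a scheduled-task definition.
    $secure = Read-Host -AsSecureString -Prompt "New password for $Account"
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    foreach ($svc in $services) {
        $target = '{0}\{1}' -f $svc.PSComputerName, $svc.Name
        if ($PSCmdlet.ShouldProcess($target, 'Set service logon password')) {
            # Win32_Service.Change returns 0 on success; other codes are errors.
            $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                -Arguments @{ StartName = $svc.StartName; StartPassword = $plain }
            if ($result.ReturnValue -ne 0) {
                Write-Warning "${target}: Change returned $($result.ReturnValue)"
            }
        }
    }
    # The new logon takes effect the next time each service starts.
}
```

Run it without `-Update` first to get the inventory, and add `-WhatIf` to see which services would be changed. It only touches Windows service logons; the Application Identity, DS task passwords, boot disks and SWD packages in the list above still have to be handled in their own tools.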
Old 08-24-2006, 11:17 AM   #24 (permalink)
 
Status: Super Altiris Admin
Join Date: 02-24-2006
Location: Ohio
Age: 28
Posts: 236


Ugh, this is the worst thing I've done.

We changed the password in AD, re-ran NSSetup.aspx, and now the account is continuously being locked.
JDS300 is offline   Reply With Quote
Old 08-24-2006, 11:22 AM   #25 (permalink)
 
kschroeder's Avatar
 
Status: Symantec Trusted Advisor
Join Date: 03-08-2005
Location: St. Louis, Missouri, USA
Age: 33
Posts: 420


JDS300:
This is probably because you have the ACC set to "Use application identity" for accessing packages. So your clients haven't retrieved the new password yet (still using the old cached one) and are locking the account out. To fix it:
  1. Configuration > Altiris Agent > AA Configuration > Global Altiris Agent Settings
  2. Click the Authentication tab
  3. Change from "Use application identity" to "Use specified credentials" and put in a low-rights service account/password.
You'll still have to wait for all your clients to get the new configuration, but once that goes through you should be OK.
__________________
Kyle Schroeder
Symantec Trusted Advisor (TA)
(Yeah, at the other site)
kschroeder is offline   Reply With Quote