Orion is locking me out of Active Directory

Updated July 10th, 2017

Overview

If you are being locked out of Active Directory while working in Orion products, Orion may be repeatedly trying to log in to Active Directory using expired or mistyped credentials. This issue can also occur if you are trying to access the internet through a proxy server for which you use Active Directory authentication.

Environment

All Orion Core products 

Resolution

Account lockout due to expired or mistyped credentials can occur in several areas. Check, and where needed, correct the following credential issues:

  • Orion Windows Credentials for WMI 
    These credentials may also be used for SAM with "Inherit Credential From Node"
    • Log in to the Web Console
    • Settings > All Settings
    • Manage Windows Credentials
  • Orion Scheduled Tasks
    • A common task scheduled in Orion is unmanaging elements. These tasks appear in the Task Scheduler Library on the Windows server. Check the credentials used for these jobs.
  • Orion Discovery Jobs
    • Settings > All Settings > Discovery Central.
    • Check whether each job specifies credentials for WMI polling.
  • SAM
    • Log in to the Web Console
    • Settings > All Settings
    • SAM Settings
    • Credentials Library
  • NCM
    • Check Scheduled Tasks in Windows Server 2003 or Task Scheduler in Windows Server 2008/2012/2016 for any jobs running under your credentials.
    • The jobs are set in Schedule > Display Edit / Jobs in NCM.
  • IPAM
    • Log in to the Web Console
    • Settings > All Settings
    • IPAM Settings
    • Manage DHCP Servers
    • Edit the Servers and verify the credentials
  • VIM / IVIM (vCenter Polling)
    • Log in to the Web Console
    • Settings > All Settings
    • Virtualization Settings
    • VMware Credentials Library
  • UDT
    • Log in to the Web Console
    • Settings > All Settings
    • UDT Settings
    • Manage Active Directory Domain Controller
    • Edit the Servers and verify the credentials
  • Orion Services in Service Manager
    • If the services run under Windows credentials instead of the LocalSystem account, ensure the account is exempt from the password policy that requires changing the password every xx days.
    • This can be verified via Run > Services.msc and checking the "Log On As" column.
  • Alerts with Actions
    • Log in to the Web Console
    • Settings > All Settings
    • Manage Alerts
    • Action Manager
    • Group By Action Type
    • Check Actions such as "Execute an External Program" for credentials
  • Mapped network drives
    • Remote Desktop to the SolarWinds server
    • Open an Administrative Command Prompt
    • Run the command:
      net use
    • Check the mapped shares for the credentials
    • You can also check Credential Manager on the server, or run the command:
      cmdkey /list
  • Remote desktop (RDP) sessions
    • Check the AD credentials that are saved for remote desktop sessions.
    • RDP session timeouts - If the RDP sessions do not have a session timeout set for the SolarWinds Orion server, the AD account can be locked out based on the enforced policy.
  • License Manager proxy settings
    • See below
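
One way to sweep the server-side items in the checklist above (service logon accounts, scheduled tasks, mapped drives, Credential Manager) for a single account. This is an added example, not SolarWinds code; the account name CONTOSO\jdoe is a constructed placeholder, and the credentials stored inside the Orion Web Console still have to be checked by hand.

```powershell
# Added example, not SolarWinds code. Run elevated on the Orion server, in the
# session of the user whose saved credentials you want to check.
param([string]$Account = 'CONTOSO\jdoe')   # constructed sample value

$user = ($Account -split '\\')[-1]
# Match DOMAIN\user, user@domain, or the bare user name as a whole token
$rx = '(^|[\\\s]){0}(@|\s|$)' -f [regex]::Escape($user)

$found = @()

# Orion services: the "Log On As" column in services.msc is Win32_Service.StartName
$found += @(Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $rx } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Item = $_.Name; Account = $_.StartName } })

# Scheduled tasks (ScheduledTasks module, Windows Server 2012 and later)
$found += @(Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $rx } |
    ForEach-Object { [pscustomobject]@{ Source = 'ScheduledTask'
        Item = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId } })

# Mapped network drives: the structured equivalent of "net use"
$found += @(Get-CimInstance Win32_NetworkConnection | Where-Object { $_.UserName -match $rx } |
    ForEach-Object { [pscustomobject]@{ Source = 'MappedDrive'; Item = $_.RemoteName; Account = $_.UserName } })

# Credential Manager: parse "cmdkey /list", keeping the Target line above each User line
$found += @(cmdkey /list | Select-String -Pattern $rx -Context 2, 0 | ForEach-Object {
    $lines = @($_.Context.PreContext) + $_.Line
    [pscustomobject]@{ Source = 'CredentialManager'
        Item = ($lines | ForEach-Object { $_.Trim() }) -join '; '; Account = $Account }
})

$found | Format-Table -AutoSize -Wrap
```

Mapped drives and Credential Manager entries are per-user, so repeat the run for each interactive or service account that logs on to the server.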

 

Additionally, extract more information from the Security Event logs of the Domain Controller. Information about the Caller Process ID and the Caller Process Name can help determine the cause of the account lockout.
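
The query below pulls that information for one account from the Security log. This is an added example, not part of the original article; the event IDs 4740 (account locked out) and 4625 (failed logon), the account name jdoe and the 24-hour window are assumptions chosen here.

```powershell
# Added example: list lockout (4740) and failed-logon (4625) events for one account.
# Run in an elevated session on the Domain Controller.
param(
    [string]$User  = 'jdoe',   # constructed sample account name
    [int]   $Hours = 24        # how far back to search (assumed window)
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <EventData> name/value pairs into a hashtable
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events for the account under investigation (case-insensitive)
    if ($data['TargetUserName'] -ne $User) { return }

    [pscustomobject]@{
        Time              = $_.TimeCreated
        EventId           = $_.Id
        Account           = $data['TargetUserName']
        # In 4740 the caller computer name is stored in the TargetDomainName field
        CallerComputer    = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['WorkstationName'] }
        SourceIp          = $data['IpAddress']      # 4625 only
        CallerProcessId   = $data['ProcessId']      # 4625 only
        CallerProcessName = $data['ProcessName']    # 4625 only
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the caller computer turns out to be the Orion server, running the same query there shows which local process submitted the failing credentials.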

You can also run the Microsoft Account Lockout Status tool on the Domain Controller to gather more detailed information about the reason why the account gets locked out. To download the tool, search for Account Lockout Status at the Microsoft Download Center.

 

Setting up an AD account for a proxy server

Create a dedicated AD account to be used exclusively for products and services to access the internet through a proxy server.

The account should meet the following requirements:
  • The account password should never expire. To avoid automatic password change, the account should belong to a different Group Policy Object in AD.
  • Because this account is used for impersonation, it should only have limited rights. For example, it should not have remote desktop access.

For more related information, consult Microsoft TechNet at http://technet.microsoft.com/en-US/

 

Setting up License Manager to use a proxy (where applicable)

After setting up an account that meets the requirements, check and modify the proxy settings of License Manager:

  1. Click Start > All Programs > SolarWinds > SolarWinds License Manager.
  2. Select any product from the list, and then click Upgrade.
  3. Enter any activation key, and check the proxy settings. If the proxy settings contain the old, expired account name and password, update the settings with an account that fulfills the requirements listed above.

 

Setting up the Java Installer to use a proxy (where applicable)

If the account still gets locked out after fulfilling the requirements above, make sure that the Java installer does not use credentials belonging to a personal AD account.

To check your Java settings:

  1. Go to Control Panel > Java > General.
  2. Click Network Settings.
  3. Select Use proxy server, and then click Advanced.

 

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

Last modified
08:41, 10 Jul 2017
