Run As Account wrongly distributed

  • Question

  • Hi,

    I am new to SCOM and MP development. I have a number of issues configuring a Management Pack for OpsMgr 2007 R2. (I am currently running CU3 for OpsMgr 2007 R2.) There have been three attempts to configure the Management Pack to talk with our two Chassis. Each time has resulted in a massive amount of alerts being sent out from all of our installed agents. I used a less secure Run-As Account that uses Simple Authentication. Once this is done and applied to the particular Profiles, the Run-As Account gets distributed to all OpsMgr agents and management servers. Once this occurs, a massive amount of alerts are generated with failures related to the Run-As Account. In my second attempt, I used a more secure Run-As Account and manually distributed the Run-As Account to just the management servers. This also resulted in a massive flood of alerts from all agents. In the third attempt, I only applied the more secure Run-As Account to a particular class and I again started to experience unexpected alerts.

    The more prominent errors are "Secured Reference Override Failure" and "Script or Executable Failed to Run", which show the Account credential distributed to the management server, but the MP is only meant to communicate with a particular server. Is there a problem in my MP implementation, or is this normal?

    I guess that if this is a problem, then my implementation of Computer Discovery is not properly done, as I used Target="$Reference/Windows$Microsoft.Windows.Computer". Is this distributing the credentials to all managed servers? How can I design filters for this problem in the MP?

    Thanks,

    Ravi

    Monday, May 16, 2011 5:22 AM

All replies

  • I guess that if this is a problem, then my implementation of Computer Discovery is not properly done, as I used Target="$Reference/Windows$Microsoft.Windows.Computer". Is this distributing the credentials to all managed servers? How can I design filters for this problem in the MP?

    Thanks,

    Ravi

    If you target to all windows computers and also target your credentials to all computers, it will be distributed to all computers. First make sure you can identify your target with a target-specific class (so not windows.computer). And then target the accounts to be distributed to that class only.

    Regards,
    Marc Klaver
    http://jama00.wordpress.com/
    Monday, May 16, 2011 8:33 AM
  • Yes, I have implemented it in the same way: if there is a Chassis class, then it is inherited from <Name>.Device, which is inherited from <Name>.Entity, then <Name>.Object and finally System.Perspective. But there is no class targeting Windows.Computer. Instead there is a class <Name>.Computer which inherits from Microsoft.Windows.Computer, and I cannot find the use of this class. So I just need to know how I can restrict it to those classes which I select in the More Secure option?

    One more thing: after selecting a particular class as target in the Run As profile assignment (say Blade Server), the server monitoring works fine, but I get "Secured Reference Override Failure" associated with all other classes which are not selected:

    The Health Service on computer <Management Server> failed to resolve SecureReference override. This issue may affect multiple instances. Additional details: Account for RunAs profile in workflow "<Name>.89c01be22df24fbba8e510aefeb8755f.ChassisFan.General.Rule", running for instance "Fan 1" with id:"{...}" is not defined. Workflow will not be loaded. Please associate an account with the profile. Management group "<Management Group Name>"

    The Health Service on computer <Management Server> failed to resolve SecureReference override. This issue may affect multiple instances. Additional details: Account for RunAs profile in workflow "<Name>.f724d23d3ed84cc5bd265d2dc5da5f6c.ChassisFan.Discovery", running for instance "Fan Module 5" with id:"{...}" is not defined. Workflow will not be loaded. Please associate an account with the profile. Management group "<Management Group Name>"

    and many more....

    Thanks,

    Ravi

    • Marked as answer by Yog Li Wednesday, May 25, 2011 9:49 AM
    Monday, May 16, 2011 10:19 AM
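
Added example, not part of the thread: a small triage script that reads "failed to resolve SecureReference override" alert descriptions like the two quoted above and groups them by component, so you can see which classes still run workflows under the Run As profile without an associated account. The server name, the `Example.Chassis` prefix, the `ChassisPsu` alert and the grouping on the name segment after the 32-character hex id are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the alert description format quoted in the post above.
ALERT_RE = re.compile(
    r'on computer (?P<server>\S+) failed to resolve SecureReference override\..*?'
    r'in workflow "(?P<workflow>[^"]+)", running for instance "(?P<instance>[^"]+)"',
    re.DOTALL,
)
# Assumption: workflow ids look like <prefix>.<32 hex chars>.<Component>.<rest>.
HEX_ID_RE = re.compile(r'\.[0-9a-f]{32}\.(?P<component>[^.]+)')

def component_of(workflow):
    """Return the name segment after the hex id, or the whole id if none is found."""
    m = HEX_ID_RE.search(workflow)
    return m.group("component") if m else workflow

def summarize(alerts):
    """Group unresolved Run As profile alerts by component."""
    summary = defaultdict(lambda: {"workflows": set(), "instances": set(), "servers": set()})
    for text in alerts:
        m = ALERT_RE.search(text)
        if not m:
            continue  # some other alert type, e.g. a script failure
        entry = summary[component_of(m.group("workflow"))]
        entry["workflows"].add(m.group("workflow"))
        entry["instances"].add(m.group("instance"))
        entry["servers"].add(m.group("server"))
    return dict(summary)

# Constructed sample input; names below are placeholders, not values from a real system.
_TEMPLATE = ('The Health Service on computer MS01.example.local failed to resolve '
             'SecureReference override. This issue may affect multiple instances. '
             'Additional details: Account for RunAs profile in workflow "{wf}", running '
             'for instance "{inst}" with id:"{{...}}" is not defined. '
             'Workflow will not be loaded.')
SAMPLE_ALERTS = [
    _TEMPLATE.format(wf="Example.Chassis.89c01be22df24fbba8e510aefeb8755f.ChassisFan.General.Rule", inst="Fan 1"),
    _TEMPLATE.format(wf="Example.Chassis.f724d23d3ed84cc5bd265d2dc5da5f6c.ChassisFan.Discovery", inst="Fan Module 5"),
    _TEMPLATE.format(wf="Example.Chassis.00000000000000000000000000000000.ChassisPsu.Discovery", inst="PSU 1"),
    "Script or Executable Failed to Run (constructed, unrelated alert)",
]

if __name__ == "__main__":
    for component, info in sorted(summarize(SAMPLE_ALERTS).items()):
        print(component, sorted(info["instances"]), sorted(info["servers"]))
```

Each component listed corresponds to a class whose workflows reference the profile but fall outside the current account association; the `servers` set shows where the Health Service tried to load them.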