What are the single sign-on options under Configure Services?
Single Sign-On allows users to login to the Win Console without requiring credentials to be entered. Below are the three options:
The following article contains information on manipulating your database.
It is CRITICAL that you have a full backup of your database prior to making any modifications to the database.
Failure to backup your database may result in permanent loss of some, or even all data.
Please consult with your DBA where applicable.
Attached is a SQL Query that will delete a console user and all of their associated details. This should only be used as a last resort, as you will lose data.
Any objects owned by that user will be removed, including (but not limited to)
This script is NOT supported by Ivanti. Use at your own risk.
In the script, you will need to provide the username of the user. The place to do so is indicated in the SQL script itself.
This document was created to cover various reasons why the agent won't communicate with the core server.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, Value name: ClientAuthTrustMode, Value type: REG_DWORD, Value data: 2
Any pop up window from the console, usually under agent settings or Patch and compliance, will not open. The button will be clicked and nothing else happens.
Please run the following command on the core server database. Be sure that you are taking the proper backups and snapshots prior to making any database modifications.
begin tran delete from KEYVALUE WHERE APPLICATIONNAME = 'SWDTaskSettings' AND KEYNAME = 'DefaultTaskOptions' commit
Once this is done running, relaunch the console and test creating a task.
Symptom:
In the LDMS 9 Webconsole under administration preferences you receive the following red text error on the license page Error "Exception: Conversion failed when converting the nvarchar value
"
Resolution:
ApplyDownload the Latest Service Pack for Ivanti / LANDESK Software Products or patch WEB-4202390
Workaround:
This error can be resolved by removing a row from the database. (make sure to back up database before doing any delete statements)
In SQL Server Manager open a new query under the LDMS Database instance
Select * from CoreConfiguration
Note: Depending on configuration this table might return multiple rows. Find the row with the configuration name AgentDiscovery this is the row we need to remove.
In this example the delete statement would be:
delete from coreconfiguration where coreconfiguration_idn = 2
Some users have seen problems with installing the LANDesk Management Console for LDMS 9 on a Windows Vista machine. The client machine will pass the prerequisite checker, but then once the installer starts, an error is presented that "The following prerequisite components are Missing: Microsoft .NET 2.0 or 3.0 must be installed". This will appear despite having .NET installed, even up to version 3.5 SP1. This will happen on any Vista or Server 2003 computers that have IIS or IIS components installed or active, but do not have the ASP.NET components installed. Normally this occurs on Vista when the client machine has Exchange management tools installed.
This appears to be caused by a conflict on the Windows Vista computer with IIS and .NET. The prerequiste checker correctly identifies Microsoft .NET installed on the machine, but the setup application checks to see if IIS is installed, it then checks to see if the ASP.NET functionality is installed on the IIS component.
This can be resolved by installing the ASP.NET on the target computer or removing the Application Server Role. To do this, open the "Turn Windows features on or off" dialog (Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off) and install the ASP.NET component (Internet Information Services -> World Wide Web Services -> Application Development Features -> ASP.NET)
Once this is installed, restart the Remote Console installation and it should complete successfully.
When logging into the Web Console you receive the error:
"Unable to validate user with the database".
With Log events turned on you will receive the following Event Viewer Error:
"OracleSQLServerName: TNS:could not resolve the connect identifier specified."
HKLM\Software\LANDesk\ManagementSuite\Core
Type: DWORD
Name: LogEvents
Value: 1
The description for Event ID ( 0 ) in Source ( LANDesk Abstraction Layer ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Request to get database connection string.L01NTLDK01 specified as core. |
Resolution
LANDesk has no information on this other than that we are attempting to hit the following site and proxy authentication is failing:
https://CoreServer/landesk/managementsuite/core/ssl/information/databaseinformation.asmx
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5b2c0358-915b-4eb5-9b1d-10e506da9d0f "Console Initialization Error: The connection was not closed. The connection's current state is open."
Checking the console log (C:\Program Files\LANDesk\Management Suite\Console.exe.log) will bring up errors similar to these one's listed below:
5/18/2009 3:48:27 PM : Open database failed: The connection was not closed. The connection's current state is open.
Console commands run as the user logged into the Operating System not the User Logged into the Console.
Many security models require that users log into windows operating system as a user with minimal priviliges, and use a user with more rights only when necessary.
| This users has minimal privileges. |
| This users more privileges and when necessary process should be elevated to run as this user. |
If this security model is used, it often occurs that users launch the 32-bit Console without switching users but then log into the 32-bit Console as the privileged user.
Many Console actions, especially right-click actions such as Remote Control, will fail or result in a prompt for credentials.
See the following article for more information:
Remote Control - Understanding the User Accounts Involved in Remote Control
Running the Console.exe process as a as the minimally-privileged user but logging into the Console as a privileged user does not cause processes launched by Console actions to occur as that privileged user. Instead processes are launched as the minimally-privileged user, which is logged into the operating system.
The Console.exe process should always be launched as the privileged user.
To accomplish this change the 32-bit Console shortcut to prompt for the user when launched.
The purpose of this article is to connect to a off core SQL Server without using LANDesk technology to ensure database connectivity. A connection will be created from the LDMS core server to the SQL server using Microsoft’s SQLCMD.exe tool. SQL activity monitor will be used to monitor the connection watching for the connection to drop. If the connection drops it can be concluded that there is an issue with network connectivity between SQL and the Core that will need to be resolved before further troubleshooting can be done.
Tools Needed
Microsoft SQL Server Command Line Query Utility SQL 2008
Microsoft SQL Server 2008 Command Line Utilities
The SQLCMD utility allows users to connect to, send Transact-SQL batches from, and output rowset information from SQL Server 7.0, SQL Server 2000, SQL Server 2005, and SQL Server 2008 instances. The bcp utility bulk copies data between an instance of Microsoft SQL Server 2008 and a data file in a user-specified format. The bcp utility can be used to import large numbers of new rows into SQL Server tables or to export data out of tables into data files.
Note:
This component requires both Windows Installer 4.5 and Microsoft SQL Server Native Client
Microsoft SQL Server 2008 Feature Pack, October 2008 link
Microsoft SQL Server 2008 Command Line Utilities
X86 Package(SqlCmdLnUtils.msi) - 7234 KB
X64 Package (SqlCmdLnUtils.msi) - 12212 KB
IA64 Package(SqlCmdLnUtils.msi) - 16515 KB
Microsoft SQL Server 2008 Native Client
X86 Package (sqlncli.msi) - 4549 KB
X64 Package (sqlncli.msi) - 7963 KB
IA64 Package (sqlncli.msi) - 11112 KB
Steps for testing
Core Side
If the connection is successful you will see a >1 on your screen.
For a full list of switches for SqlCmd refer to this MSDN article.
SQL Server Side
At this point you will want to view the activity monitor on the SQL server to see if the connection has stayed up. Viewing the activity monitor at the end of the day or the next day will determine if there have been any disconects. SQL command line utility will not reconnect if there is a drop either by SQL or network. The application name(SQLCMD) is listed in application column of Activity Monitor so it is easy to identify the sqlcmd connection.
From within the LANDesk Console one of the more useful features is the ability to right click a machine and perform administrative tasks.
Some of these tasks are:
Request an inventory scan
Wake up a machine
Shut down a machine
Request a Security scan
When one of these options is selected the LANDesk console make a call to IIS and passes the command line parameters to the core.secure/corerequest.asmx page.
The URL for this page on the core server is:
http://localhost/landesk/managementsuite/core/core.secure/corerequest.asmx
This page is seen here being accessed from the core server.
Each command requires a client side identifier, this can be the Machine GUID (found in the registry under HKLM\Software\Landesk\Common API) or the machines IP address.
If the right click commands fail to run, check the following.
1. Can theCoreRequest page be browsed from the Console running the commands?
http://[core server name]/landesk/managementsuite/core/core.secure/corerequest.asmx
2. Verify that the command is being sent from the core server.
On the core server under the \\[Your Core Server]\LDMAIN share the raxfer.log file will store the attempt to run the remote execute.
<block>Thu, 19 Mar 2009 10:20:56 4724 388 Performing remote execute, target 10.16.228.214:9594, hash 5b5c5c77</block>
3. Verify that the command was recieved on the client. In C:\Program Files\LANDesk\Shared Files\servicehost.log the command line parameters will be displayed.
<block>
Thu, 19 Mar 2009 10:36:14 2608: Exec: Exec: Launch request <"C:\Program Files\LANDesk\LDClient\vulscan.exe" /id=7 /run ldiscn32.exe /NTT=slc-smith-88:5007 /S="slc-smith-88" /I=HTTP://slc-smith-88/LDLogon/ldappl3.ldz /NOUI> (sync 0, timeout 300)
</block
Problem:
Possible resolutions:
iisreset
Note: Running a directory at the command prompt may be necessary to determine that this folder is empty. Several problems have happened when opening the folder in Windows Explorer and it contains 65,000+ files.
Note: Sometimes the temp directory is not at C:\Windows\Temp. This is dependent on the OS configuration. Alternative options include C:\WinNT\Temp. The best way to find the correct directory is to open a command prompt and run:
cd %windir%\tempor select Start -> Run and run:
%windir%\temp
Please check with particular care for the presence of any additional Temp folders that you may have defined in your environment. Not erasing the correct temp folder will result in failure of the resolution of your issue.
The 32-bit console shows the last logged in user. Can showing the last username in the 32-bit console be disabled?
Yes.
1. Open theCoreConnectionMRU.xml with a text editor and remove the username.
2.Thenset the CoreConnectionMRU.xml to read only.
Note:This must be done separately on the Core and the Remote 32-bit consoles.
The following is a twenty minute E-Learning session to help you understand the cause of the error "Unable to validate the current user with the database" when logging into the web console.
It explains the error, shows you have to duplicate the error, shows you why the error occurs, and finally how to resolve the error.
This document is created to provide an LDMS 8.8 matrix that will help indicate when the Web Console will successful authenticate versus when authentication fails with: "Unable to validate the current user with the database".
Failure to authenticate to the Web Console results in the following error:
Unable to validate the current user with the database.
For more information on this error, please see the following community article:
Web Video: Unable to validate the current user with the database
| Domain Function Level | How is the web console user added to the LANDesk Management Suite Group on the Core Server? | Domain Group type | Nested? | Nested Group Type | LANDesk1 COM+ Application Identity | Result | Community Article |
|---|---|---|---|---|---|---|---|
| Mixed mode | Domain user is not in the LANDesk Management Suite Group | n/a | No | n/a | Default | Unable to validate the current user with the database | DOC-3005 |
| Mixed mode | Domain user is directly added. | n/a | No | n/a | Default | Successfully logs in. | n/a |
| Mixed mode | User is in a Domain Security - Global group which is added. | Security Group - Global | No | n/a | Default | Successfully logs in. | n/a |
| 2000 Native | Not tested (but is assumed to be the same as 2003 Native) | n/a | n/a | n/a | n/a | n/a | n/a |
| 2003 Native | Domain user is directly added | n/a | No | n/a | Default | Successfully logs in. | n/a |
2003 Native | User is in a Domain Security - Global group which is added. | Security Group - Global | No | n/a | Default | Successfully logs in. | n/a |
| 2003 Native | User is in a Domain Security - Global group nested in another Domain Security - Global which is added. | Security Group - Global | Yes | Security Group - Global | Default | Unable to validate the current user with the database | DOC-3006 |
| 2003 Native | User is in a Domain Security - Global group nested in another Domain Security - Global which is added. | Security Group - Global | Yes | Security Group - Global | Domain User | Unable to validate the current user with the database | DOC-3007 |
| 2003 Native | User is in a Domain Security - Global group nested in another Domain Security - Global which is added. | Security Group - Global | Yes | Security Group - Global | Domain User also in the LANDesk Management Suite group. | Successfully logs in. | n/a |
| 2003 Native | User is in a Domain Security - Local group which is added. | Security - Domain Local | No | n/a | Default | Unable to validate the current user with the database | DOC-3008 |
| 2003 Native | User is in a Domain Security - Local group which is added. | Security - Domain Local | No | n/a | Domain User also in the LANDesk Management Suite group. | Unable to validate the current user with the database | DOC-3009 |
| 2003 Native | User is in a Domain Security - Local nested in another Domain Security - Global group which is added. | Security - Domain Local | Yes | Security - Domain Local | Domain User also in the LANDesk Management Suite group. | Unable to validate the current user with the database | DOC-3009 |
If the LANDesk1 Com+ Identity information is correctly a domain user that is in the LANDesk Management Suite group on the Core Server and this error still occurs, the following table contains other causes:
| Problem | Community Article |
|---|---|
| Account used for the LANDesk1 COM+ Application Identity is disabled | DOC-3010 |
| Account used for the LANDesk1 COM+ Application Identity is locked | DOC-3012 |
| Account used for the LANDesk1 COM+ Application Identity has had a password change | DOC-3015 |
| Server Certificate is missing in IIS possibly due to restoring to an IIS backup | DOC-3016 |
========================================
To Create a Column Set
========================================
1. Click Tools | Administration | Column Set Configuration
2. Right click My Column Set and click New Column Set...
3. In the Column Configuration dialog, enter a name for the new column set
4. Select inventory attributes from the list and add them to the Columns list by clicking Add to columns. Remember to select attributes that will help you identify the devices in the device list or returned by the query
5. (Optional) You can customize how and where the columns appear in the network view by directly editing a component's heading, alias, and sort order fields; or by removing or moving the selected component up or down in the list with the available buttons
6. (Optional) You can specify more precise qualifying data for software components. Select the software component, click the Qualify button, and then select a primary key value from the list of available values
7. Click OK to save the column set
========================================
To Apply a Column Set
========================================
1. Click and drag the column set into the network view on the right or drag over the device group on the left
NOTE: Some inventory items may have more than 1 result. If that's the case duplicate devices may show in the console to represent each entry.
For more information, see page 31-33 of theThe specified item was not found.
***NOTE*** At this time you are not able to set custom column sets for the scheduled tasks tool.
Selecting "manage local users and groups" on a device returns no information
One resolution for this issue is to ensure that the ASP.NET account has read permissions on the Inetpub folder on the LANDesk Core Server.
***Following is more troubleshooting information***
Troubleshooting and log files
Console calls a core webservice to contact CBA and run \ldclient\localaccount.exe on client to perform the local user query or modification.
1- Console.exe.log
Checking console log is a good start, it will record the detail error information when 'Manage local users and groups' window get blank. Most common cause for this issue is wrong IIS permission and directory security setting, console will log the detail http error like "Server Unavailable"...
Console log path: Core or Addition console
\Program Files\LANDesk\ManagementSuite\Console.exe.log
2- Web service access
A. Please confirm following URL can be access from core server or additional console,
http://<corename>/landesk/managementsuite/core/core.secure/LDRemoteManageAccount.asmx
***Replace <corename> by your coreserver host name***
If get any HTTP error here, please check IIS log as well and get HTTP error code at the end of log item,as following,
2010-01-18 22:36:08 W3SVC1 192.168.100.32 POST /landesk/managementsuite/core/core.secure/LDRemoteManageAccount.asmx - 80 - 192.168.100.32Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.42) 401 5 0
IIS log path: Core
\WINDOWS\system32\LogFiles\W3SVC1
B. HTTP Error code and resolutions
If access LDRemoteManageAccount.asmx failed,please go IIS manager-Default web site-Default web site-landesk-managementsuite-core-core.secure
HTTP 401 5 0
- Right click core.secure and properties,Directory Security tab, Authentication and access control, ensure only 'Integrated Windows authentication' was checked.
HTTP 500 0 0
A. Right click core.secure and properties,Virtual directory tab, confirm the setting like this screen shot,
B. Right click core.secure and Permissions, the default permission should be assigned as following,
Full Control: Administrators,LANDesk Management Suite,SYSTEM
Read&Execute/List Folder Contents/Read: ASPNET,NETWORK SERVICE
C. Identity setting for Application pools - LDAppmain, default identity should be NETWORK SERVICE, change it to LOCAL SYSTEM for test purpose.
Run IISRESET and try again,
Note: This should be used only for testing, Microsoft recommends that AppPools run as Network Service. If this resolves the issue, it usually signifies that the Network Service does not have proper rights to objects in IIS, can be either NTFS or IIS permissions.
3- Client
If console.exe.log have no error and only log message like "call webservice to get local account information", LDRemoteManageAccount.asmx also can be opened successful, it might caused by network traffic blocking or client side issue.
A. Confirm CBA service can be access from core, the binocular icon display correctly in console network view. if not, check following,
- LANDesk Management Agent service is started,TCP&UDP 9595 is listening on client.
- Browse http://<client_name/IP>:9595 from core can open web page correctly.if not, check client firewall and network security setting to see any policy block the traffic.
B. Check following log for client side issue.
Log path: Client
C:\Program Files\LANDesk\Shared Files\residentagent.log
C:\Program Files\LANDesk\Shared Files\Servciehost.log
C:\Program Files\LANDesk\LDClient\localaccount.exe.log
***Attachment LocalUser_client_log.txt is a success log on client***
How user accounts can get locked out when using LANDesk Management Suite.
Service Accounts used by LANDesk
There are many places that user credentials can be stored in the LANDesk Management Suite. If the password is changed on the user account and static credentials with the old password are used it will lock out the account when the lockout threshold has been passed.
Here are some possible locations to check when an account gets locked out:
1) Services
a) Open the console on the core server.
b) Configure - Services - Scheduler - Change Login
c) Verify the accounts in the service login as well as the alternate credentials.
2) Other services
a) Run "services.msc" on the core server.
b) Look at the "Log On As" column for services to see if any are running under a user account.
3) COM+ applications on the core
a) Start - Programs - Administrative Tools - Component Services.
b) Component Services - Computers - My Computer - COM+ Applications.
c) For both LANDesk and LANDesk1, right click, Properties - Identity.
d) Verify the credentials for both COM+ applications.
4) Preferred servers
a) Open the console on the core server.
b) Configure - Preferred server.
c) Edit each server and verify the credentials being used.
5) Directory Manager
9.5
a) Tools - Distribution - Directory Manager.
b) Remove any configured LDAP directories.
9.6 (This is similar to step 6)
a) Configure - Manage active directory sources
b) Remove any configured LDAP directories and readd them or just edit the username / password
6) Users Active Directory
9.5
a) Tools - Administration - Users.
b) Click on the "Login to Active Directory" icon.
c) Even if you are logging in to Active Directory it will not display here. (You can see if you are by looking in the ActiveDirectory table in the LDMS database).
d) Enter a good user account that has access to Active Directory. This will overwrite the existing credentials in the ActiveDirectory table (as you can only specify one account for this).
9.6, 2016
a) Configure - Manage active directory sources
b) Remove any configured LDAP directories and readd them or just edit the username / password
c) Even if you are logging in to Active Directory it will not display here. (You can see if you are by looking in the ActiveDirectory table in the LDMS database).
d) Enter a good user account that has access to Active Directory. This will overwrite the existing credentials in the ActiveDirectory table (as you can only specify one account for this).
7) Mapped Drives
Check for any mapped drives on the core server or console machine (if using a console). Disconnect all mapped drives.
8) Security and Patch Downloads-
9.5
a) Tools - Security - Security and Patch Manager.
b) Click on the Download updates icon.
c) Verify any credentials on the Proxy Settings and Patch Location tabs.
9.6, 2016
a) Tools - Security and Compliance - Patch and Compliance
b) Click on the Download updates icon. (yellow diamond with a down arrow)
c) Verify any credentials on the Proxy Settings and Patch Location tabs.
9) Scan and Repair Settings
9.5
a) Tools - Security - Security and Patch Manager.
b) "Configure settings" icon - Scan and Repair Settings
c) Edit settings, check for credentials on the MSI tab.
9.6, 2016
a) Tools - Configuration - Agent Settings - All agent settings - Distribution and Patch
b) All listed items are Scan and Repair Settings (There could be many)
c) Edit settings, check for credentials on the MSI tab
10) OSD Scripts & OS Provisioning
It can be difficult to sort through all of the OSD scripts, especially if you have many. To make this easier, simply do a Windows search for any files in the LANDesk\ManagementSuite directory (and all subdirectories) that contain the text of the username that is getting locked out. The OSD scripts are stored in the LANDesk\ManagementSuite\scripts directory.
a) for OS provisioning templates - each template has multiple actions, and many of these actions can have cached credentials. Unfortunately there is not an easy way to search all template actions for cached credentials.
b) Wherever possible, you should use a Public Variable to represent usernames and passwords. If the username or password needs to be changed, you can change it once under Public Variables instead of changing each action of each provisioning template.
11) Core Server Activation
a) Start - All Programs (or Programs) - LANDesk - Core Server Activation
b) Click the "Proxy" tab.
c) Clear all the text boxes, then un-check the "Require Login" and then "Use Proxy Server" (Note that un-checking the "Use Proxy Server" first will result in the credentials still being cached).
12) Software Distribution Packages
a) Tools - Distribution - Distribution Packages
b) For each package, go to Properties - Accounts. By default Local System is the account used, but it is possible to cache credentials here. Remove or replace any outdated cached credentials.
13) Patch and Compliance
a) Tools - Security- Patch and Compliance
b) Click the "Download updates" button. If a Proxy is used, ensure the credentials listed are correct. Go to Patch Location. If your patch folder has been moved from the default location there may be cached credentials here as well.
14) Core server settings on Mobility Management
a) Tools - Mobility - Mobile device management
b) Verify any credentials on the LDMS Core Server part of the settings
15) Inventory Settings
a) Tools - Configuration - Agent Settings - All agent settings - Inventory settings - Click on the settings - Software Usage Monitoring
b) Verify any credentials here.
16) Disable Data Analytics
a) If data analytics is enabled, disabling may be a viable troubleshooting step to eliminate a cause