Imagine you have to use user- instead of device authentication for devices in NCM,
e.g. because your company policy only allows you to store passwords in the Windows AD database and not in any other DBs.
I did some tests to achieve this requirement:
1. change device connectivity method to use user and device login credentials
2. change the login information for all devices from "Device" to "User"
3. in Orion Core, added a new user "test"
4. logged in to NCM application with "test" credentials
5. test login credentials for a device - telnet sniffer capture in background
---> What I see, NCM still uses the device login information defined under global macro settings...
6. Then I used "File" > "Change My Device Login Credentials" and again entered the credentials already used in Orion Core user creation.
---> Now finally NCM uses the user credentials instead of the device credentials.
So, is there really no way to use ONLY Orion Core credentials for NCM user authentication?
As a conclusion, if the above is true, there is currently no way to use AD users from Orion Core in NCM without adding the AD password into the NCM database?
(I assume the "Change My Device Login Credentials" writes the user credentials into the NCM database...)
Thanks in advance for any comments...
We're trying to find a suitable resolution to the same problem. We want to be able to provide access to the device based on user credentials rather than a global administrative account (which would be required for config changes). Is there any way to link the user credential to an Orion/AD account without getting each individual user to log into NCM tool on the server and type their details in the "Change my device login credentials"?
Reply from our dev team:
NCM cannot automatically leverage AD credentials in order to log in on a device. Each device requires a password to be entered during login. AD security does not allow any application to automatically extract a password from AD. That is why user-level device login credentials need to be entered manually by users and stored in the NCM database.
Right now these credentials can be entered only from the Win32 application, but we have plans to move them to the web. However, this will still be something which needs to be manually entered by the user.
Thanks Jiri. The AD security explains why it is not possible to link an AD account to the user credentials. The plan to have user credentials added to an Orion account via the website is welcome news.
I understand and that's a valuable argument - thank you.
The consequential question is how are passwords encrypted in the database...
I found no references in thwack or documentation, so I opened a case in the meantime.
Maybe you know this?
Don't know off the top of my head.
Could you please post the result of the case? I think it would be redundant if I ask the same people the same thing...
Now finally the case outcome - as stated above, I asked how passwords are encrypted in the NCM database.
Passwords for authentication against devices are stored in either of the following cases:
1. "File" > "Change My Device Login Credentials" if you use User Mode device authentication
2. Credentials entered under Settings > Global Macro Settings > Login Information
Therefore, it will store those in the NCM database as part of the nodes table using the DES algorithm with 56-bit key encryption.