cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 11

NCM 7 User authentication mode requires credential change in server tool?

Hi

imagine you have to use user- instead of device authentication for devices in NCM,

e.g. because your company policy does only allow you to store passwords in Windows AD database and not in any other DBs.

I did some tests to achieve this requirement:

1. change device connectivity method to use user and device login credentials

2. change the login information for all devices from "Device" to "User"

3. in Orion Core, added a new user "test"

4. logged in to NCM application with "test" credentials

5. test login credentials for a device - telnet sniffer capture in background

---> What I see, NCM still uses the device login information defined under global macro settings...

6. Then I used "File" > "Change My Device Login Credentials" and again entered the credentials already used in Orion Core user creation.

---> Now finally NCM uses the user credentials instead of the device credentials.

So, is there really no way to use ONLY Orion Core credentials for NCM user authentication ?

As a conclusion if above is true, there is currently no way to use AD users from Orion Core in NCM without adding the AD password into the NCM database ?

(I assume the "Change My Device Login Credentials" writes the user credentials into the NCM database...)

Thanks in advance for any comments...

Herwig

Tags (3)
0 Kudos
8 Replies
MVP
MVP

We're trying to find a suitable resolution to the same problem. We want to be able to provide access to the device based on user credentials rather than a global administrative account (which would be required for config changes). Is there any way to link the user credential to an Orion/AD account without getting each individual user to log into NCM tool on the server and type their details in the "Change my device login credentials"?

Hi,

reply from our dev team:

NCM cannot automatically leverage AD credentials in order to login on device.  Each device require to enter password during login. AD security does not allow any application to automatically extract password AD. That is why user-level device login credentials needs to be entered manually by users and stored in NCM database.

Right now these credentials can be entered only from Win32 application, but we have plans to move them on web. However, this will be still something which needs to be manually entered by user.

Regards,

Jiri

Thanks Jiri. The AD security explains why it is not possible to link an AD account to the user credentials. The plan to have user credentials added to an Orion account via the website is welcome news.

Cheers

0 Kudos

I understand and that's a valuable argument- thank you.

The consequential question is how are passwords encrypted in the database...

I found no references in thwack or documentation, so I opened a case in the meantime.

Maybe you know this?

Regards,

Herwig

0 Kudos

Don't know off the top of my head.

Could you please post the result of the case? I think it would be redundant if I ask the same people the same thing...

Regards,

Jiri

0 Kudos

Now finally the case outcome - as stated above I asked how are passwords encrypted in NCM database.

Passwords for authentication against devices are stored either in following cases:

1. "File" > "Change My Device Login Credentials" if you use User Mode device authentication

2. Credentials entered under Settings > Global Macro Settings > Login Information

Therefore, it will store those in the NCM database as part of the nodes table using DES Algorythm with a 56 bit key encryption.

Cheers

Thanks, Herwig.

Jiri

0 Kudos

Sure, not problem - I am working on it and post results here...

Cheers

0 Kudos