3 Replies Latest reply on Feb 27, 2013 12:32 PM by Lawrence Garvin

    Default Credential Rings always used


      I'm new to PM and I have read through the documentation.  We are currently in the process of setting up PM for ourselves and our customers.  In our environment we have many different domains to manage WSUS servers for.  With this said I am trying to utilize credential rings to manage credentials for each domain we manage.  I'm running accross a problem that appears that no matter what I do to assign a credential ring to a management group, when accessing resources in that management group, PM always wants to use the default credential ring to access those resources.  If I add all the credential of the many domains we manage in the default credential ring and assign the resources appropriately inside that credential ring, I'm able to access the resources succesfully.  However once I create a new credential ring, and configure appropriately for the domain that I want to use that ring on, it seems to never use it when accessing those resources in that management group.  In the Scope Management section I'm able to select various resources from different domains and clearly see that they are assigned the credential ring that I created for that management group.  Is there something else I'm missing?  I feel like I've missed something in the documentation and/or have completely mis-understood the purpose of credential rings.  I'd prefer to keep them more seperate that throwing all my credentials into one default ring.


      Any suggestions on resolving my problem would be greatly appreciated.





        • Re: Default Credential Rings always used
          Lawrence Garvin

          Credential Rings are not assigned to a Management Group, but rather to a User Profile (e.g. a console user). When Patch Manager is installed there is one User Profile created, the "Default User". That profile is assigned the <Default> Credential Ring. In the absence of any additional user profiles, ALL console users will be assigned to the "Default User" profile, and thus be assigned the <Default> Credential Ring.


          In effect, a Credential Ring is designed to identify which resources that a given console user is authorized to access/manage, by virtue of possessing a credential with permissions to that resource.


          If the console user is a member of the Enterprise Administators security role, then they can change their assigned Credential Ring in their own User Profile at will. In this way you can define multiple credential rings, one for each domain, and the console user can select the necessary Credential Ring to use while working within that domain.


          Otherwise, the conventional practice would be the one you have already observed as successful -- a single Credential Ring is populated with all of the needed credentials for the several domains and systems. Patch Manager will match the appropriate credential to be used based on the target's membership in domains/workgroups/orgUnits or hostname (where a Computer rule is used).

            • Re: Default Credential Rings always used

              While I understand your answer, the documetation leads me to believe differently.  However that's just my opinion.  It's also misleading that when you view scopes in the console, it shows specific credential rings associated with resources for that domain and resources managed by a particular managment group, yet since I only have one user profile(default) it never uses them when running tasks against those resources.  This would lead me to believe that when any tasks are being run on resources covered by that scope it will use the credential ring associated with it.  But this isn't true unless you are signing in as a user who has that credential ring associated with it.


              Thanks for the response, it definately helped me to understand this feature more.

                • Re: Default Credential Rings always used
                  Lawrence Garvin

                  We're very interested in your opinions and how the documentation has impacted your understanding. If we need to improve the documentation, we definitely want to do so.


                  As for viewing "Scopes" in the console, if you could post an image (or email me a screenshot) of what you're looking at, that would help. I'm not aware of any place in the console where Credential Rings are associated with Management Groups, because there is, in fact, no association between the two at all.


                  Credentials are associated with Resources, because it's the membership in a resource (i.e. domain, workgroup, orgUnit) that is used to identify which credential (among a collection of credentials in a Credential Ring) are to be used to authenticate with any given target system. Since you only have one User Profile (the "Default User"), then you, de facto, only have one Credential Ring that will ever be active at any given time -- whatever Credential Ring is currently assigned to that "Default User" profile (which is the <Default> Credential Ring at installation).


                  Let's take a walk through the logic flow. A user logs onto a console session. If that user has a defined User Profile for their logon, then they'll be managed by the configuration of that User Profile; otherwise, the user's console session is managed by the "Default User" profile. A Credential Ring is assigned to a User Profile; ergo, only one Credential Ring can be active for any given console user at any time -- whichever Credential Ring is assigned in the effective User Profile for that console user. The Credential Ring contains one or more Credentials, which are used to allow that console user to impersonate the identity of an authorized administrative user. Credentials are mapped to one or more Resource rule (Domain, Workgroup, OrgUnit, Computer, WSUS Server). When a connection is initiated to a target system, the application processes the collection of resources rules in the active Credential Ring to determine which Credential to use to authenticate the WMI connection to that system. Resource rules are matched from most specific to least, in general one of these pathways:

                  • Computer -> OrgUnit -> Domain -> Default
                  • Computer -> Workgroup -> Default
                  • WSUS Server -> Default

                  When a rule is matched, that credential is used to authenticate with the target system.