AppSense AM OnDemand authentication problem (Policy Change Request)

What’s the Policy Change Request feature?

On a recent project we decided to use a recent Application Manager feature: Policy Change Request. This feature grants temporary elevated (admin) rights on a specific executable or process. It’s useful if you want users to be able to temporarily perform elevated actions without granting them full local admin privileges, e.g. adjusting the time or installing a specific application.

This feature consists of two components:

  • A client interface which allows the user to request temporary elevated permissions for a specific process.


  • A web portal for your helpdesk (installed on your AppSense server) to allow these requests. This portal is reachable at http://<ServerName>/OnDemand. The portal has 2 roles: as an operator, you’ll only see the first tab, “Config Request”. Administrators also see the “Administration” tab. In this tab you configure access to the portal and your shared key, which needs to correspond with the key you set in your AM configuration.


Problem logging on to the console

At the customer where we evaluated this feature, we were unable to log on to the OnDemand portal. At first logon you need to use the same account you performed the installation (of the AppSense Application Manager Web Services) with. I got this logon prompt again every time:

[Screenshot: Windows Security logon prompt]

When I had a look at the configuration file (located at: “C:\Program Files\AppSense\Application Manager\Analysis Service\AMAnalysisServiceCore.dll.config”) and changed the “ON_DEMAND_AUTHENTICATION_TYPE” to Windows instead of Basic, I was able to log on.


The following topic on AppSense Exchange seems to address the same issue: https://forum.appsense-exchange.com/forums/showthread.php?172-Help-Desk-Portal-with-AM-8-8-Issue
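To see which authentication type a portal server is currently configured with, the setting can be read from the configuration file with PowerShell. This is an added example, not AppSense code or part of the original post; the function name Get-OnDemandAuthType is hypothetical, and the XML layout of the file is an assumption (one of the two standard .NET configuration layouts).

```powershell
# Added example, not AppSense code. Reports the OnDemand portal authentication type.
# Assumption: the setting uses one of the two standard .NET config layouts:
#   <add key="NAME" value="..." />   or   <setting name="NAME"><value>...</value></setting>
function Get-OnDemandAuthType {
    param([Parameter(Mandatory)][xml]$Config)

    $name = 'ON_DEMAND_AUTHENTICATION_TYPE'
    $node = $Config.SelectSingleNode("//*[@key='$name' or @name='$name']")
    if (-not $node) { return $null }

    # appSettings style keeps the value in an attribute, settings style in a child element
    $value = $node.GetAttribute('value')
    if (-not $value) {
        $child = $node.SelectSingleNode('value')
        if ($child) { $value = $child.InnerText }
    }
    return $value.Trim()
}

# Path as given in the post
$path = 'C:\Program Files\AppSense\Application Manager\Analysis Service\AMAnalysisServiceCore.dll.config'

if (Test-Path -LiteralPath $path) {
    $xml = [xml](Get-Content -LiteralPath $path -Raw)
} else {
    # Constructed sample (not a real AppSense file) so the script also runs off-server
    $xml = [xml]@'
<configuration>
  <appSettings>
    <add key="ON_DEMAND_AUTHENTICATION_TYPE" value="Basic" />
  </appSettings>
</configuration>
'@
}

$type = Get-OnDemandAuthType -Config $xml
if (-not $type) {
    Write-Warning 'ON_DEMAND_AUTHENTICATION_TYPE not found; the file layout differs from the assumed one.'
} elseif ($type -eq 'Basic') {
    # HTTP Basic sends credentials Base64-encoded, not encrypted; the portal URL in the post is http://
    Write-Warning 'Authentication type is Basic: serve the portal over HTTPS only, or use Windows.'
} else {
    "Authentication type: $type"
}
```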

High availability for the OnDemand portal

The two settings made in the OnDemand Administration section (the shared key and role access) are saved in a local SQLite file:

“C:\ProgramData\AppSense\Application Manager\Analysis Service\On Demand\HelpdeskDatabase.sqlite”

At this moment there’s no supported way to copy this file to another server, for instance if you want to load-balance the OnDemand portal. If you want to copy the file, you first need to force ownership and remove the Deny permission for “everyone”. After the file was replaced on a second server, the “AppSense Application Manager Web Services” service was unable to start.

You could, of course, repeat the configuration manually on all other portals. Depending on your environment, this might be sufficient.

A Feature Request has been created at AppSense support to research this.

 

2016-12-11T18:05:33+00:00 June 20th, 2016|
SecureLink
