Enabling Agents to Connect Locally on Windows
When a WMI agent connects to the same machine it is running on (that is, localhost) using credentials that explicitly specify a user other than the currently logged on user, you must make certain registry changes to allow the required COM services to run.
Releasing a Locked MySQL Process
The Agent Manager uses the wmiprvse.exe process to make use of WMI for remote Windows® monitoring. However, in some situations, this process can lock the MySQL process, mysqld.exe, preventing it from being uninstalled, deleted, moved, or updated.
Generating a Configuration File Required for WinRM Negotiate Authentication
WinRM connections using the default Negotiate authentication require a copy of the krb5.config file. On Windows®, the Agent Manager attempts to auto-generate this file and places it under <fglam_home>/state/default/config/krb5.config. Under some circumstances, the Agent Manager is unable to auto-generate the file on Windows, in which case the file needs to be created. On UNIX® systems, the file is never auto-generated and must always be provided.
If the file needs to be created, the format of the krb5.config file for the WinRM Negotiate authentication is as follows:
<dns_suffix_upper_case> = {
kdc = <DNS_Server_for_dns_suffix_upper_case>
.<dns_suffix_lower_case> = <dns_suffix_upper_case>
The values dns_suffix_upper_case, dns_suffix_lower_case, and DNS_Server_for_dns_suffix_upper_case must be replaced with their actual values.
The [domain_realm] section in the file maps the domain of the host being connected to, to a realm.
The [realm] section provides the kdc (key distribution center) server to use for Kerberos authentication with a specific realm. This is generally the DNS server for the relevant domain.
The default_realm value in the libdefaults section is the realm mapping to use when the domain of the host cannot be matched to a realm.
For example, for connecting to hosts on the sample.domain.com domain with the dnsserver.sample.domain.com DNS Server, the contents of the krb5.config file should be as follows:
When connecting to host1.sample.domain.com, host1’s domain is mapped to the SAMPLE.DOMAIN.COM realm, which maps to the DNSSERVER.SAMPLE.DOMAIN.COM kdc to use for Kerberos authentication.
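The realm lookup described above can be checked before the file is handed to the Agent Manager. The following Python code is an added example, not part of the Agent Manager or its documentation: it renders a krb5.config for one DNS suffix, parses it back, and resolves a host to its realm and kdc, falling back to default_realm when no domain matches. The function names are hypothetical, and the section headers ([libdefaults], [realms], [domain_realm]) follow standard krb5 configuration syntax, which is an assumption about what the Agent Manager expects.

```python
# Added example (not Agent Manager code); names are hypothetical, headers assume standard krb5 syntax.
def render_krb5_config(dns_suffix, kdc_host):
    """Return krb5.config text for one DNS suffix and its kdc."""
    realm = dns_suffix.upper()
    return (
        "[libdefaults]\n"
        f"default_realm = {realm}\n"
        "[realms]\n"
        f"{realm} = {{\n"
        f"kdc = {kdc_host.upper()}\n"  # upper case, as in the page's sample
        "}\n"
        "[domain_realm]\n"
        f".{dns_suffix.lower()} = {realm}\n"
    )

def parse_krb5_config(text):
    """Parse sections, key = value pairs and one level of { } blocks."""
    config, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = config.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return config

def resolve_kdc(config, fqdn):
    """Return (realm, kdc): longest [domain_realm] match, else default_realm."""
    host = fqdn.lower()
    mapping = {k.lower(): v for k, v in config.get("domain_realm", {}).items()}
    # A ".suffix" entry matches a whole domain; a bare name matches one host.
    matches = [k for k in mapping
               if (host.endswith(k) if k.startswith(".") else host == k)]
    realm = (mapping[max(matches, key=len)] if matches
             else config["libdefaults"]["default_realm"])
    kdc = config.get("realms", {}).get(realm, {}).get("kdc")
    if kdc is None:
        raise LookupError(f"no kdc configured for realm {realm}")
    return realm, kdc
```

Calling resolve_kdc(parse_krb5_config(text), "host1.sample.domain.com") on text rendered for sample.domain.com returns the SAMPLE.DOMAIN.COM realm and its kdc; a realm with no kdc entry raises LookupError instead of silently returning nothing.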
After the krb5.config file is created, the absolute path to it should be provided in the <config:krb5-config-file> tag value of the <fglam_home>/state/default/config/fglam-config.xml file, so that it can be accessed by the Agent Manager. Any changes to the fglam-config.xml file require the Agent Manager to be restarted in order for those changes to take effect. Therefore, if the Agent Manager is running while you are making these changes, you must restart it.
Configuring Windows Remote Management (WinRM)
The Agent Manager supports Basic and Negotiate WinRM authentication schemes with Windows credentials. The Negotiate authentication scheme is enabled by default in WinRM and is the recommended way to authenticate in most environments.
The Basic authentication scheme requires local Administrator accounts; you cannot use domain accounts. For more information, see Promoting remote users to administrators on local machines through the Domain Controller. Basic authentication is insecure because it transmits user names and passwords in an easily decoded string, and therefore it should not be used on an untrusted network. If basic authentication is required, and security is a concern, configure the target system to accept only HTTPS traffic. For more information, see Manually configuring WinRM HTTPS access.