Tool: OpsMgr 2007 R2 – What to do with Secure Reference Override Alert?


This post covers an advanced authoring scenario that combines the security features of OpsMgr 2007 with workflows, and explains how to troubleshoot the alerts that may be raised at the end of that process. Using a simple example, I present a tool I developed to help resolve ambiguous or unclear obstacles that may surface in this scenario.


 


I’m not going to discuss why; let’s just say I need to create my own Run As profile. This profile is then populated with a custom Run As account that I also created. These steps need to be done manually.


·         Open the OpsMgr console


·         Navigate to “Administration”, then “Run As Configuration”


·         Create a “Windows Credentials” account (do not distribute it to any computer)


RunAs account


·         Create a new profile and associate it with the previously created account.




RunAs profiles


account in profile 


Note that this post does not aim to explain the internals of the association between profile and account, nor the details of account distribution; there are (or will be) official guides available for that.


Let’s also assume a simple rule that generates an alert when event 123 is raised in the Application log by EventCreate. When the created profile is used with this rule while the Run As account has not been distributed to the computer where the target instance is monitored, event 1108 is raised during configuration load, and the workflow for this profile is not loaded until the issue is corrected.


·         Open the OpsMgr authoring console


·         Create an NT event based rule and use this profile with the Event data source module.


Because we are using an unsealed MP, this rule must be created in the same file as the initially created profile.



Profile in module 



event 1108 


Event 1108 is picked up by the OpsMgr MP, and an alert is raised to notify that distribution was not set when the Run As account was associated with the Run As profile.


Dialogs and wizards were redesigned in this milestone to notify about the need to distribute during creation!


Unfortunately, this new alert may in some cases contain somewhat cryptic information, which increases the TCO of investigating it. If the alert is closed without investigating the root cause, it will appear again either 24 hours after its original creation or when the health service is restarted.



console task integration 


To simplify investigation of the affected Run As profile (which would otherwise require querying the DB), I created an SDK tool and integrated it with the product as a “console task”. When executed, the tool retrieves all alerts related to Run As profiles and provides user-friendly information about the affected Run As profile (as long as it is present in the DB).


 


Another alert that the tool can help investigate is based on event 1107; it can be simulated by importing the attached MP.
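
To see which agents are logging events 1107 and 1108 and how often they recur, the events can also be read directly from the agents. The following PowerShell script is an added example, not the helper tool or any code from this post; it assumes the events are written to the “Operations Manager” event log and that this log can be read remotely on the computers passed in.

```powershell
# Added example, not the helper tool from this post.
# Assumptions: events 1107/1108 are written to the "Operations Manager" event log
# on each agent; the computer names passed in are the reader's own.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Operations Manager'          # assumed log name
    Id        = 1107, 1108                    # event IDs named in the post
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No matching events" is the healthy case; anything else means the log could not be read.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Collect whatever the description puts in double quotes (profile or override names)
        # without depending on the exact wording of the event text.
        $quoted = [regex]::Matches([string]$e.Message, '"([^"]+)"') |
            ForEach-Object { $_.Groups[1].Value }
        New-Object PSObject -Property @{
            Computer = $computer; EventId = $e.Id
            TimeCreated = $e.TimeCreated; Names = ($quoted -join '; ')
        }
    }
}

# One row per computer / event ID / name set, with how often and when it was logged.
$hits | Group-Object Computer, EventId, Names | ForEach-Object {
    $times = @($_.Group | Sort-Object TimeCreated)
    New-Object PSObject -Property @{
        Computer = $times[0].Computer; EventId = $times[0].EventId
        Names = $times[0].Names;       Count = $_.Count
        First = $times[0].TimeCreated; Last = $times[-1].TimeCreated
    }
} | Sort-Object Computer, EventId |
    Format-Table Computer, EventId, Count, First, Last, Names -AutoSize
```

A row whose count keeps growing across configuration loads or health service restarts points at a profile whose account is still not distributed to that computer.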


 


DISCLAIMER:


Please evaluate in your test environment first! As expected, this solution is provided AS-IS, with no warranties and confers no rights. Use is subject to the terms specified at Microsoft. Future versions of this tool may be created based on time and requests.


 


x86 installation package


x64 installation package

Microsoft.SystemCenter.Runtime.RunAs.xml

Comments (3)

  1. bakinnan says:

    I am unable to install the tool on a Windows Server 2008 SP2 x64 box.

    Here is part of the verbose log that the program spit out:

    MSI (c) (90:50) [08:52:45:105]: Note: 1: 1708

    MSI (c) (90:50) [08:52:45:105]: Note: 1: 2262 2: Error 3: -2147287038

    MSI (c) (90:50) [08:52:45:105]: Note: 1: 2262 2: Error 3: -2147287038

    MSI (c) (90:50) [08:52:45:105]: Product: System Center Operations Manager 2007 Secure Reference Helper Tool — Installation failed.

    MSI (c) (90:50) [08:52:45:105]: Windows Installer installed the product. Product Name: System Center Operations Manager 2007 Secure Reference Helper Tool. Product Version: 6.0.7043. Product Language: 1033. Installation success or error status: 1603.

    MSI (c) (90:50) [08:52:45:105]: Grabbed execution mutex.

    MSI (c) (90:50) [08:52:45:105]: Cleaning up uninstalled install packages, if any exist

    MSI (c) (90:50) [08:52:45:121]: MainEngineThread is returning 1603

  2. MSutara says:

    You need to be OpsMgr admin when installing. I think I also compiled with .NET 3.5, so you may need to have that as well.