Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 8547 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Specified Credentials Are Invalid during Protect Computer Wizard (Ent Console)

jrh
Hi all. New Sophos Enterprise installation. The software has successfully been installed and the user accounts created per the documentation. At this point I'm in the policy testing phase: Started the Protect Computer Wizard and it works fine up to the point where it asks for credentials to use to install the software. At this point when I attempt to enter ad\sophosupdatemgr & it's password, I receive the error: The specified credentials are invalid. -SophosUpdateMgr exists as a AD & local account. Password has been verified -I can login to the server using the SophosUpdateMgr account -I can get past the screen by using my personal credentials (I'm part of the administrators group) -If I use another AD account that is not part of the administrators group I can move forward -SophosUpdateMgr has read permissions to the share drive as well At this point I can't find out WHAT I missed to give SophosUpdateMgr the correct permissions. Is there a group I need to add somewhere? I'm sure this is something simple that I'm just overlooking, but I'd really appreciate any help folks can give me. Thanks Jon
:40213


This thread was automatically locked due to age.
  • 0

    Hi,

    In a SEC install there are 2 "service" accounts as detailed here:

    http://www.sophos.com/en-us/support/knowledgebase/113954.aspx

    One is for the services of the management server and database access ,e.g. SophosManagement.

    The other is for the clients to update from the SophosUpdate share.  This one is for example: SophosUpdateMgr.

    SophosUpdateMgr is added to the default updating policy so that when the clients get the policy they can read from the share.

    Both of the above accounts aren't required to be administrative.

    Then there are the accounts you use SEC as. When you run the protet wizard, this is essentially for creating remote scheduled tasks on the clients you are deploying to.  This account requires to be able to logon to the Sophos Management Server and also to be an administrator on the target clients.  For this reason, typically you would use an account that is a domain admin, as when you add computers to a domain, the domain administrators group is added to the local administrators group on the client.

    So in a domain, the deployment account would typically be in the format [domain]\[account], where the account is a member of the domain admins group or an account which has administrative rights on the target client.  

    Regards,

    Jak

    :40215
  • 0
    Thanks for the response. I'm still a bit confused, I think. In the Protect Wizard dialouge, the username/password is NOT for the SophosUpdateMgr account? It should be for an account that has administrative rights to the client/desktop computer (ie, DesktopTech or something)?
    :40217
  • 0

    That's correct, the SophosUpdateMgr account should really only have enough rights to read from the SophosUpdate share to allow the clients to update. The clients use this account in their policy to update, that is all.    

    The account you push installs to the clients needs full admin rights on the target computers and the ability to log on to the management server in order for the Sophos Management Service to impersonate the account to deploy.

    Regards,

    Jak

    :40219