Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 8549 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Specified Credentials Are Invalid during Protect Computer Wizard (Ent Console)

jrh
Hi all. New Sophos Enterprise installation. The software has successfully been installed and the user accounts created per the documentation. At this point I'm in the policy testing phase: Started the Protect Computer Wizard and it works fine up to the point where it asks for credentials to use to install the software. At this point when I attempt to enter ad\sophosupdatemgr & it's password, I receive the error: The specified credentials are invalid. -SophosUpdateMgr exists as a AD & local account. Password has been verified -I can login to the server using the SophosUpdateMgr account -I can get past the screen by using my personal credentials (I'm part of the administrators group) -If I use another AD account that is not part of the administrators group I can move forward -SophosUpdateMgr has read permissions to the share drive as well At this point I can't find out WHAT I missed to give SophosUpdateMgr the correct permissions. Is there a group I need to add somewhere? I'm sure this is something simple that I'm just overlooking, but I'd really appreciate any help folks can give me. Thanks Jon
:40213


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    In a SEC install there are 2 "service" accounts as detailed here:

    http://www.sophos.com/en-us/support/knowledgebase/113954.aspx

    One is for the services of the management server and database access ,e.g. SophosManagement.

    The other is for the clients to update from the SophosUpdate share.  This one is for example: SophosUpdateMgr.

    SophosUpdateMgr is added to the default updating policy so that when the clients get the policy they can read from the share.

    Both of the above accounts aren't required to be administrative.

    Then there are the accounts you use SEC as. When you run the protet wizard, this is essentially for creating remote scheduled tasks on the clients you are deploying to.  This account requires to be able to logon to the Sophos Management Server and also to be an administrator on the target clients.  For this reason, typically you would use an account that is a domain admin, as when you add computers to a domain, the domain administrators group is added to the local administrators group on the client.

    So in a domain, the deployment account would typically be in the format [domain]\[account], where the account is a member of the domain admins group or an account which has administrative rights on the target client.  

    Regards,

    Jak

    :40215
Reply
  • 0

    Hi,

    In a SEC install there are 2 "service" accounts as detailed here:

    http://www.sophos.com/en-us/support/knowledgebase/113954.aspx

    One is for the services of the management server and database access ,e.g. SophosManagement.

    The other is for the clients to update from the SophosUpdate share.  This one is for example: SophosUpdateMgr.

    SophosUpdateMgr is added to the default updating policy so that when the clients get the policy they can read from the share.

    Both of the above accounts aren't required to be administrative.

    Then there are the accounts you use SEC as. When you run the protet wizard, this is essentially for creating remote scheduled tasks on the clients you are deploying to.  This account requires to be able to logon to the Sophos Management Server and also to be an administrator on the target clients.  For this reason, typically you would use an account that is a domain admin, as when you add computers to a domain, the domain administrators group is added to the local administrators group on the client.

    So in a domain, the deployment account would typically be in the format [domain]\[account], where the account is a member of the domain admins group or an account which has administrative rights on the target client.  

    Regards,

    Jak

    :40215
Children
No Data