Installing BigFix With Remote Database and Windows Auth

We’ve recently rebuilt a new environment that we’ll be moving over to in the coming months and are installing BigFix to support the environment.

Our current setup has three different servers: a server with BigFix, a relay server, and a SQL Server.

Setup has been relatively easy so far, but we’re running into an issue with choosing a Remote Database and using Windows Authentication to communicate between the BigFix server and the SQL server.

My steps were as follows, all of which are being run as a domain admin.

SQL Server Setup:
-Set up SQL Server 2016 on server 3.
-Create AD account specifically to use for communication between BigFix and SQL servers.
-Verified this account has the same permissions, settings, etc as the SA account and is present in the SQL Server Management Studio
-Verified instances are running in the SQL Configuration Manager
-Verified Computer Browser service is also running

BigFix Server Setup:
-Ran through the initial BigFix setup on server 1.
-Set the license, received the license file and began actual installation of BigFix
-Start running through the installshield wizard for BigFix
-Choose Single or Master Database and then Use Remote Database
-For the Database Server, I put in the full name of server 3 (it won’t let me Browse to it)
-Choose Windows Authentication
-Start up the Computer Browser service

Now this is where it’s getting stuck.

image
(changed the account to domain\AD_user for security reasons for this pic)

image
Server not found. Verify that the specified server exists. The server name can not be empty.

Now, I know this domain server can be reached from the machine because I logged in with a few different domain accounts so far.

I checked what ports are open and such, and the standard ones are all set and open. The only thing I saw with tcping was that I couldn’t tcping server3 1433 (default sql port), but that might just be a firewall issue that I can deal with after this.

Nothing appears to be blocked on the software or hardware firewalls as far as I can tell.

I saw one other person had this issue on the forums, but there didn’t seem to be a resolution in the comments. I haven’t found too much out there with this setup where people have had issues. It seems like most people either do local database, or if they do a remote database, they use the SQL Authentication.

Any help would be great. Thanks!

I wouldn’t expect it to work until you get port 1433 open.

I’d try installing MS SQL Management Studio on the BES Server and make sure that it can connect to the server. That would provide easier troubleshooting than relying on the BES install wizard to troubleshoot SQL connectivity.
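A scripted version of the check suggested above, for servers where installing Management Studio is not practical. This is an added example, not part of the thread; the host name `server3.example.local` and the function name are placeholders, and it assumes it is run on the BigFix server while logged on as the account the BigFix services will use.

```powershell
# Added example (not from the thread). Tests TCP reachability first, then a
# Windows-authenticated login, so a firewall problem is not mistaken for an
# authentication problem.
function Test-SqlWindowsAuth {
    param(
        [string]$SqlHost = 'server3.example.local',  # placeholder FQDN of the SQL Server
        [int]$Port = 1433                            # default SQL Server port, as in the thread
    )

    # Step 1: plain TCP reachability, the same thing tcping checks.
    if (-not (Test-NetConnection -ComputerName $SqlHost -Port $Port -InformationLevel Quiet)) {
        Write-Warning "TCP $Port on $SqlHost is unreachable; fix the firewall or route first."
        return
    }

    # Step 2: log in with the current Windows identity (no user name or password is sent).
    $cs = "Server=tcp:$SqlHost,$Port;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # auth_scheme is KERBEROS, NTLM or SQL. Reading this view needs VIEW SERVER STATE.
        $cmd.CommandText = 'SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            # Which login SQL Server mapped us to, and how we authenticated.
            [pscustomobject]@{ Login = $r.GetString(0); AuthScheme = $r.GetString(1) }
        }
    }
    catch {
        # Login failures and network errors both surface here with the server's message.
        Write-Warning "Connection or login failed: $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}

Test-SqlWindowsAuth
```

An `AuthScheme` of NTLM rather than KERBEROS commonly means no SPN was found for the SQL Server service, which is worth knowing when the servers and the domain controller sit on different subnets.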

We opened port 1433 but still weren’t able to get Windows authentication to work. Due to the nature of this environment, this server is on a different subnet than the domain controller, so we suspect there might be something flukey with that and firewalls.

At any rate, we decided to just create a similar SA account so that we don’t have to rely on enabling the Computer Browser service. This has allowed me to continue on installation. Not a full solution to my original problem, but a good work around at least.

@uitouw - I suspect the root service could be switched to this logon as this account now and you would be able to use your domain account.

https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_using_nt_authentication_with_d.html

-Jgo

2 Likes

@jgo and @JasonWalker

I have implemented BigFix and ILMT using a remote database and used the Windows authentication method. It worked fine, but now I need to change the database user to a service account user. Will changing the BigFix and ILMT services to log on as the service account change the database user as well, or is there any need to make changes in the server.xml or database.yaml file separately?

You will be required to update the MSSQL DB config in the database.yaml for BFI/ILMT and the 64bit ODBC connection for the BFEnterprise & BESReporting databases on your root BES server.

Hello,

Below is the content of database.yaml file


production:
  host: dbservername
  database: temadb
  database_type: mssql
  windows_authenticated: true

On the IBM site, it says “install_dir/wlp/usr/servers/server1/config/database.yml
Copy the new encrypted password to the encrypted_password parameter.” but I do not see this parameter.

Could you please guide.

The database.yml file on my BigFix Inventory instance is located under {DISK}:\BigFix Enterprise\BES Inventory\wlp\usr\servers\server1\config and looks like:

production:
  host: HostNameHere
  database: DBNameHere
  username: Username
  database_type: mssql
  windows_authenticated: false
  encrypted_password: "{aes}EncryptedValueHere"

The reason you’re not seeing the encrypted_password option is because windows_authentication is set to TRUE.

Yes, exactly. So it means the password needs to change only in the case of SQL authentication?

I am currently using Windows authentication, but we need to change the user that my BigFix services and DB access are using to a service account; it will remain Windows authentication.

I have already added that service account in SQL management, so will that work by changing the services’ “log on as”?

Yes, I believe you’re correct that updating the service config with the new/updated service account details should result in the desired change.

1 Like

Thanks. Will let you know how it goes :)

1 Like

Apart from changing the user information in services, the permissions in the SQL server for the databases may also need to be changed (such as database owner, file ownership, etc.).

Review them in the SQL Server Management Studio first and then update them.

2 Likes
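The permission review recommended in the last post can also be scripted. This is an added example, not part of the thread: the server name and `DOMAIN\svc_bigfix` are placeholders, the database names are the ones mentioned earlier in the thread, and it assumes it is run by a DBA login that can read the server's metadata.

```powershell
# Added example (not from the thread). Lists what a Windows login can do on the
# SQL Server before the BigFix services are switched to run as that account.
$SqlHost   = 'server3.example.local'          # placeholder: SQL Server FQDN
$Login     = 'DOMAIN\svc_bigfix'              # placeholder: the new service account
$Databases = 'BFEnterprise', 'BESReporting'   # database names given in the thread

function Invoke-Query([string]$Database, [string]$Sql) {
    $cs = "Server=$SqlHost;Database=$Database;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        [void]$cmd.Parameters.AddWithValue('@login', $Login)   # parameterised, not concatenated
        $table = New-Object System.Data.DataTable
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
        $table.Rows
    }
    finally { $conn.Dispose() }
}

# Server-level roles: sysadmin here means the account is as powerful as SA.
$serverRoles = @'
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
'@

# Per-database: owner of the database, the user the login maps to, and its roles.
# No rows means the login has no user mapping of its own in that database.
$dbRoles = @'
SELECT DB_NAME() AS database_name, SUSER_SNAME(d.owner_sid) AS database_owner,
       u.name AS database_user, r.name AS database_role
FROM sys.databases AS d
JOIN sys.database_principals AS u ON u.sid = SUSER_SID(@login)
LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE d.database_id = DB_ID()
'@

Invoke-Query 'master' $serverRoles | Format-Table -AutoSize
foreach ($db in $Databases) { Invoke-Query $db $dbRoles | Format-Table -AutoSize }
```

Access granted through an AD group that has its own SQL login does not show up under the account's name, so group logins need the same review.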