Service Account password change

Hi, first-time user on BigFix, but we have it implemented in our environment. Currently our Server team is looking at changing the service account password which connects the BigFix server to other servers, so my question is, will this affect endpoint users? Do we need to change this password somewhere in the BigFix server as well? What does the end users admin account is used to communicate with a deployment? Sorry for all the questions, but my company does not have anyone who knows BigFix and I am in the learning process since I took over the server.

Thanks.

Passwords are not involved in client communication to the relays or root servers. That’s all certificate-based authentication where relay authentication is turned on.

Where we could have passwords involved is where the BigFix Server Services are configured to “Log On As” a user account instead of the default LocalSystem account. That’s usually the case if you are set up using a remote SQL server and are using “Windows Integrated Authentication” to SQL. If you change the account’s password, you’ll need to update it in the Windows Services applet as well and then restart the services.
If WebUI also uses the service account to connect to SQL, use the “Update WebUI Database Credentials” task in the BES Support site to update WebUI’s credentials too.

You might also be using a service account to authenticate LDAP users. In the BigFix Console, check the “Directory Servers” node and update the credential/password there if necessary.

Another place passwords can be involved is in the “Data Source” configurations of Inventory and Compliance, if you have those. Check each of those web apps; in the Data Source settings there are credentials for talking to the BigFix and Web Reports databases, as well as an Operator Account for talking to the BigFix Platform itself. Depending on what password you are changing, you may need to update the Data Source pages as well. Also check the Directory Servers page to see what credential you’re using to connect to LDAP servers.

Short version: be sure you know the local operator passwords for BigFix, Web Reports, Inventory, and Compliance, so that if you miss a password change you can still log in to fix them.

1 Like

Thanks for the quick reply! So to understand this correctly, and please excuse me if I sound a little off-track because I have not used BigFix before and it is a learning curve for me. When the server admins change the Service Account password associated with the BigFix server, we will need to check the SQL database authentication settings and update the service account password? Sorry, I just wanted to know so that we don’t have any issues doing fixlet and deployments of software applications.

Before you change the account’s password, figure out where it’s being used. Do you have Inventory? Compliance?

On the Root Server, check the Services applet to see if the account is being used for any of the BigFix Server services. If the account is used in the “Log On As” field here, you’ll need to open up each service and update the password when it changes:

In the Console, check your “LDAP Directories” node to see whether the account is being used there:

Also check your WebUI Server, though running under a different account is less common there:

Unfortunately, WebUI encrypts both the username and password used to connect to the BFEnterprise database. If you don’t know what account it is using, then after the password changes, restart the WebUI service and see whether it works. If it doesn’t start up correctly / cannot connect to the database, you can infer that it was also using this account and you need to update the WebUI database connection via the Task from the BES Support Site:

If you don’t know all the WebUI connection details, port number, etc. you can read that from the db_config.json file on the WebUI server - but the username and password are encrypted:

If you have Inventory and Compliance, there are a couple of places you may need to check/change the account. One is for their own database connections, the other is for their datasource connections to the BigFix Server/Database:
Inventory’s Database connection:

Inventory’s Data Source configuration:

Inventory’s connection to LDAP Servers:

Compliance:
(I’m afraid I have my Compliance server offline right now, can’t take screenshots, but it’s very similar to Inventory)

2 Likes
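
A scripted version of the Services-applet check described in the reply above, as an added example (not part of the original posts and not BigFix's own tooling). It lists every Windows service on the given hosts whose “Log On As” account matches the account being changed; the host list and account name are placeholders you supply.

```powershell
# Added example: find Windows services that "Log On As" a given account.
# Host names and the account name are placeholders, not values from this thread.
param(
    # Hosts to check, e.g. the root server, WebUI server, Inventory/Compliance server.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Account whose password is about to change, e.g. 'EXAMPLE\svc-placeholder'.
    [Parameter(Mandatory)][string]$Account
)

# Reduce 'DOMAIN\user', 'user@domain' and '.\user' to the bare user name.
# Note: this matches on user name only, so same-named accounts in different
# domains will both be reported; review the StartName column in the output.
function Get-BareName([string]$Name) {
    if (-not $Name) { return '' }
    ($Name -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
}

$target = Get-BareName $Account

$results = foreach ($computer in $ComputerName) {
    try {
        $cim = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
        # Only go over the network for hosts other than the local one.
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }
        Get-CimInstance @cim |
            Where-Object { (Get-BareName $_.StartName) -eq $target } |
            Select-Object @{n='Computer';e={$computer}}, Name, DisplayName, StartName, State
    } catch {
        # An unreachable host is reported, not silently treated as "no matches".
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { Write-Output "No services on the queried hosts log on as '$Account'." }
```

This covers only the “Log On As” field of Windows services. Credentials stored inside the Console's LDAP settings, WebUI's database connection, and the Inventory/Compliance Data Source pages still have to be checked in those applications.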

Thanks for the reply Jason, I’ve checked all the services running in the server, and every “log on as” has local System account. Under LDAP directories the Authentication is set to “Connect Anonymously”

So it looks like there really isn’t a service account associated to the deployment of fixlets?

Looks like it. Do you have Inventory or Compliance or anything else to check?

…if this is the case, then what is that account used for?

We actually don’t have inventory but I might need to check compliance. From my understanding the Service Account was created to deploy tasks and fixlets to servers, sort of a local admin account for servers (on the network).

Is there anywhere in BigFix server that stores a local admin account username and password? I’m trying to see if there is any way we can identify a credential stored somewhere that has a service account associated to it.

Once again, thanks for all your help though.