SPN configuration possible for BFI or SCA?

On BigFix Platform for Windows I can configure a SPN for the AD computer object if BigFix services run as system or add an SPN to the AD user if services run as a service account.

This enables Kerberos and single sign on.
More importantly, it would reduce the # of service accounts I maintain by at least 2 and eliminate the issue I have where if someone puts in a wrong user/password to login, it locks my service account :smiley:

Something like this:
setspn -U -S iem/SERVERNAME DOMAIN\ServiceAccount
setspn -U -S iem/SERVERNAME.domain.com DOMAIN\ServiceAccount

So my question… Inventory or Compliance, is it possible to do something similar?

I put in a ticket with support, and they say no… Search and AI (Copilot/Claude) is also not sure…. But since the AD config in Inventory/Compliance offers anonymous binding, I have to believe it may be possible. My current theory is to use "http" as the service ClassName instead of "iem" for the SPN. So thought I would ask here if any BigFixer may know.

I don’t have domain admin rights to test at work so a bit hard to test without a decent amount of effort.
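The check a practitioner wants before running the setspn lines above is whether either SPN is already registered somewhere in the forest, because a duplicate SPN (the same name on two principals) breaks Kerberos for both and is the usual reason a fresh registration silently falls back to NTLM. The following is an added example and not part of the original post; the account name DOMAIN\svc_bigfix and the host bes01 / bes01.example.com are assumed placeholders.

```powershell
# Added example (not from the original post). Assumed names: the
# service account DOMAIN\svc_bigfix and the server bes01 / bes01.example.com.
$account = 'DOMAIN\svc_bigfix'
$spns    = @('iem/bes01', 'iem/bes01.example.com')

foreach ($spn in $spns) {
    # setspn -Q searches the forest for an existing registration of this SPN.
    # Register only if nothing already owns the name.
    $query = & setspn -Q $spn 2>&1
    if ($query -match '^Existing SPN found!') {
        Write-Warning "$spn is already registered:`n$($query -join "`n")"
        continue
    }
    # -S re-checks for duplicates before adding; -U says the target is a user object.
    & setspn -U -S $spn $account
}

# Show what ended up on the account.
& setspn -L $account
```

Run this as a user with write access to the service account's servicePrincipalName attribute; the query step itself needs no special rights, so it can be used on its own to confirm the current state before raising the change.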

I'm not sure what the user's failed logins have to do with locking your service account? That might lock their own user account but should not affect your service?

I do not think the Compliance or Inventory interfaces support Kerberos authentication; if there's a single sign-in ability I think that's going to come from SAML configuration and your Identity Provider's features.

I experience the locking with our ILMT instance, so I assume Inventory will face the same issue. I ended up creating a dedicated AD account just for user auth, so if it does get locked, it doesn’t mess with our app services. That service account locks out when a user has ~3 bad attempts.
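Once a dedicated bind account exists, the operational question is spotting when it has been locked and from where, so the lockout can be traced back to the console rather than guessed at. The following is an added example, not code from the post or from HCL; the account name svc_ilmt_auth is an assumed placeholder, and it relies on the PDC emulator being where lockout events (4740) are recorded.

```powershell
# Added example. Assumed: a dedicated AD account svc_ilmt_auth used only for the
# console's directory bind, and the PDC emulator as the authoritative source of
# lockout events (Security log, event ID 4740).
Import-Module ActiveDirectory

$bindAccount = 'svc_ilmt_auth'
$pdc         = (Get-ADDomain).PDCEmulator

$user = Get-ADUser -Identity $bindAccount -Properties LockedOut, badPwdCount, lockoutTime
"{0}: LockedOut={1} badPwdCount={2}" -f $user.SamAccountName, $user.LockedOut, $user.badPwdCount

if ($user.LockedOut) {
    # 4740 properties: [0] TargetUserName, [1] TargetDomainName (the caller computer name)
    $events = Get-WinEvent -ComputerName $pdc `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $bindAccount }

    foreach ($e in $events) {
        "{0}  {1} locked from {2}" -f $e.TimeCreated, $bindAccount, $e.Properties[1].Value
    }

    # Unlock only after the source is known; otherwise the next bad bind relocks it.
    Unlock-ADAccount -Identity $bindAccount
}
```

Reading the Security log on the PDC emulator requires Event Log Readers membership or equivalent; if the caller computer in the 4740 event is the console host, the lockouts are coming from user logins through the product rather than from somewhere else on the network.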

As for Kerberos auth, this is likely the case but I did want to explore that a bit to really confirm. Longterm we will move to SAML but that will be a project in itself to tackle (mainly due to BES with REST API, etc).

@DerrickD, coincidentally enough, I just raised the need to set up end-to-end management functionality to make it easy to change certificates and accounts, and I am working with someone on HCL side to document all those ideas.

That said, specifically about accounts - there are three types:

  • Accounts used to run services - I raised the question if gMSA are supported (don’t think there is a reason why they shouldn’t be but obviously don’t want to just put them in and find out later something is unsupported and causing issues).
  • Accounts within Identity Providers/Directory configuration (I mean some may be unlocked but ours certainly aren’t) - irrespective of what you use for authentication, role-based access with AD is still going to be required, so there is no getting away from it. I enquired whether there are APIs for it - I can see potentially available in Platform, although documentation is not very clear, but as far as I can see nothing on BFI/Compliance side…
  • Accounts within Data Sources - as far as I can see, there is no APIs for any of those (MultiCloud, Insights, WebUI, etc)

I am hoping that at least the first group we can get rid of with gMSAs but for the latter two we will need to wait for APIs and those should at least allow folks to automate rotation but a long way from fully integrated tool with monitoring, alerts and even potentially safe integrations!
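For the first group, the provisioning and the host-side check are the same whatever product the service belongs to, and running them first answers the "is it even retrievable on this box" question before any product support question arises. The following is an added example and not code from the post or from HCL; the gMSA name gmsa_bes, the computer group BigFixServers, the DNS name bes01.example.com, the SPN and the service name BESRootServer are all assumed placeholders, and it requires the KDS root key to already exist in the forest.

```powershell
# Added example. Assumed names: gMSA gmsa_bes, AD group BigFixServers containing the
# server computer accounts, DNS name bes01.example.com, SPN iem/bes01.example.com,
# and the Windows service name BESRootServer. A KDS root key must already exist.
Import-Module ActiveDirectory

# Domain side: create the gMSA and say which hosts may retrieve its password.
New-ADServiceAccount -Name 'gmsa_bes' `
    -DNSHostName 'bes01.example.com' `
    -ServicePrincipalNames 'iem/bes01.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BigFixServers' `
    -ManagedPasswordIntervalInDays 30

# Host side (run on a member of BigFixServers after a reboot or kerberos ticket refresh):
Install-ADServiceAccount -Identity 'gmsa_bes'
if (-not (Test-ADServiceAccount -Identity 'gmsa_bes')) {
    throw 'Host cannot retrieve the managed password; check group membership and replication.'
}

# Bind the service to the gMSA. The password is left empty because AD rotates it;
# the trailing $ is part of the gMSA account name.
sc.exe config 'BESRootServer' obj= 'DOMAIN\gmsa_bes$' password= ''
```

Whether the product itself works correctly under a gMSA is the part the post says still has to be tested; the steps above only establish that the account is usable on the host, and the ManagedPasswordIntervalInDays value is where the rotation frequency Security asks for gets enforced without anyone touching the service.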

Good stuff.

I have some scripts for BES and some for ILMT that I’ll be updating soon for Inventory and Compliance to update username/passwords for services and configurations. I do plan to use GMSA where I can, but need to do some testing and navigate internal process to get those. I too for now am just going straight AD service accounts.

As for accounts with Data Sources, I have some of those automated. For example, we have over 20 vcenters in Cloud Plugin, but the only way HCL offers to do changes is through manual webUI. So I automated that by pulling data through Client Query, then processing, and submitting actions to make those changes… includes secret parameters as well to mask the password. I need to do the same now for WebUI itself as well, as it’s the one item I know is missing.

Don’t get me started on monitoring :smiley:


Yea, sounds like you are a lot further than where we are but it is a major headache cause Security are on the case and constantly trying to increase the frequency to rotate passwords & certificates, and it is getting ridiculous to be doing manually!