Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Server and Reporter Services Report "Invalid Username or Password" After Restart

App Control: Server and Reporter Services Report "Invalid Username or Password" After Restart

Environment

  • App Control Server: All Supported Versions
  • Windows Server: All Supported Versions

Symptoms

  • App Control Server works after install, but quits after a restart. 
  • App Control Server & Reporter services are unable to start, referencing a "Access Denied" or "Invalid Username or Password"
  • DefaultAppPool in IIS will stop every time you try to visit the site. 
  • Local Security Policy after reboot doesn't show the Carbon Black Service Account listed. 

Cause

For the Service Account to run both IIS and the Server & Reporter services, it needs to be part of two Local Security Policies:
  • Log on as Batch Job
  • Log on as Service
If your GPO has anything configured for these, it will overwrite any local setting, preventing the Service Account from properly running IIS and the required services.

Resolution

Two main options exist. Either updating the Group Policy Object to include the user you need to push. Or turn off the pushing of this item in your Group Policy Object. 

Update GPO:
  1. If you need these settings to be controlled by GPO, then you should add the user account used by the service to be pushed. 
  2. Open your domain controller and edit the Group Policy Object that's pushing the two items, Log on as Batch Job and Log on as Service. 
  3. Navigate to these items under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  4. Hit the Add User or Group button and add the service account. Note that only a domain account can be added, local users cannot be added. 
  5. If the service account you're using is local only, a domain account would need to be created. 

Turn off this GPO Setting:
  1. If the Log on as Service and Log on as Batch Job are being pushed by GPO, but you don't actually need this, they can be disabled. 
  2. Edit the GPO policy that's pushing these settings. 
  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  4. Edit the Log on as Service, and Log on as Batch Job and uncheck the "Define these policy settings" checkbox. 
  5. On the Cb Protection Server open the Local Security Policy under Administrative Tools
  6. Manually add the user account to those Log on rolls under Local Policies > User Rights Assignment 

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-15-2018
Views:
421
Contributors