Credentials when monitoring a remote windows service

Oct 24, 2012 at 4:52 AM

Hi Guys,

Just wondering if you can submit credentials to monitor remote services in a domain or workgroup environment?

 

Cheers,

Pete

Coordinator
Oct 24, 2012 at 10:42 AM

Hi Pete,

Unfortunately, this is not possible with the current build of ServiceMon but we could consider adding this in the future.

To learn about your requirements, and try and understand how this might work, would you want to be able to specify separate credentials for each operation, like this?

// hypothetical example to illustrate how credentials could be specified in ServiceMon in the future

windows-service-status "MyService", "remotemachineA" using-credentials "domainA\userA", "passwordA" must-equal "Running"

windows-service-status "MyService", "remotemachineB" using-credentials "domainB\userB", "passwordB" must-equal "Running"

Another option, which should work although I understand it may not be feasible in your situation, is to configure a trust relationship between the domain where ServiceMon runs and the domains you're monitoring. We use ServiceMon in this way to monitor services on our own domain and also on a remote network governed by a different domain controller. We have a trust relationship between the two and this allows us to monitor the service status of remote machines as if they were on the local domain.

Thanks
Stu
Oct 24, 2012 at 12:04 PM
Edited Oct 25, 2012 at 12:33 PM

Hi Stu,

Thanks for the prompt reply and the examples you have provided would work perfectly.

We have a number of edge servers not in any domain that would need individual service account creds set so in our case the trust wouldn't apply.

Great application. A really elegant solution.

Cheers,

Pete
 

 

Coordinator
Oct 24, 2012 at 2:30 PM

Thanks a lot for your feedback. I've now added workitem 1255 so you can track the progress of this issue. If I have time, I'll have a go at producing a prototype of this functionality this week. Would you be willing to test the prototype once it's ready?

Thanks

Stu

Oct 24, 2012 at 9:58 PM
Edited Oct 25, 2012 at 12:33 PM

Would be happy to test it for you

Cheers,

Pete

Coordinator
Oct 25, 2012 at 8:47 AM
Edited Oct 25, 2012 at 8:48 AM

Hi Pete,

I'm added a proof-of-concept of impersonation support to build 1.2.0.54

If you wouldn't mind, could you please install this version and let me know what you think.

The impersonation support is specific to an individual operation in the script as we discussed, and impersonation is optional, so your existing scripts should work without needing any changes.

This is how it is used:

windows-service-status "Spooler", "server1" as "domain\user", "password" must-equal "Running"

If you don't want to use impersonation, you can omit the credentials and the currently logged in Windows user is used as previously:

windows-service-status "Spooler", "server1" must-equal "Running"

I haven't settled on the name of the keyword used to specify impersonation. I'm currently using the word as but I'm considering changing this to runas or using. The word must be short, so it's quick to type, and should read almost like English. It needs to be a word unlikely to be used as an operation name. Which word makes most sense to you?

Please let me know if you find any issues you encounter or have any suggestions for improvement.

Thank you

Stu

Oct 25, 2012 at 11:20 AM
Edited Oct 25, 2012 at 12:34 PM

Hi Stu,

I'll test out the new build asap and get back to you.

Cheers,

Pete

Oct 26, 2012 at 6:14 AM

Hi Stu,

I've tested the update and it allowed me to query some services for example spooler etc however other services such as exchange services gave the following error

2012-10-26 08:01:05.431 Cannot open Service Control Manager on computer '[IP ADDRESS]'. This operation might require other privileges. Queries the status of the 'MSExchangeTransport' service on [IP ADDRESS] and expect equal to 'Running' (running as [DOMAIN\USERNAME])

Just to confirm - I could successfully query the spooler service on one server yet couldn't query an exchange service on that same server.

 

I didn't have a great deal of time to troubleshoot but i'll have more of a look and post some further results

 

Cheers,

 

Pete

Oct 26, 2012 at 6:16 AM

Also in regards to the keyword preceeding credentials I think "runas" would be the correct choice as in my experience it seems to be the industry standard for command line utilities (at least in microsofts product lines)

 

Cheers, 

Pete

Coordinator
Oct 29, 2012 at 10:08 AM
Pete,
Thank you for trying that out for me. I'll troubleshoot this tomorrow, when i'm back in the office, by querying the MSExchangeTransport service on the Exchange server at work. It sounds like the user account doesn't have the necessary privileges or perhaps an aspect of impersonation is failing. Either way, I'll let you know what I discover.
Thanks also for giving me feedback on the impersonation keyword. I'll change the name to "Runas"

Cheers,
Stu

On 26 Oct 2012, at 06:14, petebran <notifications@codeplex.com> wrote:

From: petebran

Hi Stu,

I've tested the update and it allowed me to query some services for example spooler etc however other services such as exchange services gave the following error

2012-10-26 08:01:05.431 Cannot open Service Control Manager on computer '[IP ADDRESS]'. This operation might require other privileges. Queries the status of the 'MSExchangeTransport' service on [IP ADDRESS] and expect equal to 'Running' (running as [DOMAIN\USERNAME])

Just to confirm - I could successfully query the spooler service on one server yet couldn't query an exchange service on that same server.

I didn't have a great deal of time to troubleshoot but i'll have more of a look and post some further results

Cheers,

Pete

Coordinator
Nov 15, 2012 at 10:56 PM
Hi Pete,
Sorry for the delay getting back to you.
I've fixed an error in the impersonation code and I've got a new build for you to try:

I've also changed the keyword from "as" to "runas" as we discussed so please update your script first. Please let me know how you get on

Thanks
Stu

On 26 Oct 2012, at 06:16, petebran <notifications@codeplex.com> wrote:

From: petebran

Also in regards to the keyword preceeding credentials I think "runas" would be the correct choice as in my experience it seems to be the industry standard for command line utilities (at least in microsofts product lines)

Cheers,

Pete

Nov 15, 2012 at 11:48 PM

Hi Stu,

That works a treat.  Although one thing I had to do was run the application as administrator from my laptop in order for it to work.  Awesome little app

If you could get this to output to a HTML file (ajax possibly for updates) you'd have a killer little monitoring tool.

Could you point me to the draw function of the windows form within the code and I could take a look at it spitting out a HTML file every execution cycle.  Can probably place some javascript in the file to auto refresh the browser with the latest file as it is overwritten.

 

Cheers,

Pete

Coordinator
Nov 17, 2012 at 1:27 PM
Hi Pete,

Thanks for trying that out for me and I'm really pleased it's working for you.
Adding HTML output is a great idea. I hadn't considered creating a static file on each execution cycle but I can see the advantages of doing it this way - minimal overhead on the ServiceMon server and no need to host ServiceMon within a web server.

You can add the HTML update code as an extension. Take a look at the ScheduledSummaryEmailer class in the Model project, which implements the #email-summary directive. The class implements the IServiceMonExtension interface and its OnScheduledTimeTick method is called by the monitor process every minute, which is probably often enough.
Once you've created your extension class, you'll just need to add it to the list in the Monitor InitialiseExtensions method so it gets used by the application.

Thanks again for the feedback and please keep me updated with how you get on.

Stu




On 15 November 2012 23:48, petebran <notifications@codeplex.com> wrote:

From: petebran

Hi Stu,

That works a treat. Although one thing I had to do was run the application as administrator from my laptop in order for it to work. Awesome little app

If you could get this to output to a HTML file (ajax possibly for updates) you'd have a killer little monitoring tool.

Could you point me to the draw function of the windows form within the code and I could take a look at it spitting out a HTML file every execution cycle. Can probably place some javascript in the file to auto refresh the browser with the latest file as it is overwritten.

Cheers,

Pete

Read the full discussion online.

To add a post to this discussion, reply to this email (servicemon@discussions.codeplex.com)

To start a new discussion for this project, email servicemon@discussions.codeplex.com

You are receiving this email because you subscribed to this discussion on CodePlex. You can unsubscribe or change your settings on codePlex.com.

Please note: Images and attachments will be removed from emails. Any posts to this discussion will also be available online at codeplex.com