Hello fellow admins,
I have been running into some odd behaviors with my new environment using Windows Authentication.
In order to log in to the Clients using a SQL Worker AD account, we needed to configure the 3-tier connection that uses the Cherwell IIS Application pool, CherwellAppServer. All the Cherwell IIS Application Pools then have the SQL Worker Account set as the Identity.
Some of the odd stuff I have seen so far: scanning a blueprint will complete, but never pops up the prompt at the end letting you know there were no errors. It does come up sometimes, but not all the time.
Other odd stuff includes, when I am in a blueprint and clicking on some of the managers from the menu (i.e. One-Step Manager), I can click on it and nothing happens. Log out of the client and back in, then it works.
Some of these odd things make it seem like a 3-tier connection issue. Just not sure if it's that or a deeper setting that others have run into.
Looking for help. Let me know.
Although not completely related, we did have an issue upon deploying 9.5.3 where we had all the various services running under a single user/service account, and what was happening was that the accounts (i.e. services) would "log off" at random as other services would start up/restart, all due to the single account. This was causing very similar issues to what you are experiencing. We then created a separate user account for each service and the anomalies we experienced went away. This has since changed as we are on 9.6.1 and all services are running under a single service host with one account.
All IIS app pools can share the same account identity, so you should not have an issue there. You may wish to look at the accounts associated to the various Cherwell services in your Service Manager and try breaking them apart if they all share a single account.
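As an added example (not from this thread or from Cherwell), a PowerShell check that lists the logon account of each Cherwell Windows service and IIS app pool and warns when several services share one account, which is the condition the reply above describes. It assumes the service and app pool names start with "Cherwell" and that the IISAdministration module is installed on the server (both assumptions).

```powershell
# Added example, not from the thread. Assumes Cherwell service and app pool
# names start with "Cherwell" and that the IISAdministration module is present.

# Windows services: name, logon account and state
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like 'Cherwell*' } |
    Select-Object Name, StartName, State

Write-Host "Cherwell Windows services and their logon accounts:"
$services | Format-Table -AutoSize

# Group by logon account; a group with more than one member is a shared account,
# which is the setup the reply above recommends breaking apart
$shared = $services | Group-Object StartName | Where-Object { $_.Count -gt 1 }
foreach ($g in $shared) {
    Write-Warning ("Account '{0}' is shared by {1} services: {2}" -f `
        $g.Name, $g.Count, ($g.Group.Name -join ', '))
}
if (-not $shared) { Write-Host "No Cherwell service shares a logon account." }

# IIS app pools: sharing one identity here is fine per the reply above,
# so this part only reports what each pool runs as
Import-Module IISAdministration
Get-IISAppPool |
    Where-Object { $_.Name -like 'Cherwell*' } |
    Select-Object Name,
        @{ n = 'IdentityType'; e = { $_.ProcessModel.IdentityType } },
        @{ n = 'UserName';     e = { $_.ProcessModel.UserName } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Cherwell application server; the warning lines identify the services to move onto their own accounts.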
If I understand, I would need to create an AD account for each Windows Service:
Automation Process - Cherwell-AP Account
Email & Event Monitoring - Cherwell-Email Account
Scheduling - Cherwell-Schedule Account
Cherwell - Cherwell-DB Account (Also used for App Pools)
Or do you mean a service account within Cherwell like CSDAdmin?
I can see how going to 9.6+ with them all using the micro service would solve that.
Thanks for the reply.
Have you seen any strange issues like publishing errors due to this?
I recall us having an AD account and corresponding Cherwell account for each service, as it was set up by a Professional Services Consultant. So, yes, an account for each. I experienced error messages in the Admin client, for example, when I would be editing a form and make a modification to it like sliding the width or adding a text label. An error popup would display itself with lengthy error codes. Logging out and back in would resolve the issue.
I never did receive any publishing errors, however reflecting on this now, there were many cases where I would publish a blueprint and only partial pieces of it would make it through. I recall restarting the services and even the server itself, just in case it was a server-side caching issue, but that did not make the missing content reappear. What I had to do was re-publish a second time and all changes would make it through. This all went away around the time we separated the service accounts I think...makes one wonder.
Thank you for your suggestion, I felt alone on this island of AD Auth. I will run this by our security team. We are hoping before the end of the year to upgrade to 9.6.2 to fix our portal issues, so then I can get rid of the extra ones at that time.
The publish error sounds just like the Blueprint scan issues I was having. So I will update the accounts and see if I get better results. I can post here with them when I get it set up. Thanks again.
One more question I have on the accounts: do you remember what level of security you gave them, Database Login or Admin Login?
Database Login Account Credentials for Server Connection
The Database Login account must have rights to insert, update, and delete rows within tables.
Administrative Login Options for Server Connection
This account must have rights to create, drop, and alter tables, as well as insert, update, and delete rows within tables.
Link to Doc: