SoftTree Technologies SoftTree Technologies
Technical Support Forums
RegisterSearchFAQMemberlistUsergroupsLog in
Remote Access Confusion

 
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite View previous topic
View next topic
Remote Access Confusion
Author Message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Remote Access Confusion Reply with quote
Hi,

I have installed the scheduler on a Windows server, and am trying to get the web-based console working. Running this on the server, I get the login screen but whatever credentials I use I get 'Connection refused: connect' error message. I have not even managed to get to the login screen when trying to connect from a different computer.

I am hoping someone can answer the following for me?

- When using the Web Console, is the user name authenticating against the local machine, or AD on the domain, or somewhere else?
- Does the 'Remote control port' specified in Tools - Options - Network relate to the port in the Web Console URL, or is this different?
- The documentation refers to a tools - security menu in the main app, but I cannot see this - is this just due to the documentation being out of date?

Thanks in advance!
Richard
Tue Nov 13, 2012 11:51 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Hi,

Have you enabled the remote control option in the scheduler. If not, the scheduler is not listening for remote for connections and so the web console is unable to connect to it. If you need to enable it, go to Tools/Options menu, Network tab, check Enable Remote control option.
Tue Nov 13, 2012 7:02 pm View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Hi,

Yes, I have enabled that - can you confirm what the port number in this option relates to, though?

Thanks,
Richard
Wed Nov 14, 2012 3:55 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Yes, it should be set to 1097 unless that port is already used by some other application.
Wed Nov 14, 2012 12:24 pm View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Hi,

The port number here is set to 1097, but that is different to the default in the Web Console, which defaults to 8088 - should they be the same, or is the Remote Access port for running a remote agent?

Also, regarding my earlier question about the users - obviously the users for the Web Console need to map to theose defined in the Users screen of the main scheduler. However, this just defines their groups - where are the users actually set up? Should they be local users on the server running the scheduler, or can they be network users?

Finally, when running the Web Console from a different PC, what will the URL be? Is is just the server name, or does it need to speficy more of a path?

Thanks,
Richard
Wed Nov 14, 2012 12:34 pm View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Please don't confuse the port number used by the scheduler for accepting remote connections and the port number used by your web server to server HTTPS traffic. The first one is used by the scheduler's API, which the web console and other components use to talk to the scheduler remotely.

Regarding your previous question. You don't need to define users in the scheduler or in the web console, they rely on the operation system users the user auhenticated is integrated with the underlaying operation system so that you can manage all sorts of users in one place only (Active Directory). In the scheduler you simply map users to scheduler specific groups, which for the web console means the same as user roles. Based on the group/role mapping, the web console provides different access level to different users.

The web console can be installed on any machine on the network, it doesn't have to be the same machine as the scheduler. As with any web server, in a web browser users enter web-server's URL, such as for example https://machine-name:8088 https://machine-ip:8088 or could be any other name that maps to the same TCP/IP addresss of the web server
Wed Nov 14, 2012 1:55 pm View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Hi,

Thanks for confirming re. the port numbers - I thought that was probably the case, but it wasn't entirely clear from the docs. I have also now at least got the login screen running the web console from another PC on the network, although it still can't sign in.

Looking at the Scheduler logs, I can see that a connection is being made when I try to sign in from the web console, but I am still getting the 'Connection Denied'. I have mapped the user in question to the 'Administrators' group in the scheduler, which I would have expected to be enough - is there another step I am missing?

I notice that the web console user guide mentions being able to turn on/off network connectivity features for a specific group (p7), but there doesn't seem anywhere to do this in the application - is this just due to the user guide being out of date, or is there an option somewhere I am not seeing?

Also, is there any news on when the updated user guides will be ready?

Thanks,
Richard
Thu Nov 15, 2012 5:22 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Hi Richard,

Are you entering user name in machine\user or domain\user format? That's how you need to enter it in both places - Users and on the login screen.
Thu Nov 15, 2012 8:54 am View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Hi,

Yes, it is in domain\user format both in the login screen and in the Users screen. As mentioned, it is appearing in the log, showing message 'User LON\GIB0219 connected from 10.132.32.26'...

Is there any way to check what permissions the assigned group has, or is this fixed?

Thanks,
Richard
Thu Nov 15, 2012 9:01 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Hi,

There are no separate group permissions. Here what is going on behind the scenes.
1. You login to the scheduler, the web console is just a remote front-end (a client).
2. Every group/user has permissions to connect to the scheduler as long as (a) user has been explicitly added to the one of the groups and (2) the operation system allows that users to connect to the machine (this is controlled via Computer Management/Security/Local Security policy for local users or Active Directory for domain users)
3. During user authentication phase the scheduler talks to the Operation System, and asks it to validate user credentials. If accepted and the user is in one of the groups, the scheduler initiates new user session
4. What users can do within the session / web console depends on your group membership.


As you indicated it appears that the web console is able to communicate with the scheduler, but then user's authentication fails. There could be 2 reasons for that, the user/password are invalid or the scheduler is unable to validate user authentication because the account running the scheduler process lacks sufficient privileges for such operations. You can verify the latest using one of the command line tools. Login to the machine as the user who is running the scheduler. Open command prompt, and do CD C:\24x7 (or wherever you have the scheduler installed). From there, execute
userchk LON\GIB0219 [password here]

Check the output message.
Thu Nov 15, 2012 10:01 am View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Hi,

Many thanks for that info - explains a lot more about what is going on! I got a failure with the account I was using, but then using an account with full admin rights on the server I have successfully logged in to the web console.

So, 2 questions remain:
- What rights do users need to the server in order to log in via the web console? Our security guys will obviously not let normal users have server admin rights in a prod environment...
- Given that for the successful user I did not set up anything in the user/group list, is there something that needs to be switched on to give no/guest access by default?

Thanks,
Richard
Thu Nov 15, 2012 11:01 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
- In order to login, users need to be given 'login as a batch job' privilege for the scheduler's system
- there is no 'guest' access. There are 4 logical groups of users and their associated roles in the web console
1. Administrators - they can do manage scheduler's settings, manage and run any job available
2. Power Users - they can manage and run only jobs that bear their user name in the Run As properties. they can also access job and queue monitors, but cannot pause of terminate non-owned jobs
3. Users - for the web console they are like system operations, they cannot manage/change jobs, but they can access job and queue monitors, pause and resume jobs, access job logs, run and disable/enable any job
4. Everybody else, who are not explicitly listed in the Users file - they cannot login via the web console, and yet jobs can be setup to run under their user accounts.

Hope this helps.
Thu Nov 15, 2012 11:28 am View user's profile Send private message
RichardDavis



Joined: 13 Nov 2012
Posts: 17
Country: United Kingdom

Post Reply with quote
Lovely - many thanks for all your help!
Fri Nov 16, 2012 6:44 am View user's profile Send private message
Display posts from previous:    
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite All times are GMT - 4 Hours
Page 1 of 1

 
Jump to: 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


 

 

Powered by phpBB © 2001, 2005 phpBB Group
Design by Freestyle XL / Flowers Online.