Updating cached credentials (notification)
Subscribers contain a cached credential of the service account. This credential needs to be updated whenever the password is changed on a Windows server or workstation.
The act of updating the cached credentials of subscribers is called a subscriber notification. This is performed by using the "Update cached credentials" (updateresource) operation with the Windows NT connector. The operation can be triggered whenever a privileged password is randomized. This includes:
Expired passwords reset by the scheduler
Manually randomized passwords
Overridden passwords
Passwords that are checked in
The PAMSA SUBSCRIBER NOTIFICATION plugin determines which discovered services, scheduled tasks, DCOM objects, COM+ applications, IIS objects, and ODBC DSNs will be updated when passwords are randomized or during a password change orchestration.
Requirements
IIS objects
Managed systems must have the same IIS settings as the Bravura Security Fabric server. To manage IIS, the appropriate IIS version or management tools must be installed.
COM+ Applications
To list and update COM+ applications, one of the following conditions must be met:
The Bravura Security Fabric server is a domain member, or,
A proxy server is installed on a domain member system.
and
The psadmin user on the proxy server or the psadmin user on the instance server is a domain user and is also a member of the local administrators group for each targeted system, or,
The Run as? setting for the target system credentials is enabled for a domain user who is also a member of the local administrators group for each targeted system.
Remote COM+ access must be enabled. To do this, COM+ Network Access must be installed:
In Windows Server versions 2012 and earlier, this requires the Application Server role. This can be configured from the Windows Server Manager.
In Windows Server 2016, the Application Server role does not exist. Instead, update the registry subkey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3" to change the RemoteAccessEnabled DWORD value to 1.
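The following read-only PowerShell check is an added example, not part of the Bravura Security Fabric product or its documentation. Run on a managed Windows Server 2016 system, it reports whether the RemoteAccessEnabled value described above is set and whether a given domain user is a direct member of the local Administrators group. The function name and the account `EXAMPLE\svc-pam` are constructed placeholders.

```powershell
# Added example: read-only prerequisite check for COM+ discovery on a managed system.
# Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts module) and a
# local, elevated session. Nothing is modified.
function Test-ComPlusPrerequisite {
    [CmdletBinding()]
    param(
        # Domain user expected to hold local administrator rights,
        # for example 'EXAMPLE\svc-pam' (constructed sample name).
        [Parameter(Mandatory)]
        [string]$Account
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\COM3'

    # A missing key or value yields $null, which is reported as "not enabled".
    $raw = (Get-ItemProperty -Path $keyPath -Name RemoteAccessEnabled `
                -ErrorAction SilentlyContinue).RemoteAccessEnabled
    $remoteAccess = ($raw -eq 1)

    # Look up the local Administrators group by its well-known SID so the check
    # also works on systems where the group name is localized.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    # Direct membership only: an account that is an administrator through a
    # nested domain group is reported as $false and must be checked separately.
    $isAdmin = [bool]($members | Where-Object { $_.Name -eq $Account })

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        RemoteAccessEnabled = $remoteAccess
        RawValue            = $raw
        Account             = $Account
        DirectLocalAdmin    = $isAdmin
        Ready               = ($remoteAccess -and $isAdmin)
    }
}

# Constructed sample invocation; replace the account with the one used for the target.
Test-ComPlusPrerequisite -Account 'EXAMPLE\svc-pam'
```

The same output also works as an inventory of which systems have remote COM+ access turned on, so the setting can be confined to hosts that actually need subscriber notification.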
For more information see the Microsoft support article at:
Scheduled task objects
On Windows operating systems that support both Scheduled Task Interface versions 1.0 and 2.0, any version 1.0 task objects must be in the root folder of the Task Scheduler Library to be discovered.