02-28-2018 01:51 AM
I had three recent questions from the customer's server administrators. The questions were on the account to set up the passive-ID agent provider in ISE 2.3.
First question: does the agent provider really need to be a domain admin? If not, what rights does it need?
Second question: we have other services using WMI today without domain admin rights. Why does the ISE passive ID WMI provider need to be a domain admin account?
And lastly, third question: if the ISE agent provider is installed using domain admin account XYZ, can the account be changed after the agent is installed to domain account ABC, so that the ISE admin doesn't know the password or the account ABC? My assumption on question three is that, if changed, it will break the passive ID agent communication with ISE.
Looking forward to hearing your thoughts.
03-01-2018 04:26 AM
- The script for configuring WMI in AD was built based on admin rights only. That said, it can be done but is cumbersome, as you would need to modify DCOM, Registry, and Permissions settings.
Here is a CDA guide explaining the changes needed if you wish to use domain users, for example.
- Once the agent is installed, admin has no more meaning. The agent, though, is monitoring DCs, so if the user changes on the DCs you will need to update the DCs.
03-01-2018 07:10 AM
To add to Danny's response, the account does not need to be a domain admin. For all the details, please see the admin guide and look in the monitor and troubleshooting section for all the changes that need to be made to Active Directory for PassiveID to work.
Regards,
-Tim