Changing IIS Passwords on Inventory Beacons

FlexNet Manager Suite 2019 R2 (On-Premises Edition)

When you use Microsoft IIS as the web server on an inventory beacon, you may choose Basic Authentication. Doing so requires a special process to avoid losing 'orphaned' managed devices if you need to change the password for the authorized account.

(You can avoid everything in this topic by allowing anonymous access to inventory beacons, which also allows such beacons to be used as fail-over locations by managed devices that lose contact with their usual beacon. However, where security requires you to use Basic Authentication, this topic applies.)

The account name and password used by managed devices for Basic Authentication when accessing IIS on the inventory beacon is stored on each managed device at the time it is adopted (and the inventory agent is installed). If you subsequently change the password on the account without careful planning, those devices using the old password are orphaned and cannot upload inventory data.

To avoid creating orphans, you can do any of the following:
  • Set the password on the access account to never expire (common practice for service accounts)
  • Make sure that only the upload location (ManageSoftRL) is secured with Basic Authentication, and that the download location (ManageSoftDL) always uses anonymous authentication. This requires manual adjustment to the settings for IIS, as described in Configuring Inventory Collection
  • Manage password changes with a pair of overlapping accounts.
The last approach works like this.
  1. Assume that the inventory beacon has supplied its managed devices with an Username:Password pair of FirstAccount:OrigPwd. Under corporate policy, the time to change OrigPwd approaches.
  2. Five days before OrigPwd expires, ensure that another account SecondAccount:LongtermPwd exists in Windows (either in Active Directory or as a local account on the inventory beacon server), and that it has access rights to Microsoft IIS. Be sure that LongtermPwd does not require changing on the same date that OrigPwd expires! This should be a password that can stay current throughout this cycle, until the following time for password updates comes around.
  3. Still five days before OrigPwd expires, register SecondAccount:LongtermPwd in the inventory beacon interface, on the Local Web Server tab.
    Tip: The period of five days allows sufficient time for the download of the new account details to all managed devices. Each device switches to the new account name and password as soon as the information is downloaded. If you have road warriors with notebooks under management by an inventory beacon using Basic Authentication, make sure you extend this period for long enough for all travelling devices to phone home. Similarly, is anyone on annual leave with a desktop computer turned off? Leave both systems running for the month, or however long it takes.
  4. If you have multiple inventory beacons, repeat this process on each of them, registering a second account with a long-term password. (It can be the same second account if that suits your security infrastructure. The beacons do not impose any requirement for distinct accounts.)
  5. After the overlap period, the OrigPwd expires, or you can disable that password on the inventory beacon(s) if you wish. Managed devices happily continue running with SecondAccount:LongtermPwd.
  6. When the next cycle of password renewal comes around, repeat this process. You can, if you wish, switch back to FirstAccount with a new long-term password that can last through the overlap period and on until the following cycle of password renewal.

By flip-flopping between (at least) two accounts with a sufficient period of overlap, managed devices are able to switch between accounts in the overlap, and no devices are orphaned.

Tip: For other changes, you may not need separate servers for the overlapping period. For example, switching the protocol for installed inventory agents to use when contacting the inventory beacon from HTTP to HTTPS can also orphan the managed devices, just as a change of password can. However, for a protocol switch, you can enable both HTTP and HTTPS on the same IIS server, and keep both operating until all targeted managed devices (and any child inventory beacons) have updated their settings and switched over.