Monday, August 13, 2012

OM12 Agent Push Installation Fails While Running The Discovery: The <SDK Account> does not have sufficient permission to perform the operation.

Issue
Bumped into this strange issue at a customers location. While trying to push several OM12 Agents to some Windows Servers, an error message was thrown stating the SDK account didn’t have sufficient permissions.

This puzzled me since everything was in place and configured accordingly. The OM12 service accounts had the proper permissions as well.

None the less, the Discovery kept on failing with the same message, stating the SDK account not having sufficient permissions: The <SDK Account> does not have sufficient permission to perform the operation.

Cause
In order for Discoveries to run properly the SDK Account (aka Data Access Account) requires admin permissions in OM itself. By default the Group BUILTIN\Administrators is added to the User Role Operations Manager Administrators:
image

When this Group is removed and replaced by an AD Global Group containing all the accounts which are allowed Admin access to OM12, the OM12 Service Accounts need to be part of that Global Group as well.
image

image

In this particular case this was done as well, so THEORETICALLY all was well. And yet, it didn’t work as intended. Somehow OM12 didn’t enumerate this Global Group properly…

Solution
A reboot of an OM12 Management Server is too drastic. But a restart of the OM12 related services (SDK/Data Access & Configuration Service) will make OM12 to enumerate this Global Group in a proper manner.
image

After restarting these two OM12 services, the Discovery just run fine without any error now.

Advice
Whenever your Discoveries run wild showing the above mentioned error related to the SDK Account and you’re sure this account has been given the proper permissions, restart the OM SDK and Configuration services and you’ll be just fine.

2 comments:

Heinrich Pelser said...

Thanks bud,

Thom Turner said...

Perfect! Trying to be too cleaver with security!