How to resolve "authentication failed" error administering a TIBCO Streaming node


Article ID: KB0072169


Products Versions
TIBCO Streaming 10.x and later

Description

How can I use 'epadmin' commands with a Streaming node installed by a different user?

For commands like this (example):
  epadmin servicename=A.X display engine
I get error:
[A.X] Failed to open a connection to the node PROD_SVR:8537. Reason: Authentication of user [me] failed: authentication failed
The Streaming node is running on this system so this system is in the node's default Trusted Hosts. I am a local administrator on this system.

Issue/Introduction

Default security considerations and using runas.exe to become the node administrator

Environment

Microsoft Windows

Resolution

This problem is often seen when the Streaming node has been installed by a different user. The default node administrator is the user who installed it. Other users will not have admin rights unless the node's security configurations are customized to extend the "AdminRunCommand" privilege to them.

When a node is started as a Windows service it is installed by the Windows SYSTEM user, which no one can impersonate. To resolve this specific problem, change the service in the Services control panel, Properties dialog, "Log On" tab, "Log on as:", "This account:" and specify the user account name and password which you would like to use as the node administrator account.

When the node is installed by another non-SYSTEM user, run 'epadmin' commands either by logging in directly as that user, or by using the Windows "runas.exe" command to open a StreamBase Command Prompt as that user.

The command to open a StreamBase Command Prompt is (example for Streaming 10.6):
  C:\Windows\System32\cmd.exe /k "C:\tibco\sb-cep\10.6\setenv.bat"
(For Streaming 11.0 the path has changed to: "C:\tibco\str\11.0\setenv.bat".)

To open the StreamBase Command Prompt as a different user with "runas", use it as follows (example):
  runas /user:"AD-Domain\tibcouser" "C:\Windows\System32\cmd.exe /k ""C:\TIBCO\sb-cep\10.6\setenv.bat"""
(For a local account, replace "AD-Domain\tibcouser" with ".\tibcouser". Your account may be different than "tibcouser".)
Windows requires nested double-quotes to be doubled, not escaped.

Once the StreamBase Command Prompt is open, it will show in the title-bar:
C:\Windows\System32\cmd.exe /k "C:\tibco\sb-cep\10.6\setenv.bat" (running as AD-Domain\tibcouser)
You may then run the 'epadmin' commands without providing additional credentials, as desired:
  epadmin servicename=A.X display engine

In the above example, we used username "tibcouser". In general we advise that Streaming nodes which are intended to persist, such as Windows Services, be run using a utility account and not a normal user account. This allows you to isolate runtime environment settings for the node from those specific to an employee account.
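
To check which account a node's Windows service logs on as before choosing between the two fixes above, the following PowerShell script is an added example, not TIBCO code or part of the original article. The service name 'ExampleStreamingNode' is a hypothetical placeholder; the setenv.bat path is the Streaming 10.6 path used above.

```powershell
# Added example (not TIBCO code). $ServiceName is a hypothetical placeholder;
# $SetEnvBat is the Streaming 10.6 path quoted in this article.
param(
    [string]$ServiceName = 'ExampleStreamingNode',
    [string]$SetEnvBat   = 'C:\tibco\sb-cep\10.6\setenv.bat'
)

function Get-NodeAdminRunAs {
    param(
        [Parameter(Mandatory)][string]$StartName,
        [Parameter(Mandatory)][string]$SetEnvBat
    )
    # Windows reports a service that logs on as SYSTEM with StartName 'LocalSystem'.
    # Per the article, nobody can impersonate that account, so no runas line applies.
    if ($StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        return [pscustomobject]@{ Account = $StartName; CanRunAs = $false; Command = $null }
    }
    # The cmd.exe command line is itself one quoted runas argument, so the quotes
    # around the setenv.bat path are doubled rather than escaped.
    $inner = 'C:\Windows\System32\cmd.exe /k ""{0}""' -f $SetEnvBat
    [pscustomobject]@{
        Account  = $StartName
        CanRunAs = $true
        Command  = 'runas /user:"{0}" "{1}"' -f $StartName, $inner
    }
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "No service named '$ServiceName' on this host."
}
else {
    $result = Get-NodeAdminRunAs -StartName $svc.StartName -SetEnvBat $SetEnvBat
    "Service logs on as : $($result.Account)"
    "Current user       : $([Environment]::UserDomainName)\$([Environment]::UserName)"
    if ($result.CanRunAs) {
        "Open a StreamBase Command Prompt as the node administrator with:"
        "  $($result.Command)"
    }
    else {
        "Set 'Log on as: This account' on the service first (Services > Properties > Log On)."
    }
}
```

For a local account Windows reports the logon name as ".\name", which is the same form the runas example above expects.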

The related product documentation sections are: