VMware Workspace ONE Community
msweisberg
Enthusiast

Anyone see the KB article that was posted in early May related to: API calls blocked if Basic Admin account authentication

Look at this article: https://support.air-watch.com/articles/360003873834. It seems that starting with console 9.3+, if you are using an AW basic account for API calls in any tie-in component (i.e. SEG V2, ACC, VIDM, Content Gateway), when the basic password expires, it will now start blocking API calls.


This is a big change and a huge headache. Their solution...use an AD account with a non-expiring password.

25 Replies
RichB2u2
Hot Shot

1. See this article:  https://support.workspaceone.com/articles/360003873834
2. We are using AD accounts for most logins.
We have an API admin local account that integrates with our wireless controllers, and the password expired unexpectedly. The information stopped syncing, which caused our system to start flagging all devices as BYOD, causing issues. After updating the password I also made sure my email address was entered for the local account so I would receive notifications that the password was going to expire. I would also rather have the local admin account never expire their password too. We are now on 1902 and there is no setting for admin password expiration that I can find. Our network guys really don't like adding generic accounts to AD, but we will need to do this if that local admin password keeps expiring!

0 Kudos
chengtmskcc
Expert

FYI. AirWatch can help extend the expiration for local accounts at the global level to 9999 days.
0 Kudos
SteveMorganStev
Contributor

Rich B - 1. Thanks, but it states 'updated credentials will only need to be used when upgrading or reinstalling the SEG. After the setup procedure, SEG uses Certificate/CMS for authentication and, therefore, basic credentials are only required to establish initial communication' - which means it should not be using it after it's been installed, so it does not explain why the service conked out.
2. Thanks for the info. I'm a bit reluctant myself to start adding AD accounts for SEG and Tunnel, which completely rely on the link between AD and AirWatch. I have to restart our ACC services quite regularly.

Thomas C - Interesting. Is that Admin at Global level only? Our SEG API ones are a couple of levels down from that.
0 Kudos
chengtmskcc
Expert

Steve,

I mean the change to extend password expiration applies to all local accounts. Does that help?

And any update from support on your issue? It sounds quite concerning.

Tom



0 Kudos
SteveMorganStev
Contributor

Thanks Tom, I've made that change now.
0 Kudos
HimanshuMishra
Enthusiast

So, which one is recommended?

1. System account with a restricted REST API role, so that password change is synced automatically.

2. Basic account with a password reset policy.

Looking for pros and cons of each to understand this.

Thanks!

0 Kudos