VMware Workspace ONE Community
msweisberg
Enthusiast

Anyone see the KB article that was posted in early May related to: API calls blocked if Basic Admin account authentication

Look at this article: https://support.air-watch.com/articles/360003873834. Seems starting with console 9.3+, if you are using an AW basic account for API calls in any tie-in component (i.e. SEG V2, ACC, VIDM, Content Gateway), when the basic password expires, it will now start blocking API calls.


This is a big change and a huge headache. Their solution: use an AD account with a non-expiring password.

25 Replies
LukeDC
Expert

It would be better if they just added a non-expiring option to the basic account.
msweisberg
Enthusiast

That would make too much sense.
Boe_K
Enthusiast

We just ran into this, as we were not using any service accounts at the time when this came out, so I kinda ignored it until recently, when we integrated our VPN into the system and used AW enrollment as a requirement before it would connect. So this got me curious: Luke and Michael, do you guys use domain accounts for your admin logins to the console or just basic accounts? Right now all our admin accounts are local accounts to the console, but this got me wondering if we would be better off using our AD accounts instead? Any thoughts, pros or cons you could think of, since you both seem very knowledgeable on all things AW.
msweisberg
Enthusiast

We made the decision to swap out any basic admin account being used for API functionality in favor of an AD service account. Since we use SEGs, we did not want to run into an issue where APIs stop working and mobile email dies in the middle of the night on a weekend.
Boe_K
Enthusiast

Michael, that is what we are doing as well for the service accounts. I was asking more about your admin account when you log in to the console: are you still using basic accounts for those, or are those AD accounts as well? Professional Services initially set us up with just basic local admin accounts rather than tying in our AD accounts as the admin accounts, so I'm wondering if that is the preferred way of doing things or not.
LukeDC
Expert

For console accounts I would always use Directory based over Basic. Security is better and controls are in the directory's hands, not yours. Basic accounts would seemingly be more vulnerable IMO. Of course, you're always going to want a secret backdoor Basic account for the times when your directory connection might fail etc.
msweisberg
Enthusiast

We only use AD accounts for all console functions. That way, if someone leaves the company, they lose access to it as soon as their AD account is deactivated, and we don't have to go into the console and remove their account. However, should the VESC ever fail, we do keep a basic admin handy.
RyanWampler
Enthusiast

What is the expiration time for basic account password and can it be changed?
SebastienRodrig
Contributor

Quick update on this: in our SaaS environment, it appears that version 1810 introduced a bug with the Cisco ISE API integration. Directory Accounts can no longer access the Cisco ISE specific URIs (/ciscoise/mdminfo and others); only basic accounts can. And these expire after 30 days.
chengtmskcc
Expert

Hey Sebastien, I know this is an old thread. Has your issue been resolved and what type of account did you end up going with?
SebastienRodrig
Contributor

Hello,
This is an ongoing case that has been escalated to engineering; for now we're using a basic account and reset its password every 29 days.
MatthewSwenson
Hot Shot

Sebastien, I have the same problem. We tried setting up certificate based auth, and that has not worked yet. Been a real pain.
chengtmskcc
Expert

Update from VMware support on support for directory account in relation to Cisco ISE integration:

Thank you for your last email as it helped us narrow down the issue. Directory Accounts are currently not supported for CISCO ISE integration and it will not go through.
I found an existing product request which is already in place to get this feature supported.
Here is the PR number in case you wanted further information and wanted to follow up on the status of this feature: PR-199316
chengtmskcc
Expert

Sebastien, I received confirmation from support that they can make a global change to disable password expiration on all basic accounts for dedicated SaaS. Not sure the steps required for on-premises setup.

A bit of a security risk IMHO.
SebastienRodrig
Contributor

Hello,

The ticket has been updated: the bug (although unlisted in the notes) is resolved in Workspace One UEM 1902.
chengtmskcc
Expert

Thanks, Sebastien. I have not read the release notes of 1902 just yet. Are you saying the Cisco ISE bug is resolved in 1902, so that a directory account can be used instead of a basic account?
SebastienRodrig
Contributor

Yep.
chengtmskcc
Expert

We may go straight from 9.4 to 1902 by end of June, but I'm certain our Cisco ISE integration can't wait that long! Until then, we will stick with basic account and temporarily disable credential expiration.
SteveMorganStev
Contributor

Hi all. Just ran into an issue with this. I have set up all new SEG servers for Exchange 2016, and on one of them the SEG service kept stopping. Turns out the SEG API Admin password had expired again. After resetting it and re-running the setup to update it, it's all good again.

1. How come this stopped the service after it had already been installed? I thought the initial API call was only during install and was not used after?
2. Are people still using local accounts or have you all switched to AD ones?
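The failure that keeps coming up in this thread (a basic API service account's password expires and the dependent integration, such as the SEG service, stops) is the kind of thing a scheduled health check catches before email dies in the middle of the night. The script below is an added example, not code from the thread, from VMware or from any poster; it assumes the Workspace ONE UEM REST API endpoint GET /API/system/info and the aw-tenant-code header, and the host, account name, tenant code and last-reset date are placeholders to be replaced. The 30-day expiry and 29-day reset cadence are the figures quoted in the thread.

```python
"""Health check for a Workspace ONE UEM basic-auth API service account.

Added example (not from the thread or VMware). Probes an API endpoint with
the service account's credentials and classifies the result, and tracks how
close the account is to its password expiry so a reset can be scheduled
before integrations break.
"""
import base64
import urllib.error
import urllib.request
from datetime import date, timedelta

# The thread reports basic admin passwords expiring after 30 days and a
# 29-day reset cadence; these defaults are constructed from that.
DEFAULT_EXPIRY_DAYS = 30
WARN_LEAD_DAYS = 3  # warn when this many days or fewer remain


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def classify_status(status: int) -> str:
    """Map the probe's HTTP status to an operator-facing state.

    An expired or locked basic account is rejected at authentication, which
    surfaces as 401/403 rather than as an application error.
    """
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "credential_rejected"
    if status >= 500:
        return "server_error"
    return "unexpected"


def probe_api(base_url: str, username: str, password: str,
              tenant_code: str, timeout: int = 10) -> int:
    """Call GET /API/system/info with basic auth and return the HTTP status.

    Assumes the UEM REST API's system/info endpoint and aw-tenant-code header.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/API/system/info",
        headers={
            "Authorization": basic_auth_header(username, password),
            "aw-tenant-code": tenant_code,
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 is the "password expired" signal we want


def days_until_expiry(last_reset: date, today: date,
                      expiry_days: int = DEFAULT_EXPIRY_DAYS) -> int:
    """Days left before the password expires (negative if already expired)."""
    return (last_reset + timedelta(days=expiry_days) - today).days


def rotation_due(last_reset: date, today: date,
                 expiry_days: int = DEFAULT_EXPIRY_DAYS,
                 lead_days: int = WARN_LEAD_DAYS) -> bool:
    """True when the reset should happen now to stay ahead of expiry."""
    return days_until_expiry(last_reset, today, expiry_days) <= lead_days


if __name__ == "__main__":
    # Placeholders: replace with the real console URL, account and tenant code.
    BASE_URL = "https://uem.example.invalid"
    USERNAME = "api-service-account"
    PASSWORD = "REPLACE_ME"
    TENANT_CODE = "REPLACE_ME"
    LAST_RESET = date(2019, 1, 1)  # constructed; record the real reset date

    today = date.today()
    left = days_until_expiry(LAST_RESET, today)
    print(f"days until basic password expiry: {left}")
    if rotation_due(LAST_RESET, today):
        print("ALERT: reset the API service account password now")

    status = probe_api(BASE_URL, USERNAME, PASSWORD, TENANT_CODE)
    print(f"API probe: HTTP {status} -> {classify_status(status)}")
```

Run it from cron or a monitoring agent against the same account the SEG, ACC or ISE integration uses; a `credential_rejected` result, or `rotation_due` turning true, is the signal to reset the password and re-run the component's setup before the service stops on its own.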