Audit Credentials window

Introduced in 8.4

In this window, you can edit existing credentials or define new credentials for auditing computers, Chromebooks and network devices using the Direct Network Scan.

Icon - displays the credential type, which may be one of the following:

- used to audit Windows computers. The account that you define must be a member of the local Administrators group on each Windows client machine (either directly or through the membership in a Windows domain group).

We recommend that you use a domain administrator's account. You can also specify a local account as long as this account exists on every computer you want audited.

- used to audit Linux and Mac client machines. These credentials must allow logging on to these computers. We recommend that you provide credentials for an account with root rights, i.e. the root account or an account that can run the dmidecode command with administrative rights. Otherwise, Alloy Discovery will not be able to collect SMBIOS hardware information on Linux computers. Collecting the list of services (daemons) on Mac computers also requires root rights. If you need this information, you should also use the root account or configure the launchctl command to run with elevated (root) privileges under a non-root account.

- used to audit ESXi/vSphere and Citrix hypervisors. These credentials must allow logging on to these computers. We recommend that you use an account with administrative privileges. For Citrix hypervisors, audit credentials must allow logging on to the computers using the SSH protocol.

- used to collect audit data on Google Chromebooks. These credentials must allow access to the inventory information about Chromebooks enrolled in the domain.

- used to collect inventory data about networked printers, scanners, hubs, routers, and other devices. Alloy Discovery detects and identifies those network devices via SNMP.

Depending on the credentials type, the following fields are shown below:

  • For Windows credentials:

    • Under Version v1/v2c, specify the following information for community-based SNMPv1 or SNMPv2c:

    Community - specify the SNMP community.

    NOTE: Most SNMP v1 and v2c devices are shipped with the community string set to "public". It is standard practice for system administrators to change the community strings so that unauthorized users cannot access information about the internal network.

    • Under Version v3, specify the following information for user-based SNMPv3:

    User Name - specify the SNMP user name.

    Security Level - specify the SNMP security level:

      • No Authentication, No Privacy - uses a user name for authentication and transmits credentials in clear text.

      • Authentication, No Privacy - provides packet authentication and message integrity, but no encryption. Select the authentication algorithm (MD5 or SHA) in the Protocol list and type in the pass phrase.

      • Authentication, Privacy - provides maximum security by combining authentication, message integrity, and encryption. Under Authentication, select the authentication algorithm (MD5 or SHA) and type in the pass phrase. Under Privacy, select the encryption algorithm (DES or AES) and type in the pass phrase.

    NOTE: You can specify the credentials in both the Version v1/v2c and Version v3 sections together. During the audit, Alloy Discovery will use the appropriate credentials depending on the SNMP version set in network node properties for each device.
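The SNMP options described above differ in what they protect, and a record with both sections filled in is only as strong as its v1/v2c part for devices set to that version. The following is an added example, not part of Alloy Discovery; the record layout and field names are assumptions, and the level names noAuthNoPriv, authNoPriv and authPriv are the standard SNMPv3 terms for the three security levels listed above.

```python
# Added example (not Alloy Discovery code): review SNMP audit credential
# records against the options described on this page. The record layout
# and field names are assumptions made for illustration.

DEFAULT_COMMUNITIES = {"public", "private"}  # widely shipped defaults

def review_snmp(record):
    """Return a list of findings for one credential record."""
    findings = []
    community = record.get("community")      # Version v1/v2c section
    if community is not None:
        findings.append("v1/v2c: community string travels in clear text")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("v1/v2c: default community string in use")
    v3 = record.get("v3")                     # Version v3 section
    if v3 is not None:
        level = v3["level"]
        if level == "noAuthNoPriv":
            findings.append("v3: no authentication and no encryption")
        else:
            if v3.get("auth") == "MD5":
                findings.append("v3: MD5 authentication, prefer SHA")
            if level == "authNoPriv":
                findings.append("v3: payload is not encrypted")
            elif v3.get("priv") == "DES":
                findings.append("v3: DES privacy, prefer AES")
    return findings

# Constructed sample records; names and values are illustrative only.
STRONG_V3 = {"level": "authPriv", "auth": "SHA", "priv": "AES"}
SAMPLES = {
    "switches": {"community": "public"},
    "printers": {"v3": {"level": "authNoPriv", "auth": "MD5"}},
    "routers": {"v3": STRONG_V3},
    # Both sections filled in: devices whose node properties are set to
    # v1/v2c still get the community string despite the strong v3 settings.
    "mixed": {"community": "constructed-ro", "v3": STRONG_V3},
}

def report(samples=SAMPLES):
    """Map each record name to its findings."""
    return {name: review_snmp(rec) for name, rec in samples.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", findings or ["no findings"])
```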

  • For Linux and Mac credentials:

    IMPORTANT: Please read and understand the following section first!

    Understanding Linux and Mac audit credentials

    For connecting to Linux and Mac computers via SSH, Alloy Discovery utilizes Plink, a command-line network connection tool that is part of the PuTTY product and is distributed under the free MIT license. Plink is included in the Alloy Discovery installation package; the executable file name is plink.exe. For more information on PuTTY and Plink, see the following website: https://www.chiark.greenend.org.uk/~sgtatham/putty/.

    When specifying Linux and Mac audit credentials, you can use one of three methods:

    • A combination of a user name and password. This method is easy to use and troubleshoot. However, it has a downside: although the password is stored in the database in an encrypted format, it is passed to the Plink utility non-encrypted and so can be sniffed on the machine hosting the Inventory Server or over the network.

    • A combination of a user name and private key. This method relies on a private key instead of a password and is more secure. Your private key is loaded to the database and is stored in an encrypted format. This method uses SSH public key authentication to access Linux and Mac computers without a password. It requires that the SSH public/private key pair is properly set up and the public key is uploaded to all Linux and Mac computers you want to audit. For more information on SSH public key authentication, see http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html.

    • Custom configuration of the command line. This method is intended for advanced use. It allows you to manually specify Plink command line parameters, either as values or as placeholders.

    Protocol - this field is read-only. Connection to the Linux and Mac computers is always established through the Secure Shell protocol (SSH).

    NOTE: Alloy Discovery establishes a connection to Linux and Mac computers using the Secure Shell protocol (SSH) over a TCP port. Therefore, the SSH server must be running on each client computer and listening on a dedicated TCP port.

    Port - by default, Alloy Discovery accesses client Linux and Mac computers over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

    Username - enter the account name.

    Password - enter the account password.

    Private Key - this field is read-only. It displays information about the private key file uploaded to the database.

    Browse - click this button to choose your private key file.

    Clear - clears the Private Key field.

    Use custom command line parameters - select this check box if you want to manually specify Plink command line parameters.

    Parameters - this field becomes available when you select the check box above. It contains parameters of the Plink command line. The default command line parameters may look like this:

    -P "$PORT" -l "$USER_NAME" -pw "$PASSWORD" "$HOST"

    In this example, "$PORT", "$USER_NAME", "$PASSWORD", and "$HOST" are placeholders for command line parameter values, corresponding to the dialog box fields. For more information on placeholders, see below.

    The default parameters may include port (-P), user name (-l), password (-pw) or private key (-i). You can edit the command line as needed. For a complete list of Plink parameters, please refer to http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html#plink.

    You can configure a custom command line in two ways:

    • You can specify parameter values directly in the command line (e.g. -P "22"). In this case, you are not required to fill out the dialog box fields. However, some parameters, such as private key and host, cannot be specified in this way.

    • You can use placeholders instead of specific values (e.g. -P "$PORT"). The actual values for placeholders are taken from the corresponding dialog box fields, which you must fill out. Note that the values for the private key and host must always be passed as placeholders. The value for the $HOST placeholder is determined automatically for each audited computer, hence there is no corresponding dialog box field.

    NOTE: Currently, Alloy Discovery does not support SSH authentication via the Pageant authentication agent. As a possible solution, you can specify your private key file directly in the audit credentials.

    Insert Placeholder - inserts a placeholder into the Parameters field.

  • For ESXi/vSphere/Citrix credentials:

    Protocol - this field is read-only. Connection to the Linux and Mac computers is always established through the Secure Shell protocol (SSH).

    NOTE: Alloy Discovery establishes a connection to Linux and Mac computers using the Secure Shell protocol (SSH) over a TCP port. Therefore, the SSH server must be running on each client computer and listening on a dedicated TCP port.

    Port - by default, Alloy Discovery accesses client Linux and Mac computers over the standard TCP port 22. If you want to specify a non-standard TCP port that the SSH server running on client computers listens on, enter its number.

    Username - enter the account name.

    Password - enter the account password.

    Private Key - this field is read-only. It displays information about the private key file uploaded to the database.

    Browse - click this button to choose your private key file.

    Clear - clears the Private Key field.

    Use custom command line parameters - select this check box if you want to manually specify Plink command line parameters.

    Parameters - this field becomes available when you select the check box above. It contains parameters of the Plink command line. The default command line parameters may look like this:

    -P "$PORT" -l "$USER_NAME" -pw "$PASSWORD" "$HOST"

    In this example, "$PORT", "$USER_NAME", "$PASSWORD", and "$HOST" are placeholders for command line parameter values, corresponding to the dialog box fields. For more information on placeholders, see below.

    The default parameters may include port (-P), user name (-l), password (-pw) or private key (-i). You can edit the command line as needed. For a complete list of Plink parameters, please refer to http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html#plink.

    You can configure a custom command line in two ways:

    • You can specify parameter values directly in the command line (e.g. -P "22"). In this case, you are not required to fill out the dialog box fields. However, some parameters, such as private key and host, cannot be specified in this way.

    • You can use placeholders instead of specific values (e.g. -P "$PORT"). The actual values for placeholders are taken from the corresponding dialog box fields, which you must fill out. Note that the values for the private key and host must always be passed as placeholders. The value for the $HOST placeholder is determined automatically for each audited computer, hence there is no corresponding dialog box field.

    NOTE: Currently, Alloy Discovery does not support SSH authentication via the Pageant authentication agent. As a possible solution, you can specify your private key file directly in the audit credentials.

    Insert Placeholder - inserts a placeholder into the Parameters field.

    Name - enter the name.
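The custom Plink parameters described in the Linux and Mac section and again in the ESXi/vSphere/Citrix section can be checked against the rules stated there before they are saved. The following is an added example, not part of Alloy Discovery; placeholder handling is inferred from this page, and `$KEY_FILE` is a hypothetical stand-in because the page does not name the private-key placeholder.

```python
# Added example (not Alloy Discovery code): review a Plink parameter string
# as entered in the Parameters field. Placeholder handling is inferred from
# this page; shlex stands in for Windows command-line parsing.
import re
import shlex

PLACEHOLDER = re.compile(r"^\$[A-Z_]+$")
TAKES_VALUE = {"-P", "-l", "-pw", "-i"}  # Plink options named on this page

def review_plink(params):
    """Return a list of findings for one parameter string."""
    tokens = shlex.split(params)
    findings = []
    for opt, value in zip(tokens, tokens[1:] + [""]):
        if opt not in TAKES_VALUE:
            continue
        literal = not PLACEHOLDER.match(value)
        if opt == "-pw":
            findings.append("-pw: password reaches plink.exe in clear text")
            if literal:
                findings.append("-pw: literal password in the parameter string")
        elif opt == "-i" and literal:
            findings.append("-i: private key must be passed as a placeholder")
    if "$HOST" not in tokens:
        findings.append("host: must be passed as the $HOST placeholder")
    return findings

def redacted_argv(params, values):
    """Expand placeholders from `values`, masking the -pw argument for logs."""
    out, mask = [], False
    for tok in shlex.split(params):
        out.append("****" if mask else values.get(tok, tok))
        mask = tok == "-pw"
    return out

# DEFAULT is the default string shown on this page; the rest are constructed.
# $KEY_FILE is a stand-in: the page does not name the private-key placeholder.
DEFAULT = '-P "$PORT" -l "$USER_NAME" -pw "$PASSWORD" "$HOST"'
LITERAL = '-P "22" -l "audit" -pw "Constructed-Pass1" "$HOST"'
KEY = '-P "$PORT" -l "$USER_NAME" -i "$KEY_FILE" "$HOST"'
BAD_KEY = '-l "$USER_NAME" -i "audit.ppk" "192.0.2.10"'

if __name__ == "__main__":
    for s in (DEFAULT, LITERAL, KEY, BAD_KEY):
        print(s, "->", review_plink(s) or ["no findings"])
    print(redacted_argv(DEFAULT, {"$PORT": "22", "$USER_NAME": "audit",
                                  "$PASSWORD": "Constructed-Pass1",
                                  "$HOST": "192.0.2.10"}))
```

Only the private-key form produces no findings, which matches the page's description of that method as the more secure one.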

  • For Google credentials:

    Client ID - enter the Google developer API Client ID.

    Client Secret - enter the Google developer API Client Secret.

    NOTE: You can load both the Client ID and the Client Secret parameters using the Load button. For details, see Google Directory Audit and Directory API: Getting Started.

    Domain - enter the name of the domain, if you want to specify a domain user name.

    Authorize - click this button to start the authorization process. In a browser window, sign in with the Google Account to your domain and configure client permissions by clicking the Allow button. When the authorization is approved, the credentials will be saved automatically.

  • For SNMP credentials:

    User Name - enter the account name.

    Password - enter the password.

    Domain - enter the name of the domain, if you want to specify a domain user name. The default value is <Local Computer> for the local Windows account authentication.

    Test Login - click this button to verify that this account can log in to the specified domain.

Name - specify a meaningful name for the credential record. It appears in the grid of available audit credentials that you choose in the Select Audit Credentials window.