NateG Posted January 11, 2021 Share Posted January 11, 2021 Hi all, New Passwordstate user here, brand new install on build 8993. We're trying to set up a MS SQL account discovery jobs and are running into a few oddities. First, there does not seem to be a way to define multiple SQL instances for a host without having to define multiple host entries (one for each instance). This is pretty clunky, and brings up 2: There's no auto-discovery of SQL instances - why not leverage the functionality of the SQL Browser service to enumerate instances automagically, then tie each instance to a Privileged Account Credential? After creating a second host and specifying a different instance (let's call this instance B), the discovery job "finds" accounts from instance A and either (I can't figure out what causes one to happen vs the other): - adds a duplicate record to the password list. In other words, we wind up with two entries: servername (instance A)\fred and servername (instance B)\fred - even though fred isn't a user on instance B. - associates instance B's unique discovered users with instance A The account discovery job statistics are not updated as expected. The Last Discovery Took field is always 00:00:00, unless you run a job manually and don't navigate away from the page. There is no way (that I've found) to have the instance name used as a variable. This means that the associated password list has identical Title and Description entries for each instance, leading to confusion. Any help is appreciated! Link to comment Share on other sites More sharing options...
support Posted January 11, 2021 Share Posted January 11, 2021 Hi Nate, Please see some comments below in Red. First, there does not seem to be a way to define multiple SQL instances for a host without having to define multiple host entries (one for each instance). This is pretty clunky, and brings up 2: From a SQL Server perspective, these are different servers which is why we require separate host records for them. And so they also can be used with our Client Based Remote Session Launcher. There's no auto-discovery of SQL instances - why not leverage the functionality of the SQL Browser service to enumerate instances automagically, then tie each instance to a Privileged Account Credential? We'd need to investigate if the Browser Service exposes the instances programatically, via PowerShell. If this is something you need, could you log a feature request on the following section on our forums - https://www.clickstudios.com.au/community/index.php?/forum/38-feature-requests/ After creating a second host and specifying a different instance (let's call this instance B), the discovery job "finds" accounts from instance A and either (I can't figure out what causes one to happen vs the other): - adds a duplicate record to the password list. In other words, we wind up with two entries: servername (instance A)\fred and servername (instance B)\fred - even though fred isn't a user on instance B. - associates instance B's unique discovered users with instance A We'll need to investigate this, as we've never had this reported to us before - we will let you know what we find The account discovery job statistics are not updated as expected. The Last Discovery Took field is always 00:00:00, unless you run a job manually and don't navigate away from the page. Can you tell us how many SQL Servers you are querying here? There is no way (that I've found) to have the instance name used as a variable. This means that the associated password list has identical Title and Description entries for each instance, leading to confusion. Regards Click Studios Link to comment Share on other sites More sharing options...
NateG Posted January 12, 2021 Author Share Posted January 12, 2021 Thanks - I logged the feature request here. I'm only querying 3 SQL instances right now, all on the same server. Let me know if you need me to provide anything for the other issues. Link to comment Share on other sites More sharing options...
support Posted January 13, 2021 Share Posted January 13, 2021 Hi Nate, With your SQL instances, did you install these with either different port numbers, or different IP Addresses, or are each of your instances using the same port and IP Address? Regards Click Studios Link to comment Share on other sites More sharing options...
NateG Posted January 13, 2021 Author Share Posted January 13, 2021 They're using dynamic ports and listening on the same IP. Link to comment Share on other sites More sharing options...
support Posted February 11, 2021 Share Posted February 11, 2021 Hi NateG, We've just been looking into this, and the Discovery Job is working for us if you specify the correct Instance Name and Port Number. When using Dynamic Ports, in our testing it's only dynamic initially when first set, so you can specify these ports on the Host records in Passwordstate. You just need to look them up using the SQL Server Configuration Manager tool, like in the screenshot below. Regards Click Studios Link to comment Share on other sites More sharing options...
NateG Posted February 11, 2021 Author Share Posted February 11, 2021 Well, the point of this is to not need to know the port, and there is no guarantee that the port number for an instance will not change. It's determined at startup: https://docs.microsoft.com/en-us/sql/tools/configuration-manager/tcp-ip-properties-ip-addresses-tab?view=sql-server-ver15#dynamic-ports Link to comment Share on other sites More sharing options...
support Posted February 11, 2021 Share Posted February 11, 2021 Hi Nate, The reason we suggested to specify the ports is because during our testing, as long as we had different SQL Instance Names, we did not need to specify port numbers for the Hosts in Passwordstate - and we did not witness the wrong accounts being associated with the wrong host record. In our experience the port did not change on startup, so possibly just specifying a port will help instead. Regards Click Studios Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now