Credential Precedence for Physical Machines and Online Virtual Machines

Initiating actions from the home page, from a machine group, or from a favorite

The home page, machine groups and favorites can be used to initiate patch scans, asset scans, power management actions, and to execute scripts. When performing these actions, Shavlik Protect will attempt to authenticate to each machine using a variety of credentials and will do so using the following strategy:

  1. If one or more of the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

    1. Machine-level credentials (see the To Individual Machines in a Machine Group section in Supplying Credentials for Machines)

    2. Group-level credentials (see the To All Machines in a Machine Group section in Supplying Credentials for Machines)

    3. Default credentials (see Managing Credentials)

Example: If machine-level credentials are not available but group-level and default credentials are available, the program will use the group-level credentials.

  1. If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

If neither of these credentials work the scans and the power management tasks will fail.

One suggestion is to make your default credentials the same as the account credentials you typically use to log on to the program. This will eliminate problems that may occur if you forget to assign credentials.

Initiating an agent installation from a machine group

When using a machine group to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using machine-level, group-level, default, or explicitly supplied credentials.

Initiating actions from Machine View or Scan View

When initiating a scan, a patch deployment or a power management action from Machine View or Scan View, the program will attempt to authenticate to the target machines using a variety of credentials and will do so using the following strategy:

  1. If one or more of the following are available, try to authenticate using the credential with the highest precedence, where the precedence order is as follows:

    1. Any manually or automatically assigned managed machine credentials (see the To Individual Machines in a Machine Group section in Supplying Credentials for Machines and the Credential option on the Manage Machine Properties dialog)

    2. Default Credentials (used if the scan credentials are invalid or missing (for example, if an agent performed the scan rather than the console))

  2. If the credential used above does not work, then Integrated Windows Authentication (the credentials of the person currently logged on to the program) will be used.

Note: Integrated credentials will not work for deployments to offline virtual machines or for rescans.

If neither of these credentials work then the action will fail.

Initiating an agent installation from Machine View or Scan View

When using Machine View or Scan View to push install the Shavlik Protect Agent service to connected target machines, the credentials used by the program follows the same strategy as immediately above with one major exception -- integrated credentials will not be used. So the agent installation must be successful using managed machine credentials, default credentials, or explicitly supplied credentials.