New Fog client and security

LibraryMark

@Wayne-Workman Yes. Why?

Wayne Workman

@LibraryMark Just asking questions to try to figure out what happened. I’m still thinking on it.

LibraryMark

@Wayne-Workman
Oh. Well - don’t spend too much time on it. I can always get by with the old client for now.

Wayne Workman

@LibraryMark said in New Fog client and security:

@Wayne-Workman
Oh. Well - don’t spend too much time on it. I can always get by with the old client for now.

And that’s exactly why the legacy client remains supported. To allow transition as possible.

Pinging @Joe-Schmitt about this.

Joe Schmitt

The log says invalid security token. Try hitting the reset encryption data button on the host in the fog web portal.

Tom Elliott

I feel I should add some information.

The new client and security are a “teamed” thing. So while the client is highly more secure, this security is two sided.

First bit. We have asymmetric key pairs set up on the server of which the client uses the server’s public key to verify and validate the trust of the server.

The server has a trust of the client as well, so both sides must be trusting each other for communication to happen. This is all automatic.

If the Server cannot trust the client, the client is immediately informed of such actions and no pertinent (sensitive) data is passed to the client. If the client cannot trust the server, the client will not keep communicating with the server (won’t keep trying to get anything from the server).

In the first case (server cannot trust) the response is “Invalid security token.” This can be reset right on the GUI if you’re sure the client is a viable client in your environment. This will enable you to know of potential “trouble” clients as well.

All of this is handled, more or less, automatically though. There is a third layer of security which is to ensure the client installer is “trusted”. This is handled when you first start to install the client. It downloads the public key of the layout that was used to sign the file during the build process.

Of all of this, the most problematic issue is most likely the installation itself. This is because the installation will look to the internet to download the public key. If this cannot be found, I don’t know the consequences. That said, most will not have to worry about this.

The way all this security works is quite fast and very much automated. While you may have the occasional “Invalid Security Token” issue, this is most likely to occur after imaging and the system has the client enabled on an image that was sysprepped. This is issue will often occur because it attempts to send the “trust” information of the original uploaded system. This tells the server that the information is invalid and properly shuts the communication down. (Even though it’s highly unexpected from the admin/user side).

The imaging process (deploy) will reset the token information automatically so as to help prevent these issues, but as I stated there may be some oddities to this occasionally. If there’s other issues, you can reset this information right within the GUI. This reset can be done individually per each host, or via groups. There’s also cli methods to reset though most won’t need this.

In the second case (client cannot trust) the issue is a little bit more involved. A client receives all its information from the server and performs actions based on what the server sends it, so it is necessary to make the client trust the server on a much “deeper” level. The Trust relationship in either direction is incredibly important, but right fully more “show stopping” when the client cannot trust the server because of the earlier statements (the client performs actions based on what the server sends it).

The asymmetric key’s are generated when the fog installer is run. These keys are signed by an automatically generated CA (Certificate of Authority) on the same installer pass. While you can pass arguments to recreate the CA (which will also automatically recreate the main server’s keys), it would be unwise to do so after the initial install and FOG Client being installed in your image. This is because the CA signed certificate is what’s used to validate the trust of the server. Without this, you could by pass simply by making your own certs which would defeat the purpose of all the security. Yes, it is more than possible to use your own purchased certs and information, but for the installer sake and documentary purposes this will need to be asked on a case by case basis (though it’s rather simple). If you need to update your server’s keys for whatever reason, and are reasonably sure your CA is not impacted, you can do this without any issue to the clients.

LibraryMark

@Joe-Schmitt said in New Fog client and security:

The log says invalid security token. Try hitting the reset encryption data button on the host in the fog web portal.

Tried it. fog.log still says,

 ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.```

LibraryMark

@Tom-Elliott - thanks for the explanation of how it works.

Did something happen that drove all this effort to secure things? Was someone hacked?

LibraryMark

@Tom-Elliott
Is the token file only generated on imaging? Where does it come from - what puts ‘C:\Program Files\FOG\token.dat’ in place?

Wayne Workman

@LibraryMark said in New Fog client and security:

Did something happen that drove all this effort to secure things? Was someone hacked?

It happened because it was needed. Nobody is known to have been hacked - maliciously. The developers are often the ones to find holes, and then they patch them.

Is the token file only generated on imaging? Where does it come from - what puts ‘C:\Program Files\FOG\token.dat’ in place?

The encryption & security model for the new client only concerns the new client’s communications with the server, not imaging itself. You can image without any client installed on the image, you would just have a lot of manual work afterwards to do.

LibraryMark

@Wayne-Workman

Thanks, Wayne.

No one is able to answer why the token.dat file is not there? What puts it there? I have seen other topics on this issue, but have not seen any solution (that I understand, anyway). I know I must be doing something wrong but I have no idea what.

I know I do not need the client to image, and all I do use the client for is hostname changing and rebooting if there is a task waiting (and I don’t really need that). Those two things could be accomplished easy enough in other ways, I suppose. I already have an autoit script that runs on the last auto-login to do some tasks before the user sees the PC. It could easily change change the host name, too. Knowing what to change it to is the only (slightly) hard part. Could be as simple as parsing a text file for a mac-hostname pair, and I could host that on the fog server. Could make a php script for it that hands out the hostname given a mac address from the fog database.

LibraryMark

@Joe-Schmitt said in New Fog client and security:

I know why the token file doesn’t exist. Its because the server and client haven’t been able to handshake yet. This is why I need the whole fog.log after you hit reset encryption.

Nothing changes in the log file after I hit the reset encyption button that I can see. I did notice that the little indicator in the host list was red while the rest were green, fwiw. Here is the log file - I cleared it, rebooted the machine, hit the button, and waited 5 minutes.

 8/13/2016 11:54 AM Main Overriding exception handling
 8/13/2016 11:54 AM Main Bootstrapping Zazzles
 8/13/2016 11:54 AM Controller Initialize
 8/13/2016 11:54 AM Zazzles Creating main thread
 8/13/2016 11:54 AM Zazzles Service construction complete
 8/13/2016 11:54 AM Controller Start

 8/13/2016 11:54 AM Service Starting service
 8/13/2016 11:54 AM Bus ERROR: Could not enter socket
 8/13/2016 11:54 AM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry.
 8/13/2016 11:54 AM Bus {
  "self": true,
  "channel": "Status",
  "data": "{\r\n  \"action\": \"load\"\r\n}"
}
 8/13/2016 11:54 AM Bus ERROR: Could not enter socket
 8/13/2016 11:54 AM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry.
 8/13/2016 11:54 AM Bus Emmiting message on channel: Status
 8/13/2016 11:54 AM Service Invoking early JIT compilation on needed binaries

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Version: 0.11.5
 8/13/2016 11:54 AM Client-Info OS:      Windows
 8/13/2016 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass
 8/13/2016 11:54 AM Middleware::Communication Download: http://fog-server/fog/management/other/ssl/srvpublic.crt
 8/13/2016 11:54 AM Data::RSA FOG Server CA cert found
 8/13/2016 11:54 AM Middleware::Authentication Cert OK
 8/13/2016 11:54 AM Middleware::Communication POST URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM Middleware::Authentication Authenticated


 8/13/2016 11:54 AM Bus Registering ParseBus in channel Power
 8/13/2016 11:54 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?clientver&newService&json
 8/13/2016 11:54 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?newService&json

 8/13/2016 11:54 AM Service Creating user agent cache
 8/13/2016 11:54 AM Middleware::Response Module is disabled globally on the FOG server
 8/13/2016 11:54 AM Middleware::Response No Printers
 8/13/2016 11:54 AM Middleware::Response Module is disabled globally on the FOG server
 8/13/2016 11:54 AM Service Initializing modules

------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------


------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response No snapins
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response No Printers
 8/13/2016 11:54 AM PrinterManager Getting installed printers
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM PowerManagement Calculating tasks to unschedule
 8/13/2016 11:54 AM PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:54 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:54 AM Client-Info Client OS:      Windows
 8/13/2016 11:54 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM Middleware::Communication URL: http://fog-server/fog/service/usertracking.report.php?action=login&user=public-image\admin&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
------------------------------------------------------------------------------

 8/13/2016 11:54 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 8/13/2016 11:54 AM Middleware::Response Success
 8/13/2016 11:54 AM Service Sleeping for 104 seconds
 8/13/2016 11:56 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
 8/13/2016 11:56 AM Middleware::Authentication Waiting for authentication timeout to pass
 8/13/2016 11:56 AM Middleware::Communication Download: http://fog-server/fog/management/other/ssl/srvpublic.crt
 8/13/2016 11:56 AM Data::RSA FOG Server CA cert found
 8/13/2016 11:56 AM Middleware::Authentication Cert OK
 8/13/2016 11:56 AM Middleware::Communication POST URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/13/2016 11:56 AM Middleware::Response Success
 8/13/2016 11:56 AM Middleware::Authentication Authenticated
 8/13/2016 11:56 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
 8/13/2016 11:56 AM Middleware::Response Success
 8/13/2016 11:56 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?clientver&newService&json
 8/13/2016 11:56 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?newService&json

 8/13/2016 11:56 AM Service Creating user agent cache
 8/13/2016 11:56 AM Middleware::Response Module is disabled globally on the FOG server
 8/13/2016 11:56 AM Middleware::Response No Printers
 8/13/2016 11:56 AM Middleware::Response Module is disabled globally on the FOG server

------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response Success
 8/13/2016 11:56 AM HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------


------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response No snapins
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response No Printers
 8/13/2016 11:56 AM PrinterManager Getting installed printers
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response Success
 8/13/2016 11:56 AM PowerManagement Calculating tasks to unschedule
 8/13/2016 11:56 AM PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:56 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:56 AM Client-Info Client OS:      Windows
 8/13/2016 11:56 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:56 AM Middleware::Response Success
------------------------------------------------------------------------------

 8/13/2016 11:56 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 8/13/2016 11:56 AM Middleware::Response Success
 8/13/2016 11:56 AM Service Sleeping for 76 seconds
 8/13/2016 11:57 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
 8/13/2016 11:57 AM Middleware::Response Success
 8/13/2016 11:57 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?clientver&newService&json
 8/13/2016 11:57 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?newService&json

 8/13/2016 11:57 AM Service Creating user agent cache
 8/13/2016 11:57 AM Middleware::Response Module is disabled globally on the FOG server
 8/13/2016 11:57 AM Middleware::Response No Printers
 8/13/2016 11:57 AM Middleware::Response Module is disabled globally on the FOG server

------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response Success
 8/13/2016 11:57 AM HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------


------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response No snapins
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response No Printers
 8/13/2016 11:57 AM PrinterManager Getting installed printers
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response Success
 8/13/2016 11:57 AM PowerManagement Calculating tasks to unschedule
 8/13/2016 11:57 AM PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:57 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:57 AM Client-Info Client OS:      Windows
 8/13/2016 11:57 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:57 AM Middleware::Response Success
------------------------------------------------------------------------------

 8/13/2016 11:57 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 8/13/2016 11:57 AM Middleware::Response Success
 8/13/2016 11:57 AM Service Sleeping for 85 seconds
 8/13/2016 11:59 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:AF:66:63||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService&json
 8/13/2016 11:59 AM Middleware::Response Success
 8/13/2016 11:59 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?clientver&newService&json
 8/13/2016 11:59 AM Middleware::Communication URL: http://fog-server/fog/service/getversion.php?newService&json

 8/13/2016 11:59 AM Service Creating user agent cache
 8/13/2016 11:59 AM Middleware::Response Module is disabled globally on the FOG server
 8/13/2016 11:59 AM Middleware::Response No Printers
 8/13/2016 11:59 AM Middleware::Response Module is disabled globally on the FOG server

------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response Success
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response Success
 8/13/2016 11:59 AM HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------


------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response No snapins
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response No Printers
 8/13/2016 11:59 AM PrinterManager Getting installed printers
------------------------------------------------------------------------------


------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response Success
 8/13/2016 11:59 AM PowerManagement Calculating tasks to unschedule
 8/13/2016 11:59 AM PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------


------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 8/13/2016 11:59 AM Client-Info Client Version: 0.11.5
 8/13/2016 11:59 AM Client-Info Client OS:      Windows
 8/13/2016 11:59 AM Client-Info Server Version: 1.3.0-RC-8
 8/13/2016 11:59 AM Middleware::Response Success
------------------------------------------------------------------------------

 8/13/2016 11:59 AM Middleware::Communication URL: http://fog-server/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 8/13/2016 11:59 AM Middleware::Response Success
 8/13/2016 11:59 AM Service Sleeping for 70 seconds

Wayne Workman

@LibraryMark It appears to be working fine now.

LibraryMark

@Wayne-Workman said in New Fog client and security:

@LibraryMark It appears to be working fine now.

Maybe It behaves differently than the old client? In the past, if I change the hostname to something incorrect, it will correct it in short order. That does not seem to happen now.

The VM is up and running, the mac address is correct in FOG, and yet I get a “no such device or address” next to the host in the “all hosts” list. All the other hosts are green and say “success”.

LibraryMark

A-ha! I just now manually rebooted, the host name did indeed change. There is now a token.dat file. That part of it works. How about that. So the only thing “busted” right now is having it force the change.

I have FOG_ENFORCE_HOST_CHANGES checked. Is there somewhere else this needs to be changed? Looks like I need FOG_TASK_FORCE_REBOOT too? I will try that.

Joe Schmitt

@LibraryMark It is the Make changes even when users are logged on? setting. It is per-host / group. You can find it by selecting your host/group, and going to Active Directory.

LibraryMark

@Joe-Schmitt

@Joe-Schmitt said in New Fog client and security:

@LibraryMark It is the Make changes even when users are logged on? setting. It is per-host / group. You can find it by selecting your host/group, and going to Active Directory.

BINGO! That was it. It did it all by itself. Wow - what an ordeal. This is going to take some getting used to.

Thanks to all who contributed to this. Now - can anyone tell me what I did wrong in the first place?

Joe Schmitt

Since I don’t know everything about your setup I can only speculate. My guess is that at some point you may have tried reinstalling the client on the problematic host. It would cause an issue because:

1. the original installation successfully authenticated and set the token.
2. on uninstalling / reinstallation the token is deleted from the computer, but the server still has it.
3. on installation the client no longer has the old token, but the server is expecting it. Thus causing authentication issues.

LibraryMark

@Joe-Schmitt - Ok, sounds about like what I did. At least now I have some things to try if it happens again.

Thanks!

Joe Schmitt

As much as the security model may seem like its an overkill, believe me when I say it is needed. We also built it in a fashion that you, as an end user, should almost never have to interact with it or manually intervene (e.g. resetting encryption data). The only time you need to step in is if you move your server to another machine or reinstall the client on the computer.