8 Replies Latest reply on Mar 29, 2016 7:14 AM by hausi

    eeadmin.administratorRecovery - Syntax of userDN

    hausi

      Hi all

       

      We use MDE (7.1.3.547) and I've planned to get a solution for our ServiceDesk.

      I don't want to give them access to the ePO (5.3.1), because we have our own ServiceDesk application with several plugins. So they can, e.g., change a user's password without elevated privileges...

       

      Since we plan the rollout for MDE with SSO on our notebooks, I have to solve two scenarios for our ServiceDesk:

       

      1. A user is not known in the PBA -> Therefore "https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=1" works fine.

      2. A user forgot his password -> So, the ServiceDesk has to reset the PBA password and the Windows password as well. (Or is there an easier way? Afaik recoveryType=1 will not work, because the usernames don't match and the password will not sync.)

       

      For the 2nd scenario I have trouble getting the correct syntax. I've tried https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDN=?????????

      Even the Scripting Guide for McAfee Drive Encryption 7.1 doesn't really help me:

       

      Table 2-6 resetUserToken recovery type

      Command:      eeadmin.administratorRecovery
      Syntax:       eeadmin.administratorRecovery challengeCode=<> recoveryType=<> userDn=<>
      Description:  Specify recoveryType='2' and pass the Distinguished Name (DN) of the user, to perform the Reset User Token Recovery.

       

      I've tried almost all possible names for userDn (user principal name (which is our username for PBA and Windows logon), pre-Windows 2000 username with/without domain, canonical name, distinguished name, DN with quotes and even with URL-encoded characters for " " %20, "@" %40, etc.) ... and I always get:

       

      Error 0 :

      Error setting parameters for command: eeadmin.administratorRecovery


      What is the correct syntax for userDn?

      And is recoveryType=2 the right way for the scenario "user forgot his password"?

      Is it possible to get the computer name (after sending the challengeCode) and a list of the defined usernames on this computer with ePO.API.Explorer?


      Thanks in advance


      Hausi

        • 1. Re: eeadmin.administratorRecovery - Syntax of userDN
          shahar.rand

          The way to enter the DN is this:

           

          https://<ePO>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDn=<Distinguished name>

           

          for example:

          https://ePOserver.eu.company.com:8443/remote/eeadmin.administratorRecovery?challengeCode=AAAABBBBCCCCDDDDEEEEFF&recoveryType=2&userDn=CN=LastName\, FirstName,OU=euro,DC=company,DC=com

           

          Let me know if this works out for you.

           

          Not sure about your last question (about getting the computer name and assigned users), will let you know.

           

          Shahar.

          • 2. Re: eeadmin.administratorRecovery - Syntax of userDN
            hausi

            Hi Shahar

             

            Thanks for your prompt answer.

             

            If I look in "Encryption Users", my DN looks like:

                 CN=<LastName> <FirstName> (<Visum>),OU=<Department>,OU=<Platform>,OU=Users,OU=<Company> Production,DC=<Domain>,DC=<DomainCountry>

             

            If I replace all the " " with "\" like this:

                 https://<ePO>.<Domain>.<DomainCountry>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=2&userDN=CN=<LastName>\<FirstName>\(<Visum>),OU=<Department>,OU=<Platform>,OU=Users,OU=<Company>\Production,DC=<Domain>,DC=<DomainCountry>

             

            I still get:

                 Error 0 :

                 Error setting parameters for command: eeadmin.administratorRecovery

             

            If I try RecoveryType=1 without userDN, like this:

                 https://<ePO>.<Domain>.<DomainCountry>:8443/remote/eeadmin.administratorRecovery?challengeCode=<Code>&recoveryType=1

             

            I get:

                 Succeeded:<Response>

             

            So, I guess, the challenge is correct and recognized by ePO -> I also guess the problem is the "userDN"...

             

            Hausi

            • 3. Re: eeadmin.administratorRecovery - Syntax of userDN
              shahar.rand

              Not sure if that is the reason but there are some typing mistakes in what you pasted above:

              • There is a space in "challengeCode"
              • userDn needs to be typed with a lowercase "n"

               

              What I suggest is that you simply copy paste the distinguished name, there is no need to add any other signs or to escape characters.

              • 4. Re: eeadmin.administratorRecovery - Syntax of userDN
                hausi

                Hi Shahar

                 

                You are great!

                 

                You are right: I didn't see the lowercase "n", thanks! (I've spent hours...)

                (The blank " " was a copy/paste from your 1st post.)

                 

                I've passed the DN as it is written in "encryption users" with all the spaces and other characters...

                 

                The Output is now:

                     Succeeded:<Response>


                Looks a little better ;-)


                The mistake was the lowercase "n" - And because of the failed result, I've tried to play around with the DN...


                btw.

                - Is there a best practice for "user forgot password"? -> recoveryType=2 and reset the Windows password (because with SSO he forgot both)? Or is there an easier way?

                - Is there a way to display the system name from the challengeCode and the list of assigned encryption users on this system? I've found nothing about this.

                • 5. Re: eeadmin.administratorRecovery - Syntax of userDN
                  shahar.rand

                  Happy to see this worked out.

                  - We don't use SSO, so I can't really help you with this. But I guess that there is no way around it. Maybe do a machine recovery, change the user's Windows password from Windows and then sync the new password to MDE.

                  - I haven't been able to do that. I guess you are limited to what the APIs give you. You could try and submit that as a PER.

                  • 6. Re: eeadmin.administratorRecovery - Syntax of userDN
                    hausi

                    With "machine recovery" the Windows and PBA user will not match and the password will not sync...

                    I'll try to play with "core.executeQuery" - perhaps there is a possibility...

                     

                    OR perhaps another member of the community has an idea?

                    • 7. Re: Re: eeadmin.administratorRecovery - Syntax of userDN
                      hausi

                      I'm trying to get the PBA-Users of a specific PC. What I did so far:

                       

                      https://:8443/remote/core.executeQuery?target=EPOCounterMeasures_View&select=(select EPOCounterMeasures_View.LeafNodeID)&where=(where(eq EPOCounterMeasures_View.ComputerName "<ComputerName>"))

                      -> This returns:

                          OK:

                          ComputerID: 28150

                       

                      I also was able to get a list of usernames with EPOLeafNodeID...

                      https://:8443/remote/core.executeQuery?target=EPESystemUsers&select=(select EPESystemUsers.UserID EPESystemUsers.DisplayName EPESystemUsers.EPOLeafNodeID)

                      -> This returns:

                          OK:

                          EPEADMIN.squid.epeSystemUsers.da.userID: 1

                          User Name (DE): <first>.<last>@<MailDomain>

                          EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 27996

                       

                       

                          EPEADMIN.squid.epeSystemUsers.da.userID: 1

                          User Name (DE): <first>.<last>@<MailDomain>

                          EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150

                       

                       

                          EPEADMIN.squid.epeSystemUsers.da.userID: 1

                          User Name (DE): <first>.<last>@<MailDomain>

                          EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 33331

                       

                      Now I'm trying to show only the usernames for a specific EPOLeafNodeID, which I got with the 1st command - but this doesn't really work - not yet...

                      ...perhaps someone has already solved this challenge?

                      • 8. Re: eeadmin.administratorRecovery - Syntax of userDN
                        hausi

                        I've got the list of SystemUsers per Computer:

                         

                        https://[ePO]:8443/remote/core.executeQuery?target=EPESystemUsers&select=(select EPESystemUsers.DisplayName)&where=(where(eq EPOLeafNode.NodeName "[ComputerName]"))
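Editor's added example (not code from hausi, Shahar or the McAfee Scripting Guide), placed after the thread because it covers both the eeadmin.administratorRecovery calls from the first posts and the core.executeQuery calls from replies #7 and #8. The Python below builds the URLs with the parameter names spelled exactly as the API wants them (userDn with a lowercase n; the "Error setting parameters for command" reply in this thread came from userDN), lets urllib encode the Distinguished Name instead of hand-replacing spaces or commas, and parses the verbose text replies shown above ("OK:" records, "Succeeded:", "Error 0 :") so a ServiceDesk script can group encryption users by EPOLeafNodeID. Assumed, not from the thread: the host epo.example.com, that the remote API authenticates the ePO user with HTTP Basic auth, the constructed SAMPLE_REPLY text, and the conservative character check on the computer name (the query grammar is not documented here).

```python
"""ePO remote API helper for the two commands in this thread (added example)."""
import base64
import urllib.parse
import urllib.request


class EpoError(RuntimeError):
    """An 'Error N :' reply from the remote API."""


def remote_url(base, command, params):
    """Build https://<ePO>:8443/remote/<command>?<params>. quote_via=quote encodes
    spaces as %20 plus '\\', ',' and '=', so 'CN=Last\\, First,OU=x' arrives intact."""
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{base.rstrip('/')}/remote/{command}?{query}"


def recovery_url(base, challenge_code, recovery_type, user_dn=None):
    """eeadmin.administratorRecovery. Type 1 takes no DN; type 2 (reset user
    token) needs userDn, and the name is case sensitive (userDN fails)."""
    params = {"challengeCode": challenge_code, "recoveryType": str(recovery_type)}
    if int(recovery_type) == 2:
        if not user_dn:
            raise ValueError("recoveryType=2 requires the user's DN")
        params["userDn"] = user_dn  # lowercase n; DN as shown in Encryption Users
    return remote_url(base, "eeadmin.administratorRecovery", params)


def system_users_url(base, computer_name):
    """core.executeQuery from reply #8: encryption users assigned to one system."""
    # The name lands inside a quoted string of the query; refuse characters that
    # could close it (conservative assumption, the query grammar is not shown here).
    if any(c in computer_name for c in '"\\()'):
        raise ValueError("computer name contains query delimiters")
    params = {
        "target": "EPESystemUsers",
        "select": "(select EPESystemUsers.DisplayName)",
        "where": f'(where(eq EPOLeafNode.NodeName "{computer_name}"))',
    }
    return remote_url(base, "core.executeQuery", params)


def parse_response(text):
    """Parse the verbose text replies shown in the thread: 'OK:' plus blank-line
    separated 'key: value' records -> list of dicts; 'Succeeded:<x>' -> x;
    'Error N :' -> EpoError."""
    text = text.strip()
    if text.startswith("Error"):
        raise EpoError(text)
    if text.startswith("Succeeded:"):
        return text[len("Succeeded:"):].strip()
    if not text.startswith("OK:"):
        raise EpoError("unexpected reply: " + text[:80])
    records, current = [], {}
    for line in text[len("OK:"):].splitlines():
        line = line.strip()
        if not line:  # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def users_by_leaf_node(records):
    """Group EPESystemUsers rows (shape of reply #7) by EPOLeafNodeID."""
    grouped = {}
    for rec in records:
        node = rec.get("EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID")
        name = rec.get("User Name (DE)")
        if node and name:
            grouped.setdefault(int(node), []).append(name)
    return grouped


def call(url, user, password, timeout=30):
    """HTTPS GET with HTTP Basic auth for the ePO user (assumption about your
    setup). Use a dedicated ePO account with only the rights these commands need."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8", "replace"))


# Constructed sample reply in the shape of reply #7 (not real data).
SAMPLE_REPLY = """OK:
EPEADMIN.squid.epeSystemUsers.da.userID: 1
User Name (DE): first.last@example.com
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 27996

EPEADMIN.squid.epeSystemUsers.da.userID: 1
User Name (DE): first.last@example.com
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150

EPEADMIN.squid.epeSystemUsers.da.userID: 2
User Name (DE): other.user@example.com
EPEADMIN.squid.epeSystemUsers.da.EPOLeafNodeID: 28150
"""
```

A ServiceDesk flow would be call(recovery_url(base, code, 2, dn), user, pw) once the caller has read out the challenge code, and call(system_users_url(base, name), user, pw) to list the users assigned to that system; users_by_leaf_node expects the three-column select from reply #7, while the single-system query from reply #8 returns only the display names, which parse_response hands back as one record per user. Because the script resets user tokens on behalf of whichever ePO account it logs in with, give it its own ePO user with just the permissions those two commands need, and keep challenge and response codes out of shared logs; that is the same least-privilege concern hausi raises about not handing the ServiceDesk an ePO login.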