Configure WMI Permissions and Security
To monitor Windows-based machine hardware with AppDynamics Database Visibility, AppDynamics uses Windows Management Instrumentation (WMI) to remotely gather the metrics. WMI is often complicated to troubleshoot when the Database Agent is running on a Linux or Unix-like machine.
This page describes requirements for the target machine configuration that can help you avoid some problems and pitfalls. It also provides some additional considerations regarding using WMI to monitor a SQL Server database agent and preventing unauthorized remote access to WMI.
Named Windows Account:
The user specified in the collector configuration that the AppDynamics Database Agent uses to connect to the target machine is referred to as <named Windows account>. The following are required when the Database Agent is hosted on AIX, Linux or Solaris platforms to monitor Windows >= 7 systems.
- Ensure that the named Windows account is a member of the local Administrators group.
- Ensure User Account Meets Minimum Security Requirements When Using WMI
- Enable Remote Registry Access
- Grant access to WBEM scripting locator
The following are required when the Database Agent is hosted on AIX, Linux, or Solaris platforms to monitor Windows >= 2012 systems.
The following is required when the Database Agent is hosted on Windows.
- Ensure that the named Windows account is a member of the local Administrators group.
Requirements to Monitor Windows >= 7 Systems (Agent Running on Unix-like Platform)
The following are required when the Database Agent is hosted on AIX, Linux, or Solaris platforms to monitor Windows >= 7 systems.
Ensure User Account Meets Minimum Security Requirements When Using WMI
Enable Security Options for Windows Systems That Are Part of a Domain
Ensure the named Windows account has the correct permissions for WMI Control.
- Run the wmimgmt.msc program.
- Right-click the WMI Control icon on the left and click Properties.
- Click Security.
- Click the root node of the tree, and click Security.
Ensure that the named user account running the Database Agent has the relevant permissions.
The minimum permissions that your remote Windows account needs for the Database Agent are:
- Execute Methods
- Enable Account
- Remote Enable
If the named Windows account does not have all of these permissions, you may receive an access denied error or the following errors:
Error=800706BA The RPC server is unavailable. SWbemLocator
or
Error=80070005 Access is denied SWbemLocator
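The three permissions above can also be read back from the root namespace's security descriptor instead of the WMI Control dialog. The following is an added example, not AppDynamics code; it assumes an elevated Windows PowerShell 5.1 session on the target machine, and `TARGETHOST\svc-dbagent` is a hypothetical account name.

```powershell
# Added example: audit WMI Control security on the root namespace.
# Access-mask bits are the documented WBEM namespace rights.
$Rights = [ordered]@{
    'Enable Account'  = 0x1    # WBEM_ENABLE
    'Execute Methods' = 0x2    # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x20   # WBEM_REMOTE_ACCESS
}

function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root')
    # __SystemSecurity is the singleton holding the namespace security descriptor.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $row = [ordered]@{
            Trustee = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Type    = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        }
        foreach ($name in $Rights.Keys) {
            $row[$name] = [bool]($ace.AccessMask -band $Rights[$name])
        }
        [pscustomobject]$row
    }
}

# Every trustee that is allowed to reach this namespace remotely.
Get-WmiNamespaceAce |
    Where-Object { $_.Type -eq 'Allow' -and $_.'Remote Enable' } |
    Format-Table -AutoSize

# Hypothetical account name; replace with the named Windows account.
$account = 'TARGETHOST\svc-dbagent'
$aces = Get-WmiNamespaceAce | Where-Object { $_.Trustee -eq $account -and $_.Type -eq 'Allow' }
foreach ($name in $Rights.Keys) {
    $granted = [bool]($aces | Where-Object { $_.$name })
    '{0,-16} {1}' -f $name, $(if ($granted) { 'granted' } else { 'MISSING' })
}
```

The per-account check only matches entries that name the account directly; rights the account receives through a group such as the local Administrators group appear on that group's row in the first table.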
Enable Classic Security Options for Local (Non-Domain) Windows Systems
Applies to Windows computers that are not part of a domain.
- Open the Control panel, and go to Administrative Tools > Local Security Policy. The Local Security Settings panel appears.
- Go to Local Policies > Security Options.
- Change the value of Network access: Sharing and security model for local accounts to Classic.
Enable Remote Registry Access
The Remote Registry service must be running on the target machine. If the Remote Registry service is off, you will receive the following error:
Message not found for errorCode: 0xC0000034
or
Access is denied
By default Windows >= 7 systems will still deny remote access to the registry, even if the Remote Registry service is started.
To test this:
- Attempt to access the replica registry using Regedit on another machine.
- If you get an error similar to Access is denied, run PowerShell as an administrator on the replica, and execute Enable-PSRemoting.
- Restart the machine and try launching the replica again.
Grant Access to WBEM Scripting Locator
The Database Agent requires full access to the WBEM Scripting Locator. On the target system, allow full access to the WBEM Scripting Locator as follows:
- As an Administrator on the target machine, launch Regedit.
- Locate the registry key 76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID.
- Right-click the key and click Permissions.
- Click Advanced.
- Click Owner and change the owner to the Administrators group. Click Apply.
- Click Permissions and change the permissions for the Administrators group to Full Control. Click Apply.
- Close Regedit.
- Restart the Remote Registry Service, using Administrative Tools > Services.
Configure the Firewall
WMI uses RPC, which listens on port 135 but then allocates a dynamic port for subsequent communication. Configure your firewall to always allow the TCP port 135 exception and follow the dynamic RPC ports. If there is a problem with the firewall on port 135, you will probably see this error:
ERROR: Message not found for errorCode: 0xC0000001
See How to configure RPC dynamic port allocation to work with firewalls.
Additional Requirements to Monitor Windows >= 2012 Systems (Agent Running on Unix-like Platform)
In addition to the requirements described in Requirements to Monitor Windows >=7 Systems, the following are also required when the Database Agent is hosted on AIX, Linux, or Solaris platforms to monitor Windows >= 2012 systems.
Grant Full Control Permissions to Select Registry Keys
For the Database Agent running on AIX, Linux, or Solaris to monitor Windows >= 2012 (64-bit) systems, complete the following changes on the target system.
- As an Administrator on the target machine, launch Regedit.
- Change the permissions for both of these registry keys to Full Control:
72C24DD5-D70A-438B-8A42-98424B88AFB8 in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID
- Find this registry key: 72C24DD5-D70A-438B-8A42-98424B88AFB8 in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Right-click and click Permissions.
- Change the owner to the Administrators group.
- Change the permissions for the Administrators group to Full Control.
- Change owner back to TrustedInstaller. User is <NT Service\Trusted Installer> on the local machine.
- Repeat steps 4 to 6 above for this registry key: 76A64158-CB41-11D1-8B02-00600806D9B6 in HKEY_CLASSES_ROOT\CLSID.
- Close Regedit.
- Restart the Remote Registry service, using Administrative Tools > Services.
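After the procedure above, the result can be confirmed from an elevated PowerShell session on the target: each key should be owned by TrustedInstaller again and grant the Administrators group Full Control. This is an added example, not AppDynamics code; it assumes the CLSID subkeys are stored wrapped in braces, as Windows stores CLSID entries.

```powershell
# Added example: verify owner and Administrators access on the two CLSID keys.
# GUIDs and hives are taken from this page; the braces are the standard CLSID key form.
$keys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'
)
$full = [System.Security.AccessControl.RegistryRights]::FullControl

# Resolve the Administrators group from its well-known SID so the check
# also works on localized Windows installations.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$admins   = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not found: $key"
        continue
    }
    $acl = Get-Acl -LiteralPath $key
    # An allow entry for Administrators whose rights include every Full Control bit.
    $adminAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $admins -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    }
    [pscustomobject]@{
        Key               = ($key -split '\\')[-1]
        Owner             = $acl.Owner
        OwnerRestored     = $acl.Owner -eq 'NT SERVICE\TrustedInstaller'
        AdminsFullControl = [bool]$adminAce
    }
}
```

A row with OwnerRestored set to False means the ownership change was not reverted and the key is still owned by an account other than TrustedInstaller.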
General Considerations for all Platforms
This information applies to the Database Agent running on Windows systems.
Use Windows Authentication for Microsoft SQL Server
To use Windows Authentication for the Database Agent to connect to a Microsoft SQL Server database instance, you must start the Database Agent with a command similar to the following, specifying the path to the Database Agent authentication library.
Windows 64-bit
java -Djava.library.path="C:\dbagent404\auth\x64" -jar db-agent.jar
Windows 32-bit
java -Djava.library.path="C:\dbagent404\auth\x86" -jar db-agent.jar
