000016293 - Inserting credentials into RSA DLP Datacenter Agent/Grid scan groups

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016293
Applies ToRSA Product Set: DLP
RSA Product/Service Type: Data Loss Prevention, DataCenter
RSA Version/Condition: 8.x, 9.x, and 9.6.x and up.
Platform: Windows
O/S Version: 2003 SP2, 2008, 2008 R2, 2012
IssueInserting credentials into Datacenter Agent scan groups

If the "Runas" user for the agent scan group does not have admin access to target systems, or if the target systems are not domain members or are on domains other than the Enterprise Coordinator / Site Coordinator system, additional Credential settings within Datacenter are required.
In order for a scan group to successfully scan remote servers, valid administrative credentials will need to be applied to the agent scan group in question.To apply one or more credential entries (Datacenter will try each credential listed if the first or subsequent credentials fail) follow steps given below:

  1. For DLP 9.x, make sure that the credential needed is added under the Admin->Users & Groups->Credentials page.

  1. Edit the configuration for the Agent scan group in question on the Admin->Datacenter page or sub page.
  1. On the edit Agent Group screen select the Optional Settings button

  1. Select the Credentials tab and select/insert one or more accounts you wish to use to scan the remote machines.
  2. There are two sections in the credentials page. The top section is for entering domain credentials for machines that are joined to a domain and the bottom section is for entering credentials for machines that are not part of a domain.
  1. In the top section use the domain credential in the format domain\account name, for example RSA\AdminUser. For 9.x, this credential has to be entered in Step 1.


  1. In the lower section, gain access to machines that are not in an Active Directory. Please provide credentials in NTLM format, e.g. Machine\AdminUser. For 9.x, this credential has to be entered in Step 1.

WorkaroundAnother method is to use the Pass-through authentication method.
This involves having two accounts with same name and password on the each domain.
To configure you create an user account with the same name and password as the same account used to scan on the same domain as the DLP system.
DLP domain is domain A
password is changeMe!
DLPScanUser (non trusted domain)
password is changeMe!

Legacy Article IDa40644