Storing uberAgent’s License in Azure Files
This article describes how to use an Azure storage account key to access a file share hosted on Azure Files. Storage account keys are administrative keys for a storage account that grant full read and write permissions for all files, folders, and file shares within the storage account. The permissions are also applied to other storage resources, such as blobs, queues, and tables, contained within the storage account.
Please review Microsoft’s documentation and make sure you understand the potential security concerns and whether this concept of storing uberAgent data in Azure Files meets your requirements.
If you want to store your uberAgent license file(s) in Azure Files, you need to meet the following prerequisites:
- TCP port 445 is not blocked (firewall/ISP)
- For mounting an SMB Azure file share on a Windows machine, SMB 3.1.1 is used. This means that Windows 10, version 1507, or Windows Server 2016 or above is needed. Microsoft provides a detailed list of supported OS versions.
- For mounting an SMB Azure file share on a macOS machine, SMB 3 is used. This means that macOS High Sierra 10.13 or above is needed. Further details on the requirements for macOS can be found here.
This KB article assumes that a file share within the Azure Storage account already exists. The uberAgent license file(s) can be stored in the file share directly.
To configure a central license directory, the LicenseFilePath option must be configured in the uberAgent configuration; the value of that option must contain the UNC path to the Azure Files directory.
By default, Azure Files SMB shares can be accessed with a storage key that must be provided when mounting the directory, e.g.:
net use <driveletter>: \\<storageaccount>.file.core.windows.net\<sharedfolder> /user:AZURE\<storageaccount> <storagekey>
When mapping the drive with the command shown above, it is mapped in the USER context. Therefore, uberAgent cannot interact with the file share because the agent runs in the SYSTEM context.
uberAgent accesses its central license file path via integrated authentication. The login data must be stored for the SYSTEM account by adding the credentials to the credential store. To store credentials as SYSTEM, one could use PsExec to open a command prompt as SYSTEM and run cmdkey in that prompt:
.\psexec.exe -s -i cmd.exe
cmdkey /add:"<storageaccount>.file.core.windows.net" /user:"localhost\<storageaccount>" /pass:"<storagekey>"
After adding the credentials to the credential store for the SYSTEM account, uberAgent should be able to access the license file(s) stored in Azure Files.
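The following PowerShell check is an added example, not part of the original article or of uberAgent. It verifies the prerequisites and the stored credential described above without putting the storage key on a command line. The function name Test-LicenseShareAccess and the placeholder account and share names are assumptions.

```powershell
# Added example: run from a SYSTEM prompt (e.g. the one opened with PsExec -s),
# because uberAgent reads the license path in the SYSTEM context.
function Test-LicenseShareAccess {
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,  # your storage account name
        [Parameter(Mandatory)] [string] $Share            # your file share name
    )

    $target   = "${StorageAccount}.file.core.windows.net"
    $unc      = "\\$target\$Share"
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Prerequisite from the article: TCP port 445 must not be blocked.
    $tcp = Test-NetConnection -ComputerName $target -Port 445 -WarningAction SilentlyContinue

    # cmdkey /list:<target> shows the entry stored for the current account.
    # Assumption: a stored entry is printed with "target=<host>" in its Target line.
    $listing = & cmdkey.exe "/list:$target" | Out-String
    $stored  = $listing -match ('target=' + [regex]::Escape($target))

    # Access the share through the stored credential only.
    $reachable = Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue

    # After a successful access, the negotiated SMB dialect can be read back.
    $conn = Get-SmbConnection -ServerName $target -ErrorAction SilentlyContinue |
        Select-Object -First 1

    [pscustomobject]@{
        Account          = $identity.Name
        RunningAsSystem  = $identity.IsSystem
        Port445Open      = $tcp.TcpTestSucceeded
        CredentialStored = $stored
        ShareReachable   = $reachable
        SmbDialect       = if ($conn) { $conn.Dialect } else { $null }
    }
}

# Usage (placeholder values, replace with your own):
# Test-LicenseShareAccess -StorageAccount '<storageaccount>' -Share '<sharedfolder>'
```

If RunningAsSystem is False, the check exercised the calling user's credential store, not the one uberAgent uses.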
It is possible to integrate a storage account into the local Active Directory and set permissions for your on-premises groups or users. Based on our research, however, it is not possible to set permissions for computer objects. Hence, this can’t be used for uberAgent’s license validation.