HP OpenView Storage Mirroring User Guide (360226-002, May 2004)
15 - 2
How Storage Mirroring Security Works
1. When any Storage Mirroring client machine attempts to access a source or target machine running on Windows, it will
attempt to automatically logon to the source or target using the three methods below.
! The security credentials of the user currently logged into the Storage Mirroring client machine are sent to the Storage
Mirroring source or target machine. From the security credentials, the source or target machine determines if the
user is a member of either of the Storage Mirroring security groups and if so, grants the appropriate level of access.
! The last valid set of credentials (credentials previously granting either Administrator or Monitor level access) used
to access each machine is recorded in the registry of the client machine. If the logon attempt using the credentials
of the user currently logged in fails, a set of credentials is retrieved from the registry and is sent to the Storage
Mirroring source or target. The Storage Mirroring source or target checks the validity of the credentials and
determines if the user is a member of one of the Storage Mirroring security groups and then grants the appropriate
level of access.
! Each valid set of credentials (credentials previously granting either Administrator or Monitor level access) used by
the Storage Mirroring client application is recorded in a memory-resident credentials buffer maintained by the
Storage Mirroring client application. If the logon attempts using the credentials of the user currently logged in or
those credentials stored in the registry fails, a set of credentials is retrieved from the Storage Mirroring client
application’s credentials buffer and is sent to the source or target. This process is repeated until a valid set of
credentials is found or the credentials buffer is exhausted.
2. The Storage Mirroring client tries each of these three methods until a set of credentials granting Administrator access is
found. If no credentials granting Administrator access are found, the Storage Mirroring client attempts to find a set of
credentials granting Monitor access. If no credentials grant Monitor access, the user must manually logon to the Storage
Mirroring source or target by providing a user name, password, and domain.
NOTE: You can disable the feature that maintains the security credentials in the registry. See Clearing
Maintained Security Credentials
on page 15-3 for details.
NOTE: The credentials buffer is cleared each time the Storage Mirroring client application is closed.
NOTE: If a user name exists both on the local machine and on the network, Windows first attempts to login to
the machine with the local user name and password and ignores the domain. If this fails, it then tries to
login with the network user name, password and domain.
Logon...
Username:
Password:
Domain:
Text Client
Command: logon machine
username password domain
Operating System Login
Windows registry
containing encrypted
credentials
Encrypted Credentials
Buffer
-
-
-
Any client machine
Source or target running on
Windows that contains the
security groups