Former Member

Afaria installation questions

Dear Administrators,

We have had a few problems with our test SAP Afaria environment and we decided to reinstall it all over again. However, I would like to avoid the issue we have had before. The issue was that the installation was made locally, not in a Windows AD domain; however, we enrolled test users (Android) who were domain users. They were able to enroll OK; however, we wanted to test how it would behave in a stronger security policy environment, and we changed their passwords. The result was a disaster – Afaria wouldn’t let them log in again unless they unenrolled and enrolled again. We did try to configure it to see the AD users; however, something went wrong and we decided to wipe it all.

Could you please tell me when exactly is the moment, or the place, where Afaria is configured to see domain users and changes in their passwords?

Also, to avoid future problems, I have a few questions:

What exactly are the pros and cons of a domain Afaria installation? What will it change in the Afaria environment?

Also, in the installation guide there’s a little difference in the requirements of a domain user:

http://help.sap.com/Download/Multimedia/zip-afaria7sp4/Afaria_InstallationGuide.pdf

On page 23 it says that the domain user (let’s call it the ABC user) should have the right to log on as a service / interactive logon -> I presume that with this user I will install Afaria, but will it also be the default Afaria administrator? Should it also be a database owner?

On page 42 I see that suddenly another user is needed with additional rights (does it have to be the ABC user too, or can it be another (let’s call it GHZ) user?).

On page 43 new required DA rights appear (in confrontation with the ones mentioned on 23). I presume that the user really does need them. Does it have to be the ABC user or GHZ? (If GHZ, does he also have to be able to log on as a service?) Does that user need to keep those privileges forever, or does he need them only during installation?

That would leave us with two users: one for connecting with DA and a second to install and run all services (will it also be the Afaria admin user, or will there be yet another?). One on the Windows domain (local user) and a second one created in AD. Am I right?

What is your experience with this? Do you use two users, or one for everything?

What would work better for our test environment – MS SQL Server or SQL Anywhere?

And the last question – let’s say that I build a test environment on SP4 and later decide to upgrade it to SP6. However, with time a dev will come to me and request that I install a relay server or anything additional. Will I be able to? Or would I have to install everything from the beginning?

Thank you very much in advance.


3 Answers

  • Best Answer
    Posted on Dec 07, 2015 at 11:57 AM

    Dear Marek,

    First of all, it is not required to install Afaria in a domain. There is no AD user necessary to install Afaria or to run the Afaria services. So I assume that the password change issue you saw in the past is not caused by the fact that you installed Afaria locally and not in an AD.

    There are only local access rights necessary (local Administrator access) for the user installing Afaria and running the Afaria services.

    The AD access rights you are referring to on page 42 are required for the user connecting to the AD in the security settings in Afaria Admin. Please keep in mind that you can connect to several ADs in different tenants in Afaria to connect with different users to the ADs. This has nothing to do with the user running the Afaria services.

    The key to avoiding any issues with the connection to an AD is the Afaria Security settings configured for the specific tenant. I assume that you changed these security settings in some way to cause the issue you saw with the password change.

    Additionally, I strongly recommend testing with a newer Afaria version than SP4. The current Afaria 7 version is SP8. It is not supported to upgrade directly from SP4 to SP8. Only direct upgrades from SP6 or SP7 to SP8 are supported.

    Best regards

    Volker Saier

    SAP Product Support


  • Posted on Dec 07, 2015 at 02:48 PM

    The Service Account specified during the installation does not need to be a domain user. However, if you wish to grant access to the Administrator to Domain users, then during the Administrator setup you must specify Active Directory or LDAP authentication, which requires a domain user account to set up. The Default Administrator is specified on a separate page in the setup, and may or may not be the Service Account or the Domain account previously specified. You can grant access to the Administrator for specific domain users or groups using the Roles function under the Server tab.

    Adding a new component like Relay Server or Package Server does not require you to install earlier versions. It is only for upgrades that you must follow a specific upgrade path in order to preserve existing information.

    Domains in the Security tab (pages 42 and 43 of the installation guide) are used to verify the credentials of devices connecting to Afaria, and for creating AD or LDAP User Groups. If you do not wish to use either of these features, you should uncheck "Use Authentication" during Enrollment Server (iPhoneServer) and Package Server setup, and uncheck "Enable Authentication" from the Security page. Note that in later versions, this is configured entirely on the Security page.

    The user specified on the Security page (assuming AD or LDAP authentication) may or may not be the same as the Service Account specified during installation. This user needs directory lookup rights.

    As to the choice of database, both are excellent, so it is a matter of personal preference. The syntax and tools are different, so you should choose the one you are more familiar with. On the other hand, SQL Anywhere is probably quicker and easier to set up, and more portable.

    I hope this helps,

    Mike Loop - SAP Product Support


  • Former Member
    Posted on Dec 10, 2015 at 02:14 PM

    Dear administrators, thank you very much for your help!

    I’ve been able to install the Afaria environment (SQL Anywhere 12 + Afaria serv/package/SSP).

    However, I have a serious problem (I’ve seen that I’m not the only one who has had it before).

    The first problem is the autorestart service for SQL Anywhere proposed in the SAP guides. I have tried for several hours to configure it properly and I failed; for some reason the service does start, however it doesn’t bring up the database (http://help.sap.com/Download/Multimedia/zip-afaria7sp4/Afaria_InstallationGuide.pdf page 27). Have you also had this problem?

    Manually starting the database is a pain but it is not as bad as my next problem –

    For whatever reason the enrollment for Android fails, even if I use the very same settings as before (I had 7.0, now I’ve installed Afaria 7.0 SP4); the client says “enrollment failed”. I’ve tried everything, looked for notes, forums. I saw that many people had this problem, but none of their solutions were helpful for me. I have tried every combination: trying to set FQDNs everywhere – fail. IPs everywhere in config – fail. With ports, without ports – every time the same error (we are trying the SSP scenario).

    If it may help you, this time I use the Google shortening API instead of TinyURL; however, when I test this on the Afaria admin page the test result is successful.

    Maybe you have a solution to my problem?

    And again, thank you very much for your previous wide and deep explanation.


    • Marek

      You can view the full URL of your Enrollment Codes by viewing the Enrollment Policy, highlighting the Code, and clicking Inspect. You can also retrieve the full URL by following the instructions in KBA 1889508.

      Your enrollment codes point to a local domain, not accessible from the internet. Are you testing your devices while connected to a corporate Wifi?

      You are correct, most of the WIKI assumes an installed client, so you can ignore most of the details. However, you can still use the initial instructions on using the ADB to collect general device logs, including the attempts to reach the Google shortening service, parse the enrollment code, and reach the Afaria server.

      Regards,

      Mike Loop - SAP Active Global Support
