Symptoms
While using the Remote reports (for example, running the Real Time > Remote > Processes report), you receive the following error message:
"Access denied: You do not have permission to access this resource"
-And-
If you run the Real Time > Remote > Summary report, you receive the following error message:
"Error occurred connecting to <device name>
Error: -2147217843
Access denied: You do not have permission to access this resource"
Cause
The remote connection is being rejected by design and is caused by a default setting on the remote EdgeSight Agent you are trying to connect to.
The RemoteSecurity setting defines who can and cannot use the real-time reports to connect to the Agent.
The default setting is one (1), which ONLY allows a local administrator of the device to connect. However, most EdgeSight users are not a local administrator on all of the devices they are trying to connect to.
The RemoteSecurity setting is configurable and can be set at the Agent installation time or adjusted post-installation by editing the EdgeSight Agent registry settings.
Resolution
WARNING! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Citrix recommends leaving the RemoteSecurity registry key set to 1 and defining a RemoteSecurityGroup. This allows the most flexible and secure configuration allowing a specific group of users access to the EdgeSight remote functions. These two Agent settings are found in the following registry keys:
HKEY_LOCAL_MACHINE\Software\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurity
HKEY_LOCAL_MACHINE\Software\Citrix\System Monitoring\Agent\Core\4.00\RemoteSecurityGroup
These settings can be changed manually on the Agent device to override the install time settings. Any changes to these settings take effect immediately after you change them and no process restart is required. If you have multiple systems that require this change, you may want to distribute an automated job or policy to change it on all your devices.
Below are the possible combinations for using these settings:
• RemoteSecurity=1, RemoteSecurityGroup=<blank or not set>
This is the most secure and restrictive setting and allows only a local administrator to the device access to use the real-time remote functions. In order to “remote” into a device, the EdgeSight console user must be a local administrator on the actual device.
• RemoteSecurity=1, RemoteSecurityGroup=<set to an Active Directory group>
To enable this setting, an actual Active Directory group must exist or be set up. The second step is to add any and all EdgeSight users to this group who need or want access to the real-time remote functions. The users of this function can be carefully managed using this approach.
• RemoteSecurity=0, RemoteSecurityGroup=<any value>
This is the least secure setting. This gives all EdgeSight console users the ability to use the real-time remote functions. This setting is generally not recommended.
More Information
The following screen shot shows the most secure setting with the value data of the RemoteSecurity key set to 1. This setting is the default and most likely results in an “Access Denied” error message for your EdgeSight users when trying to use the Real Time Remote reports.
The following screen shot shows the least secure setting with the value data of the RemoteSecurity key set to 0. This allows any EdgeSight user the ability to use the remote functions to connect to the Agent.
See Chapter 3 in the EdgeSight Installation Guide for more complete details regarding the use of all the remote security settings (RemoteSecurity, RemoteSecurityGroup) as well as how to set them correctly at installation time through the msiexec command.
