Discovery w/o NTLM (using Kerberos)

dmatasek-cdw
Tera Contributor

All,

I am working with a client to implement discovery in a world where they have disabled NTLM and are only using Kerberos. This (among other things) prevents a client from connecting to a Windows Server using known credentials and an IP address, which is Discovery's default way of connecting.

I am curious if anybody else has run into this situation and how you combatted it.

Thanks in advance.

3 REPLIES

Niklas Peterson
Mega Sage

Hi,

WinRM supports Kerberos. Using WinRM instead of WMI should enable you to run Discovery without NTLM.

https://docs.servicenow.com/bundle/vancouver-servicenow-platform/page/product/mid-server/task/enable...

 

Regards,
Niklas

dmatasek-cdw
Tera Contributor

Thanks for the reply. While I think it should work, I do not think it is a full solution. Part of the value of Discovery is to discover what you did not know you had. With WinRM, I have to know the hosts that we are going to discover.

Niklas Peterson
Mega Sage

Hi,

Well, you will still need to port scan to discover your devices. It's the same as if you would try to discover using WMI and lack credentials. The difference is only in what actions you need to take when you find a device you cannot access.

Network visibility and credentials are things you cannot leave out.

Regards,
Niklas
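
The following is an added example, not part of any post in this thread and not ServiceNow code: a PowerShell check an administrator could run from a domain-joined host to see which scanned addresses are ready for Kerberos-only WinRM. It assumes WinRM over HTTP on the default port 5985 and working reverse DNS; the function name `Test-KerberosWinRM` and the sample addresses are hypothetical.

```powershell
# Constructed sample input: addresses as a port scan would report them
# (192.0.2.0/24 is a documentation range; replace with real scan output).
$ScannedIps = @('192.0.2.10', '192.0.2.11')

function Test-KerberosWinRM {
    param([Parameter(Mandatory)][string[]]$IpAddress)

    foreach ($ip in $IpAddress) {
        $row = [ordered]@{ Ip = $ip; Fqdn = $null; WinRMPort = $false; Kerberos = $false; Note = '' }

        # Kerberos authenticates to a service principal name built from a host
        # name, so the scanned IP must first be mapped back to a name.
        try {
            $name = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            $name = $null
        }
        if (-not $name -or $name -eq $ip) {
            $row.Note = 'No reverse DNS name; add a PTR record'
            [pscustomobject]$row
            continue
        }
        $row.Fqdn = $name

        # WinRM over HTTP listens on TCP 5985 by default.
        $row.WinRMPort = Test-NetConnection -ComputerName $name -Port 5985 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $row.WinRMPort) {
            $row.Note = 'TCP 5985 not reachable; WinRM disabled or filtered'
            [pscustomobject]$row
            continue
        }

        # Authenticated WS-Management probe restricted to Kerberos, using the
        # current logon session's credentials.
        try {
            Test-WSMan -ComputerName $name -Authentication Kerberos -ErrorAction Stop | Out-Null
            $row.Kerberos = $true
        } catch {
            $row.Note = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Test-KerberosWinRM -IpAddress $ScannedIps | Format-Table -AutoSize
```

Rows with an empty `Fqdn` are the hosts that a scan can find but Kerberos cannot authenticate to until name resolution is fixed.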