Discovery w/o NTLM (using Kerberos)

dmatasek-cdw
Tera Contributor

‎11-21-2023 07:54 AM

All,

 

I am working with a client to implement discovery in a world where they have disabled NTLM and only are using Kerberos.  This (among other things) prevents a client from connecting to a Windows Server using known credentials and an IP address.   Which is Discovery's default way of connecting.

 

I am curious if anybody else has run into this situation and how you combatted it.

 

Thanks in Advance.

0 Helpfuls
  • 1,541 Views
3 REPLIES 3

Niklas Peterson
Mega Sage
Mega Sage

‎11-22-2023 01:28 AM

Hi,

WinRM supports Kerberos. Using WinRM instead of WMI should enable you to run Discovery without NTLM.

 

https://docs.servicenow.com/bundle/vancouver-servicenow-platform/page/product/mid-server/task/enable...

 

Regards,
Niklas

0 Helpfuls

dmatasek-cdw
Tera Contributor

‎11-22-2023 05:54 AM

Thanks for the reply.  While I think it should work, I do not think it is a full solution.  Part of the value of Discovery is to discover what you did not know you had.  With WinRM, I have to know the hosts that we are going to discover.

0 Helpfuls

Niklas Peterson
Mega Sage
Mega Sage
In response to dmatasek-cdw

‎11-22-2023 07:02 AM

Hi,

Well, you will still need to port scan to discover your devices. It's the same as if you would try to discover using WMI and lack credentials. The difference is only in what actions you need to take when you find a device you cannot access.

Network visibility and credentials are things you cannot leave out.

 

Regards,
Niklas

0 Helpfuls