The CreatorCon Call for Content is officially open! Get started here.

Do I need dedicated Windows credentials?

Go to solution
Bobby Campbell
Kilo Sage

‎05-16-2024 01:12 PM

Our MID Servers are all running on Windows OS.  I've read that Windows/WMI discovery uses the same credentials used for running the mid server service.  If this is true, then do I also need to create a Windows credential within Discovery credentials?  Under what circumstances would it be used instead of what's already on the MID Server?

Labels:
0 Helpfuls
  • 1,323 Views
1 ACCEPTED SOLUTION

Go to solution
Selva Arun
Mega Sage
Mega Sage

‎05-17-2024 06:31 AM - edited ‎05-17-2024 06:32 AM

Yes, it's true that Windows/WMI discovery in ServiceNow can use the same credentials that are used for running the MID Server service. However, its good practice to specify separate Windows credentials within the Discovery credentials.

 

 

The credentials used for the MID Server service are primarily for the operation of the MID Server itself. These credentials allow the MID Server to interact with the ServiceNow instance and perform tasks such as executing probes and sensors.

 

On the other hand, the Windows credentials specified within the Discovery credentials are used specifically for the discovery process. These credentials are used to authenticate against the Windows machines that are being discovered. This allows the Discovery process to access necessary information from the target machines and update CMDB accordingly.

 

The below is from the https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0750751:

 

If a customer uses only the service account on the MID server service for their Windows credential, and do not have any windows credentials in the credential table of the instance, all windows discovery probes return details from the MID Server host, and not the target that's meant to be scanned.
The WMI classify probe returns the hostname of the MID server, not the target.

This issue is maintained even if the following properties are explicitly applied to the MID server:
mid.powershell.use_credentials = false
mid.powershell.local_mid_service_credential_fallback = true

The fallback facility to use the mid service credential is no longer working. It is acting as though there are no credentials being used at all. Since you can reproduce this with:
mid.powershell.use_credentials = false
mid.powershell.local_mid_service_credential_fallback = false

 

Please check the below article for more information:

 


(1) Windows Discovery Overview - Support and Troubleshooting - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1116898.


(2) MID Server and Credentials Encryption - Support and ... - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0679355.


(3) Windows credentials - Product Documentation: Utah - Now ... - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1235292.


(4) How to Update a MID Server password - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0746702.


(5) Credentials & Permissions troubleshooting on Discovery ... - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0657528.


(6) Windows discovery without 'domain admin' or 'local admin ... - ServiceNow. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0951917.


(7) Determine if you have the correct credentials on the MID Server .... https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0535149.

 

 

Please mark my answer as either helpful or accept my solution.

 

Thank you.

 

View solution in original post

5 REPLIES 5

Go to solution
SK Chand Basha
Tera Sage
Tera Sage

‎05-16-2024 07:40 PM

Hi @Bobby Campbell 

you can use agent client collector. That will help you to get all the details without credentials.

 

https://youtu.be/KUZzYm-HyNU?si=g3hbWTl3m4epWGCY

 

Mark it Helpful and Accept Solution!! If this helps you to understand.

Go to solution
Pratiksha
Mega Sage
Mega Sage

‎05-16-2024 08:06 PM

Hi @Bobby Campbell ,

 

yes you need to creat creds for discoverying the windows devices. The good practice is create a domain user and make sure the windows devices are part of domain user. The process is when mid server runs the job it try to  discover the target machine it log in on devices using the credentials stored in credentials table. 

Reagards,

pratiksha khandelwal

Go to solution
cosek
Tera Contributor

‎05-17-2024 03:25 AM

What is the difference between Windows credentials and generic credentials?
 
 
0 Helpfuls

Go to solution
SK Chand Basha
Tera Sage
Tera Sage
In response to cosek

‎05-17-2024 04:09 AM

Hi @cosek 

 

Generic are not specific to an application .

 

The Generic Credentials are used by the applications for authentication and security, directly, without delegating windows OS to do that.

 

Windows ones are specific to Windows

 

 

The windows operating level system credentials or the Domain Credentials are used by the OS and then authenticated by the Local security Authority.

0 Helpfuls