Getting ADME to work with MID Server service account credentials, like gMSA
08-22-2024 07:18 AM
Getting ADME to work on Windows Servers with discovery seems to require a certain scenario to work in terms of the permissions required (tested with Windows Server Datacenter 2022).
However, it doesn't work with just the MID server's service account (Scenarios 1 & 2 below), even though discovery and plain ADM work. However, if creating a credentials entry with the user / pwd for the exact same account as used to run the MID server, it works (Scenarios 3.1 & 3.2 below). The permissions on the target server remain exactly the same, and the firewalls are off on both the MID and the target server, so the issue seems to be on the Discovery / ADME side.
A workaround could be to just add this credential entry, BUT if using a gMSA account, it's only possible to use Scenarios 1 & 2, as there is no password available.
So, how can we get ADME working in Scenarios 1 & 2 so we can also use it in a setup with gMSA accounts?
Has anyone got this working, or does anyone have any ideas for further testing?
Scenario 1:
If running discovery on the target server with just the MID server's credentials (which have access on the target server) and no credential in the discovery_credentials list.
Result: Warning in the discovery log from ADME Powershell:
java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "cleanedUsername" is null at com.service_now.mid.probe.ADMEPowershell.runPSLocally(ADMEPowershell.java:180)... ... ...
Scenario 2:
If running discovery on the target server with just the MID server's credentials (which have access on the target server) and having added this account to the discovery_credentials list with the "Use MID server credentials" option checked:
Note - same result even after multiple discovery runs.
Result: Warning in the discovery log from ADME Powershell, but now a different one:
EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...
Scenario 3.1:
If running discovery on the target server with credentials (user / pwd) in the discovery_credentials list (with access to the target server). Important - this could be the exact same credentials that the MID server uses, but now specified with the user / pwd in the credentials list. No changes on the target server at all:
Note - First discovery result:
Result: Warning in the discovery log from ADME Powershell:
EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...
Scenario 3.2:
Same as scenario 3.1 but the second discovery result:
Result: Successful ADME discovery.
08-28-2024 11:07 PM
I opened this as an issue with ServiceNow and they responded that it should work but that there is an open problem on this matter:
ADME does not support "Service Account" windows credentials - Known Error (servicenow.com)
As of now, the intended fix version per the article is Yokohama.