
Getting ADME to work with MID Server service account credentials, like gMSA

Jon Runheim
Tera Contributor

Getting ADME to work on Windows Servers with discovery seems to require a certain scenario to work in terms of the permissions required (tested with Windows Server Datacenter 2022).

However, it doesn't work with just the MID server's service account (Scenario 1 & 2 below), even though discovery and plain ADM work. However, if a credentials entry is created with the user / pwd for the exact same account as used to run the MID server, it works (Scenario 3.1 & 3.2 below). The permissions on the target server remain exactly the same and the firewalls are off on both the MID and the target server, so the issue seems to be on the Discovery / ADME side.

 

A workaround could be to just add this credential entry, BUT if using a gMSA account, it's only possible to use Scenario 1 & 2 as there is no password available.

 

So - how can we get ADME working in scenario 1 & 2 so we can also use it in a setup with gMSA accounts?

Has anyone got this working or have any ideas for further testing?

 

 

Scenario 1:

Running discovery on the target server using just the MID server's credentials (which have access on the target server) and no credential in the discovery_credentials list.

Result: Warning in the discovery log from ADME Powershell:

java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "cleanedUsername" is null at com.service_now.mid.probe.ADMEPowershell.runPSLocally(ADMEPowershell.java:180)... ... ...


Scenario 2:

Running discovery on the target server using just the MID server's credentials (which have access on the target server), with this account added to the discovery_credentials list and the "Use MID server credentials" option checked:

Note - same result even after multiple discovery runs.

Result: Warning in the discovery log from ADME Powershell, but now a different one:

EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...


Scenario 3.1:

Running discovery on the target server with credentials (user / pwd) in the discovery_credentials list (with access to the target server). Important - these could be the exact same credentials that the MID server uses, but now specified with the user / pwd in the credentials list. No changes on the target server at all:

Note - First discovery result:

Result: Warning in the discovery log from ADME Powershell:

EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...


Scenario 3.2:

Same as scenario 3.1 but the second discovery result:

Result: Successful ADME discovery.


1 REPLY

Jon Runheim
Tera Contributor

I opened this as an issue with ServiceNow and they responded that it should work but that there is an open problem on this matter:
ADME does not support "Service Account" windows credentials - Known Error (servicenow.com)
The intended fix version, as of now, is Yokohama per the article.