Getting ADME to work with MID Server service account credentials, like gMSA

Jon Runheim
Tera Contributor

Getting ADME to work on Windows Servers with discovery seems to require a certain scenario to work in terms of the permissions required (tested with Windows Server Datacenter 2022).

However - it doesn't work with just the MID server's service account (Scenario 1 & 2 below) even though discovery and plain ADM work. However, if creating a credentials entry with the user / pwd for the exact same account as used to run the MID server, it works (Scenario 3.1 & 3.2 below). The permissions on the target server remain exactly the same, the firewalls are off on both the MID and the target server = the issue seems to be on the Discovery / ADME side.

A workaround could be to just add this credential entry.. BUT.. if using a gMSA account, it's only possible to use Scenario 1 & 2 as there is no password available.

So - how can we get ADME working in scenario 1 & 2 so we can also use it in a setup with gMSA accounts?

Has anyone got this working or have any ideas for further testing?

Scenario 1:

If running discovery on the target server using just the MID server's credentials (which has access on the target server) and no credential in the discovery_credentials list.

Result: Warning in the discovery log from ADME Powershell:

java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "cleanedUsername" is null at com.service_now.mid.probe.ADMEPowershell.runPSLocally(ADMEPowershell.java:180)... ... ...

Scenario 2:

If running discovery on the target server using just the MID server's credentials (which has access on the target server) and have added this account to the discovery_credentials list and have the "Use MID server credentials" option checked:

Note - same result even after multiple discovery runs.

Result: Warning in the discovery log from ADME Powershell, but now a different one:

EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...

Scenario 3.1:

If running discovery on the target server with credentials (user / pwd) in the discovery_credentials list (with access to the target server). Important - this could be the exact same credentials that the MID server uses, but now specified with the user / pwd in the credentials list. No changes on the target server at all:

Note - First discovery result:

Result: Warning in the discovery log from ADME Powershell:

EvaluatorException(new ProbePostProcessor({
/**
* Runs the probe instance
*/
process: function() {... ... ...

Scenario 3.2:

Same as scenario 3.1 but the second discovery result:

Result: Successful ADME discovery.

1 Reply

Jon Runheim
Tera Contributor

I opened this as an issue with ServiceNow and they responded that it should work but that there is an open problem on this matter:
ADME does not support "Service Account" windows credentials - Known Error (servicenow.com)
Per the article, the intended fix version as of now is Yokohama.