Troubleshooting Help Needed | Unable to Discover one specific Windows 10 computer

08-03-2020 06:52 AM
Hello,
I am facing a challenge in discovering a Windows 10 computer. Below are the troubleshooting steps that I have performed so far:
- Ran Ping from mid server host was successful
- Ran Telnet from mid server host to verify which ports are open
  - WMI: 135 - Open
  - SSH: 22 - failed
  - VCenter: 443 - failed
  - WinRM: 5985 - Open
  - WBEM: 5989 - Open
  - LDAP: 389 - failed
- Ran Tracert works using the name and IP - both result in the expected results
- Verified the user account stored in ServiceNow credentials is a member of the local administrator's group on the computer
- Used "Test credentials" link within ServiceNow. The test fails. However, I CAN successfully log into Windows 10 directly on the computer via RDP. I do not believe there is an issue with the credentials stored in ServiceNow because they work on hundreds of other devices.
- Verified that WMI is allowed on the local firewall
- Unable to verify WMI connection via PowerShell command (gwmi) from mid server host. Results in "Access is denied"
- Checked with DNS admin and they stated the DNS entry is correct.
- I am able to discover another on the same network segment without any issues.
There is something different about the configuration of this one specific computer that I can't seem to figure out. I was hoping that someone with a little more experience might be able to help me out with the next steps.
Thanks in advance!
--------------------------------------------------------------------------------------------------------
Discovery Log
08-03-2020 09:20:20 AM Warning Authentication failure(s) with available Windows credentials from the instance. WMIRunner (empty) Windows Classify
08-03-2020 09:20:20 AM Warning Active, couldn't classify: No WMI connection, now finished WMIRunner (empty) Windows Classify
---------------------------------------------------------------------------------------------------------
WMIRunner Payload

08-03-2020 06:58 AM
Have you checked joe's suggestion in the following thread? He suggests checking the time on the host machine and mid server.

08-03-2020 10:18 AM
The date/time is correct.

08-03-2020 09:56 AM
Hi,
There are a few points to check:
1) Unable to verify WMI connection via PowerShell command (gwmi) from mid server host. Results in "Access is denied": this means that there is some rights issue on this machine for this account. Make sure the user is in the same domain and that local or domain admin rights are given. Also, the RPC service should be available. This is either a firewall issue or creds. Check that the MID Server used for discovery is the same as what you use for login. This clearly says that gWMI is not passed, as this is the first step we try.
2) Also, port 445 should be open and have access to the admin share.
Nice:
https://hi.service-now.com/kb_view.do?sysparm_article=KB0535240
Thanks,
Ashutosh
08-03-2020 11:25 AM
Did you also check that the high ports 49152 - 65535 are open to this Windows host as well? When discovering using WMI, port 135 from the MID Server to the Remote Windows host must be open for initial communication AND high ports 49152 - 65535 must be open for the remainder of the communication. It is possible the high ports are being blocked.
If the Windows host has the Windows Firewall with Advanced Security turned on, you can check the firewall logs (C:\Windows\System32\LogFiles\Firewall) to determine if any of the WMI ports are being blocked. When the Inbound rule Windows Management Instrumentation (WMI-In) for WMI is enabled, you can see in the logs that the high ports (src-port and dst-port) are allowed (action=ALLOW).
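
The firewall-log check described in the reply above can be scripted; the following is an added example, not part of the original thread or of ServiceNow's tooling. It assumes firewall logging of dropped packets and successful connections is enabled on the host, and the sample log lines and IP addresses (10.0.0.5 as the MID Server, 10.0.0.20 as the Windows 10 host) are constructed.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log format (W3C-style, "#Fields:" header).
# 10.0.0.5 stands in for the MID Server, 10.0.0.20 for the Windows 10 host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2020-08-03 09:20:18 ALLOW TCP 10.0.0.5 10.0.0.20 51500 135 0 - 0 0 0 - - - RECEIVE
2020-08-03 09:20:19 DROP TCP 10.0.0.5 10.0.0.20 51501 49670 52 S 2761540 0 8192 - - - RECEIVE
2020-08-03 09:20:19 DROP TCP 10.0.0.5 10.0.0.20 51502 49670 52 S 2761999 0 8192 - - - RECEIVE
2020-08-03 09:20:20 ALLOW TCP 10.0.0.9 10.0.0.20 50211 3389 0 - 0 0 0 - - - RECEIVE
2020-08-03 09:20:21 ALLOW UDP 10.0.0.20 10.0.0.2 55123 53 0 - - - - - - - SEND
"""

def port_class(port):
    """Map a destination port to the WMI/DCOM role named in the thread."""
    if port == 135:
        return "rpc-endpoint-mapper"      # initial WMI contact
    if 49152 <= port <= 65535:
        return "rpc-dynamic"              # high ports used for the rest of the session
    return None

def wmi_verdicts(log_text, mid_server_ip):
    """Count firewall actions on inbound WMI-related TCP traffic from the MID Server."""
    fields, verdicts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("src-ip") != mid_server_ip:
            continue
        if row.get("path", "RECEIVE") != "RECEIVE":   # inbound traffic only
            continue
        try:
            cls = port_class(int(row["dst-port"]))
        except (KeyError, ValueError):
            continue                      # malformed or truncated record
        if cls:
            verdicts[(cls, row["action"])] += 1
    return verdicts

def blocked_classes(verdicts):
    """Port classes for which at least one packet from the MID Server was dropped."""
    return sorted({cls for (cls, action) in verdicts if action == "DROP"})

if __name__ == "__main__":
    print(blocked_classes(wmi_verdicts(SAMPLE_LOG, "10.0.0.5")))
```

On the constructed sample, port 135 is allowed while the dynamic RPC port is dropped, which is the pattern the reply describes when the high ports are blocked.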