Windows credentials

Windows credentials provide access to Windows computers. This credential type is available for Discovery and Orchestration.

Credential requirements

Discovery and Orchestration have the following requirements for Windows credentials:
  • Install a MID Server on a Windows host as a service.
  • Add Windows credentials to one of these locations:
    • An entry in the Credentials [windows_credentials] table.
    • The MID Server service account, configured to run as a specific Windows user or domain account.

Granting proper permissions

To provide sufficient permissions, Windows credentials must be one of the following:
  • A domain user with local administrator access on the target Windows hosts.
  • A local account that has administrator privileges and User Account Control (UAC) disabled on the same target host.
  • A user who meets the requirements of Windows probes and permissions (Discovery only).
  • A user who meets the requirements of the Orchestration activity to be run (Orchestration only).

Workgroup computers

To run PowerShell commands to discover a Workgroup computer, configure the MID Server credentials for either of these users:
  • Built-in administrator account on the Workgroup computer.
  • Domain user on the Workgroup computer.

Multi-domain configuration

To enable Windows credentials to function across multiple domains, make sure to use the correct name formats and MID Server configuration.

Discovery and Orchestration support Windows domain credentials in both User Principal Name and Down-Level Logon Name user name formats, for example UserName@example.domain.com (User Principal Name) or Domain\UserName (Down-Level Logon Name). You can provide Windows workgroup credentials in the following format: WORKGROUP\UserName.

Note: You can also provide a local account by using the .\ prefix in the user name.
These additional actions are required to enable credentials to function across multiple Windows domains.
Condition | Additional actions required
MID Server host on the same domain as the Windows target. | None
MID Server host on a different domain than the Windows target. | Ensure that PowerShell 2.0 or higher is installed on the MID Server host.
MID Server host on a different domain than the Microsoft SQL Server target. | See MSSQL server discovery.

Windows credentials type

These fields are available in the Credentials form for Windows:
Field | Description
Name | Enter a unique and descriptive name for this credential.
Active | Enable or disable these credentials for use.
User name | Enter the user name to create in the Credentials table. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name. For CIM discovery, the user must have the admin role.
Password | Enter the password.
Credential ID | Enter the unique key configured for external credentials in the JAR file uploaded to the MID Server for an external credential system. The Credential ID field has a limit of 40 characters. This field is only visible when the External credential store check box is selected.
Credential alias | Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow. To use the credential for discovering CIs not belonging to this CI type using Service Mapping and Discovery patterns, enter the table name for the CI type to which the CI belongs, for example cmdb_ci_apache_web_server. For more information, see Change credentials to non-default.
External credential store | Select this check box to use an external credential storage system. When you select this option, the User name and Password fields are replaced with the Credential ID field. External credential storage is only available when the External Credential Storage plugin is activated. Note: Currently, the only supported external storage system is CyberArk.
Applies to | Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.
MID servers | Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field.
Order | Enter the order (sequence) in which the platform tries this credential as it attempts to log on to devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), the instance tries the credentials in a random order.
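
The user name formats listed under Multi-domain configuration and the User name and Credential ID rules above can be checked before a record is saved. The following is an added example, not code from the platform; the function names, the record shape and the sample values are assumptions made for illustration.

```javascript
// Added example: lint a Windows credential record against the rules on this page.
// Function names and the record shape are hypothetical; sample values are constructed.
function classifyUserName(raw) {
  const issues = [];
  const name = raw.trim();
  if (name !== raw) issues.push('leading or trailing spaces');
  const slash = name.indexOf('\\');
  const at = name.lastIndexOf('@');
  let format = 'unqualified', scope = null, user = name;
  if (slash !== -1) {
    // Down-level style: exactly one backslash separating scope and user.
    scope = name.slice(0, slash);
    user = name.slice(slash + 1);
    if (!scope || !user || user.includes('\\')) {
      format = 'invalid';
      issues.push('malformed scope\\user name');
    } else if (scope === '.') format = 'local';
    else if (scope.toUpperCase() === 'WORKGROUP') format = 'workgroup';
    else format = 'down-level';
  } else if (at > 0 && at < name.length - 1) {
    // User Principal Name: user@dns.domain
    format = 'upn';
    user = name.slice(0, at);
    scope = name.slice(at + 1);
  } else {
    issues.push('no domain, workgroup or .\\ qualifier');
  }
  return { format, scope, user, issues };
}

function lintCredential(rec) {
  if (rec.external) {
    // With an external store the form shows Credential ID instead of user name/password.
    const id = rec.credentialId || '';
    const issues = [];
    if (!id) issues.push('missing Credential ID');
    if (id.length > 40) issues.push('Credential ID longer than 40 characters');
    return { format: 'external', issues };
  }
  return classifyUserName(rec.userName || '');
}

// Constructed sample records.
const samples = [
  { userName: 'CORP\\svc_discovery' },
  { userName: ' svc_discovery@example.domain.com' },
  { userName: '.\\Administrator' },
  { external: true, credentialId: 'x'.repeat(41) },
];
const report = samples.map(lintCredential);
```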

Configure Windows credentials for the MID Server

Configure the MID Server to use either the credentials of its own Windows service or credentials from the Credentials [discovery_credentials] table.

Before you begin

Role required: admin

Procedure

  1. Configure the MID Server to use credentials from the MID Server service account.
    1. Set the MID Server service account to a user who meets the permission requirements.
    2. Verify the user name meets the name format requirements.
    3. Fill in the fields on the form, as appropriate.
    4. Verify the credentials meet domain requirements.
  2. Configure the MID Server to use credentials from the Credentials [discovery_credentials] table.
    1. Add individual Windows credentials to the Credentials [windows_credentials] table.
      • Verify each credential meets the permission requirements.
      • Verify each username meets the name format requirements.
      • Verify each credential meets the Windows domain requirements.
    2. [Optional] Configure the MID Server to use PowerShell by setting the mid.use_powershell parameter to true. See MID Server Configuration.
    3. [Optional] By default, Discovery automatically uses the MID Server service account credentials if all credentials in the Credentials table fail. If you do not want to use the MID Server service credentials as a fallback, set the mid.powershell.local_mid_service_credential_fallback parameter to false.
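
To review which accounts a given MID Server will present to a target, and in what sequence, the Active, Applies to, Order and fallback rules on this page can be modelled as below. This is an added example, not platform code; the record shape, the function name, the placement of credentials without an order, and the sample records are assumptions.

```javascript
// Added example: a model of the credential selection rules described on this page.
// Not platform code; the record shape and function name are hypothetical.
const FALLBACK_PARAM = 'mid.powershell.local_mid_service_credential_fallback';

function planAttempts(credentials, midServer, midParams = {}) {
  // Keep active credentials that apply to all MID Servers or list this one.
  const usable = credentials.filter(c =>
    c.active && (c.appliesTo === 'all' || (c.midServers || []).includes(midServer)));

  // Smaller order number is tried first. Placing credentials without an
  // order last is an assumption of this model.
  const key = c => (Number.isFinite(c.order) ? c.order : Infinity);
  usable.sort((a, b) => key(a) - key(b));

  // Credentials sharing an order value have no defined relative order.
  const groups = new Map();
  for (const c of usable) {
    const k = key(c);
    groups.set(k, [...(groups.get(k) || []), c.name]);
  }
  const ambiguous = [...groups.values()].filter(g => g.length > 1);

  // The service account is tried last unless the fallback parameter is false.
  const fallback = String(midParams[FALLBACK_PARAM] ?? 'true').toLowerCase() !== 'false';
  const sequence = usable.map(c => c.name);
  if (fallback) sequence.push('<MID Server service account>');
  return { sequence, ambiguous, fallback };
}

// Constructed sample records.
const credentials = [
  { name: 'dc-admin', active: true, order: 100, appliesTo: 'all' },
  { name: 'lab-local', active: true, order: 100, appliesTo: 'specific', midServers: ['mid-lab'] },
  { name: 'sql-svc', active: true, order: 50, appliesTo: 'specific', midServers: ['mid-dc'] },
  { name: 'old-admin', active: false, order: 10, appliesTo: 'all' },
];
const labPlan = planAttempts(credentials, 'mid-lab');
const dcPlan = planAttempts(credentials, 'mid-dc', { [FALLBACK_PARAM]: 'false' });
```

In the sample, the plan for mid-lab ends with the service account and reports dc-admin and lab-local as sharing an order value, while the plan for mid-dc stops after the table credentials because the fallback parameter is false.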