Windows credentials provide access to Windows computers. This credential type is available for Discovery and Orchestration.

Credential requirements

Discovery and Orchestration have the following requirements for Windows credentials:
  • Install a MID Server on a Windows host as a service.
  • Add Windows credentials to one of these locations:
    • An entry in the Credentials [windows_credentials] table
    • A MID Server service account to run as a specific Windows user or domain account.

Granting proper permissions

To provide sufficient permissions, Windows credentials must be one of the following:
  • A domain user with local administrator access on the target Windows hosts.
  • A local account that has administrator privileges and User Account Control (UAC) disabled on the same target host.
  • A user who meets the requirements of Windows probes and permissions (Discovery only).
  • A user who meets the requirements of the Orchestration activity to be run (Orchestration only).
Note: No logon privileges are needed. The account does not need to be interactive.

Security around granting privileged access can be enhanced by using JEA profiles to run Discovery. For more information, see Microsoft Just Enough Administration (JEA) for Discovery.

Workgroup computers

To run PowerShell commands to discover a Workgroup computer, configure the MID Server credentials for either of these users:
  • Built-in administrator account on the Workgroup computer.
  • Domain user on the Workgroup computer.

Multi-domain configuration

To enable Windows credentials to function across multiple domains, make sure to use the correct name formats and MID Server configuration.

Discovery and Orchestration support Windows domain credentials in both User Principal Name and Down-Level Logon Name user name formats, for example UserName@example.domain.com or Domain\UserName. You can provide Windows workgroup credentials in the following format: WORKGROUP\UserName.

Note: You can also provide a local account by using the .\ user name.

These additional actions are required to enable credentials to function across multiple Windows domains.

| Condition | Additional actions required |
| --- | --- |
| MID Server host on the same domain as the Windows target. | None |
| MID Server host on a different domain than the Windows target. | Ensure that PowerShell 3.0 or higher, up to 5.1, is installed on the MID Server host. |
| MID Server host on a different domain than the Microsoft SQL Server target. | See MSSQL server discovery. |
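
A preflight check for the name formats and the cross-domain PowerShell requirement described above, as an added example that is not ServiceNow code. The function names and the sample user names are hypothetical and constructed for illustration; run it on the MID Server host before adding credentials.

```powershell
# Added example, not part of the product. Function names are hypothetical.

function Get-CredentialNameFormat {
    # Classify a user name against the formats listed on this page.
    param([Parameter(Mandatory = $true)][string]$UserName)

    switch -Regex ($UserName) {
        '^\.\\[^\\@]+$'        { return 'LocalAccount' }        # .\UserName
        '^WORKGROUP\\[^\\@]+$' { return 'Workgroup' }           # WORKGROUP\UserName
        '^[^\\@]+\\[^\\@]+$'   { return 'DownLevelLogonName' }  # Domain\UserName
        '^[^\\@]+@[^\\@]+$'    { return 'UserPrincipalName' }   # UserName@example.domain.com
        default                { return 'Unrecognized' }
    }
}

function Test-MidPowerShellVersion {
    # True when the version is in the 3.0 to 5.1 range that the page requires
    # when the MID Server host and the Windows target are in different domains.
    param([version]$Version = $PSVersionTable.PSVersion)

    # Compare major.minor only, so a build such as 5.1.19041.1 still counts as 5.1.
    $majorMinor = New-Object System.Version -ArgumentList $Version.Major, $Version.Minor
    $inRange = ($majorMinor -ge [version]'3.0') -and ($majorMinor -le [version]'5.1')
    return $inRange
}

# Constructed sample user names (not from a real environment).
$samples = 'CORP\svc-discovery', 'svc-discovery@example.domain.com',
           'WORKGROUP\Administrator', '.\localadmin', 'svc-discovery'

foreach ($name in $samples) {
    $format = Get-CredentialNameFormat -UserName $name
    $note = switch ($format) {
        'LocalAccount' { 'needs administrator privileges and UAC disabled on the target' }
        'Unrecognized' { 'fix the name format before adding the credential' }
        default        { '' }
    }
    [pscustomobject]@{ UserName = $name; Format = $format; Note = $note }
}

"PowerShell version within 3.0 to 5.1: $(Test-MidPowerShellVersion)"
```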

Windows credentials type

These fields are available in the Credentials form for Windows:

Configure Windows credentials for the MID Server

Configure the MID Server to use either the credentials of its own Windows service or credentials from the Credentials [discovery_credentials] table.

Before you begin

Role required: admin

Procedure

  1. Configure the MID Server to use credentials from the MID Server service account.
    1. Set the Configure Windows MID Server service credentials to a user who meets the permission requirements.
    2. Verify the user name meets the name format requirements.
    3. Fill in the fields on the form, as appropriate.
    4. Verify the credentials meet domain requirements.
  2. Configure the MID Server to use credentials from the Credentials [discovery_credentials] table.
    1. Add individual Windows credentials to the Credentials [windows_credentials] table.
      • Verify each credential meets the permission requirements.
      • Verify each username meets the name format requirements.
      • Verify each credential meets the Windows domain requirements.
    2. (Optional) Configure the MID Server to use PowerShell by setting the mid.use_powershell parameter to true.
    3. Select the Windows MID Server Service Account check box to create a credential that represents the Windows MID Server service account to run as a specific Windows user or domain account.