Steps to Reproduce
- No account that exists on both the MID Server host A and Windows machine B (the account the MID Server service runs under has no rights on B)
- Discovery plugin activated
- MID Server A is on a Windows host, with the MID Server service account running as LocalSystem (the default)
Add a Windows credential that can successfully discover Windows machine B.
Run a discovery that targets Windows machine B from MID Server A.
Allow the discovery to finish successfully.
Log in to machine B and open the Event Viewer (Windows Logs > Security).
NOTE: A 4625 event should be logged whose account name is the account under which the MID Server service on machine A runs (the account Windows tried first), not the Discovery credential that eventually succeeded. With the default LocalSystem service account on a domain-joined host, this appears as the MID Server host's computer account.
- Keywords: Audit Failure
- Source: Microsoft Windows security auditing.
- Event ID: 4625
- Task Category: Logon
In the General details of the event, the Network Information section identifies the MID Server host (workstation name and/or source network address) as the origin of the failed attempt.
Run discovery again. A new Audit Failure event is logged on every run.
NOTE: Credential affinity does not prevent this. Affinity only determines which stored credential Discovery tries first; the Audit Failure is logged by Windows whenever the initial connection attempt under the MID Server service account is refused, which happens before the impersonated credential is used.
To verify that a credential has access to the target machine, the probe executes the following command:
$results = gwmi win32_operatingsystem -computer $computer -credential $cred -impersonation 3 -authentication 6 -EA "Stop";
If this command fails, the probe moves on to the next credential. If it succeeds, the probe continues and executes the intended script against the target with that credential.
As described in the Microsoft forums post "When using Get-WMIObject, it uses current user credential first before using "-Credential" parameter", when impersonation is used Windows first attempts the connection as the current user (here, the MID Server service account) before applying the credential passed with -Credential. If the service account is refused, the target logs a 4625 Audit Failure before the impersonated credential is tried. This is therefore working as designed per Microsoft. Impersonation has been part of Discovery for a long time, so at least one security event per probe will always be logged on the target; more if other commands in the script also require impersonation.
Windows first tries to authenticate as the MID Server Windows service account. If that account already has access to the target, no Audit Failure event is logged. To achieve this, run the MID Server service under an account that has the necessary rights on the targets, for example by having a MID Server in the same domain discover targets within that domain.
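The credential loop described above (try each stored credential with Get-WmiObject, move on when it fails) and a check for the 4625 events it leaves behind on the target, as an added PowerShell example that is not part of this article or of the MID Server's own probe code. It assumes Windows PowerShell 5.1 on the MID Server host, WMI/DCOM reachable on the target, and that the caller is allowed to read the target's Security log for the second function; the host, target and account names are placeholders.

```powershell
# Added example: not ServiceNow's or Microsoft's code. Host names, user names
# and the credential list are placeholders chosen for illustration.

# Try each credential against a target the way the discovery probe does
# (impersonation level 3 = Impersonate, authentication level 6 = PacketPrivacy)
# and return the first credential that works, or $null if none does.
function Find-WorkingWmiCredential {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential[]] $Credentials
    )
    foreach ($cred in $Credentials) {
        try {
            # Same call the article uses to verify access. Even when $cred works,
            # the initial connection is attempted under the calling account (the
            # MID Server service account), which is what yields the 4625 on the
            # target when that account has no rights there.
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                -Credential $cred -Impersonation 3 -Authentication 6 -ErrorAction Stop
            Write-Verbose "Access to $ComputerName as $($cred.UserName): $($os.Caption)"
            return $cred
        } catch {
            # Iterate to the next credential, as the probe does.
            Write-Verbose "Credential $($cred.UserName) failed on ${ComputerName}: $($_.Exception.Message)"
        }
    }
    return $null
}

# Read recent 4625 events from the target's Security log and keep only those whose
# Network Information points back at the MID Server host, so the events caused by
# discovery can be told apart from unrelated logon failures.
function Get-DiscoveryLogonFailures {
    param(
        [Parameter(Mandatory)] [string] $TargetComputer,
        [Parameter(Mandatory)] [string] $MidServerHost,   # NetBIOS name or IP, as it appears in the event
        [datetime] $Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $TargetComputer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields are only reliably reachable via the XML view.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                TargetUser      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType       = $data.LogonType
                Status          = $data.Status
                SubStatus       = $data.SubStatus
                WorkstationName = $data.WorkstationName
                IpAddress       = $data.IpAddress
            }
        } |
        Where-Object {
            $_.WorkstationName -eq $MidServerHost -or $_.IpAddress -eq $MidServerHost
        }
}

# Usage (placeholder names):
# $creds = @((Get-Credential 'CORP\svc-discovery'), (Get-Credential 'CORP\svc-discovery2'))
# $good  = Find-WorkingWmiCredential -ComputerName 'WINB' -Credentials $creds -Verbose
# Get-DiscoveryLogonFailures -TargetComputer 'WINB' -MidServerHost 'MIDA' | Format-Table
```

Run the first function from the MID Server host in the same security context as the MID Server service (for example with PsExec -s when the service runs as LocalSystem) to reproduce the behaviour exactly; run it from an interactive session and the account in the resulting 4625 will be the interactive user instead. The second function is also a convenient way to confirm that the events stop once the service account has been granted access to the targets.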
Related Problem: PRB1239785