Notifications

744 views

Introduction

Starting in the London release of ServiceNow, Discovery can now leverage the new Microsoft security technology called Just Enough Administration (https://docs.microsoft.com/en-us/powershell/jea/overview) to connect to a Microsoft Windows Server for discovery of hardware/software components for the CMDB.  Before the London Version, SN Discovery required an account credential with full local Administrator privileges.  JEA allows restricted delegation of administration to users that are not a member of the Administrator group.  It provides the capability for non Admin users to connect remotely to a Windows Server using Powershell Remoting This is similar to how SUDO works for Unix/Linux operating systems where it allows a non-root user to run specific commands as root.  This should alleviate concerns from security groups at customers trying to deploy Discovery and Service Mapping to populate the CMDB.

In order to configure JEA non-Admin credentials for discovery, a JEA Connection Endpoint must be configured for each Windows Server that will be discovered.  This document explains how to make these configurations and setup credentials that will leverage JEA for Discovery.


 

JEA requirements for Discovery with JEA

Here are the requirements for JEA setup.  It is critical that you meet each and every requirement or discovery with JEA will not work:

  • You must be running ServiceNow London version or higher
  • The Windows Server that you wish to discover must be part of a Windows domain
  • The JEA credential must be a domain level non-Admin credential
  • PowerShell remoting must be enabled on the Windows Server
  • Windows Remote Management must be running on the Windows Server
  • Windows Management Framework 5 must be running on the Windows Server
  • MID Server must be part of the same Windows Domain

Make sure to follow the below instructions exactly to get Windows Discovery with JEA to work.

Configuring the Windows Server for Discovery with JEA

The Windows Server must be configured with a JEA endpoint that will be used by the MID server for discovery.

  1. In Services, Make sure that Windows Remote Management is running

  1. For Windows versions below 2016, you must install Windows Management Framework 5: https://www.microsoft.com/en-us/download/confirmation.aspx?id=50395
  2. The Windows machine must be a member of a domain.  Join the Windows machine to a Windows domain if it is not already.
  3. The Non Administrator user that will be used for discovery must be a user defined in the domain.  Create a non Admin user and have it as a member of “Domain Users”.

On the domain controller, this is a user named “nonadmin” member of “Domain Users”

  1. On the Windows Server machine, go into Computer Management; Local Users and Groups and create a new user group (i.e.  jea_users) and make the nonadmin domain user a member of the group:

On the Windows Server, make the domain user “nonadmin” a member of the local group “jea_users”

  1. On the Windows Server, setup a JEA directory and a JEA session configuration file.  The JEA permissions and configuration will be created in the C:\Windows\System32\WindowsPowerShell\v1.0\Modules directory.  All of this will be done from the PowerShell command line.  Open an Administrator Command line window and run “powershell” to get to a PowerShell command line.  It must be an Administrator CMD window.

Run the following commands from the PowerShell prompt:

 

$dir= 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\jea'

new-item -itemtype directory -path $dir

 

From an Administrator CMD window, we create a “jea” directory in Modules

This will create the directory “C:\Windows\System32\WindowsPowerShell\v1.0\Modules\jea”.  We want to create a JEA session configuration file (i.e. jea.pssc):

New-PSSessionConfigurationFile -path "$dir\jea.pssc "

Create the JEA Session Configuration File

This will create the file C:\Windows\System32\WindowsPowerShell\v1.0\Modules\jea\jea.pssc.  Edit this file as an Administrator and make the below changes.  You need to substitute the domain\jea_user group on the line for RoleDefinitions.

Edit the JEA Session Configuration File

  1. We need to create the PowerShell Role Capability config file named “servicenow.psrc” in the RoleCapabilities directory.  This is the file that gives permissions for our non Admin user to run commands through PowerShell. Run the following commands:
new-item -itemtype directory "$dir\RoleCapabilities "

New-PSRoleCapabilityFile -path "$dir\RoleCapabilities\servicenow.psrc "

Create the PowerShell Role Capability config file

 

There is now be a file named: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\jea\RoleCapabilities\servicenow.psrc

This is the permissions file for the non admin user.  Edit this file as an Administrator and uncomment and modify the following lines as below:

 

__________________________________________________________________________________

 

Author = 'Administrator'

CompanyName = 'ServiceNow'

 

VisibleCmdlets = 'Get-WmiObject', 'New-Item', 'New-PSSession', 'Copy-item', 'Remove-PSSession', 'invoke-command', 'invoke-wmimethod', 'Get-ItemProperty', 'gwmi', 'format-list'

 

VisibleProviders = 'Registry'

VisibleExternalCommands = 'C:\Windows\System32\cmd.exe'

 

__________________________________________________________________________________

 

  1. We need to create the session configuration.  The JEA Endpoint configuration name will be “JEA_CONFIG”.

Run the command:  Register-PSSessionConfiguration -name JEA_CONFIG -path "$dir\jea.pssc". Make sure that no errors come back when you run this command.

Create the JEA Endpoint Configuration

We now have a JEA endpoint named “JEA_CONFIG”.  That’s the extension of the configuration needed for the Windows Server.

Configuring the MID Server

Make the MID Server part of the same Windows Domain as the Windows Server.

We need to test that the MID Server can connect to the Windows Server with the JEA credential.  This test can be conducted by running PowerShell Remoting and connecting to the Windows Server.  One thing needs to be done first.  ServiceNow Discovery references hosts by the IP Address and not the host name.  By default, PowerShell Remoting uses host names.  In order to run the Powershell remoting session and connect by IP Address, we need to open the trusted hosts.  Open a command line prompt and run “powershell” to get to a PowerShell prompt.  Then run the following PowerShell command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "* " -Force

This will enable us to run PowerShell remoting commands with an IP Address and not a host name.

To test that we can connect to the remote machine with the non admin credential over PowerShell, we need to set the non-Administrator credential to a $nonadmin variable.  Run the following command from the PowerShell prompt:

$nonadmin=Get-Credential

<this will cause a popup to ask for a Credential.  Enter the domain\non-Adminuser and password>

Now we can test the PowerShell command for our JEA endpoint configuration named “JEA_CONFIG”:

Enter-Pssession -ComputerName <ip_address> -ConfigurationName JEA_CONFIG -Credential $nonadmin

If this comes back without an error, then we know that the non Admin credential will work with the JEA Endpoint.  You can also test it by running these commands:

 

$ps=New-PSSession -computer <IP_address> -configurationName JEA_CONFIG -cred $nonadmin

$ps

Invoke-Command -session $ps -scriptblock {gwmi -query “select * from win32_operatingsystem”}

 

If this returns a block of data about the operating system, then the credential is working.

 

Configuring the ServiceNow instance

The following parameters must be configured on the ServiceNow Instance:

  1. The Windows Credential that is not an Administrator must be defined with the domain name

  1. The MID Server which will be used to run Discovery with the non-Administrator user must have the following properties defined.  Go to MID Server > Properties and define the following
    1. mid.sa.prefer_powershell_wmi_runner set to “true” and specify the MID Server
    2. mid.sa-prefer_powershell set to “true” and specify the MID Server
    3. mid.sa.powershell.jea set to the name of the JEA Endpoint (JEA_CONFIG) that you defined in the configuration of the Windows Server for Discovery. And specify the MID Server

 

Additional Information

Technical White paper on PowerShell Remoting (KB0712351)

 

Article Information

Last Updated:2018-09-11 04:06:18
Published:2018-09-11