2/13/2018 Support and Troubleshooting - Credentials troubleshooting on Discovery, Service Mapping, Orchestration

Credentials troubleshooting on Discovery, Service Mapping, Orchestration
295 views
Number: KB0657528 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0657528)

Overview

Throughout this article there are troubleshooting steps as well as links to more in-depth articles for specific credential types.

Credentials

In order to discover a device or perform orchestration activities, add credentials to the credentials table. These credential records specify a username, a password, a kind of credential (Windows, SSH, ...), and the MID Servers that are allowed to use this credential. When the MID Server starts or when a credential is modified, the MID Server downloads and caches all available credentials. Credentials for Discovery, Service Mapping, and Orchestration all point to the same credentials table.

General Troubleshooting

Test the credential:

1. Navigate to the credentials table
2. Select the credential
3. Click on Test credential
4. Populate the form fields for the credential test
5. Click OK

If the credential test fails, check that the credential has the correct username and password populated; a typographical error is very often the cause of the credential error. Once the credential fields are confirmed correct, if the credential error continues, debugging can be turned on in the MID server for further investigation. The MID server logs should then be reviewed after the issue is reproduced with debug turned on. However, before turning on debug, confirm the MID server can communicate with the target as described in the next steps.

Ping the device:

A ping confirms the device is available in the network. Log into the MID server host, open up the command prompt and run:

    ping <ip_address>

Please consult the target device administrator if ping is not successful.

Note: Some environments may have ICMP requests disabled, which could cause ping to fail.

Telnet into the port used for the credential test:

If a ping is successful, then the device is available in the network and reachable from the MID server host. However, protocols used to communicate with the target hosts must connect to a specified port. Such ports may not be open on the target host or on the network path used to reach the device. A telnet test will confirm whether the port is open or not.

    telnet <ip_address> <port_number>

The following are some of the ports used out of box, however a system administrator could change these ports.

    WMI: 135
    SSH: 22
    VCenter: 443
    WinRM: 5985
    WBEM: 5989
    LDAP: 389

If the telnet test fails, an error message would be displayed. Please consult the target device administrator and the network administrator to confirm that:

1. The firewall on the device allows traffic on the port tested by telnet
2. There are no network firewalls blocking traffic from the MID server to the target host on the port tested

Note: Telnet is an application that operates using the TCP protocol. UDP connectivity can not be tested using Telnet.

Collecting MID Server Debug logs

To turn on debugging on the MID server:

1. Navigate to the MID server list, MID Server > Servers
2. Select the MID server used for the failed discovery or orchestration activity
3. Select the Configuration Parameters related list and click New
4. Select Parameter Name = mid.log.level and set the value to debug. Once debugging is complete, set this value back to info

To collect the MID server logs:

1. On the MID server record click on Grab MID logs
2. Click on the input records displayed

Windows Credential

A simple PowerShell WMI query directly from the MID Server to the remote machine can be used to test access and permissions. Open a PowerShell command line on the host where the MID server is being used and run the following:

    gwmi win32_operatingsystem -computer 192.168.200.14 -credential 'LOCALDOMAIN\mid'

Substitute LOCALDOMAIN\mid with the credential to test, and 192.168.200.14 with the target IP address. The expected result is something similar to:

    SystemDirectory : C:\Windows\system32
    Organization    :
    BuildNumber     : 6001
    RegisteredUser  : Windows User
    SerialNumber    : 12345-OEM-1234567-12345
    Version         : 6.0.6001

If the WMI command above fails, either the credential is incorrect or lacks permission. We advise your Windows admin team to further investigate the issue. If basic WMI queries from the MID server to the target hosts fail, then discovery and orchestration activities would not be successful.

Further Documentation

Troubleshooting articles for Windows credential errors:

KB0549834 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0549834) - Windows Discovery - Troubleshooting WMI/Powershell issues on the remote machine
KB0549828 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0549828) - MID Server: troubleshooting WMI/Powershell issues, Credentials
KB0549830 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0549830) - WMI, PowerShell, and Windows Firewalls

Permission requirements for Windows credentials:

Permission requirements for Windows credentials (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_PermissionReqWinCredentials.html)
Discovery Windows probes and permissions (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_DiscoWinProbesAndPermissions.html#r_DiscoWinProbesAndPermissions)
Additional Discovery probe permissions (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_AdditionalPermissions.html)

SSH Credential

Confirm Authentication:

To troubleshoot SSH credential errors, use any SSH client (for example, putty.exe) and connect to the target IP address from the MID server being used to ensure the account can successfully log in to the target host. Make sure to use the same username/password combination as set in the credentials table. Access to the target system is necessary for any discovery or orchestration activity to work.

Confirm Authorization/Permission:

A user may be able to log in to a target system but may not have permission to run the command attempted by either discovery or orchestration. See the following links and confirm whether the user meets the requirements.

Access Requirements for Non-Root Credentials (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_UNIXAndLinuxCredentials.html)
UNIX and Linux commands requiring root privileges for Discovery and Orchestration (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_CmdsReqRootDiscoAndOrch.html#r_CmdsReqRootDiscoAndOrch)

To check what commands a user can run on a Unix based device, log into the target host with the user and run the following command:

    sudo -l

The output shows what privileged commands a user can run using sudo.

Private Key Credentials:

Sudo commands do not work with private key credentials, because there is no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration or give a password to the credential. If a command fails when using a private key credential, confirm the user can run the command without providing a password. For example, you might enter:

    disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig

In the example above the user disco can run dmidecode via sudo without providing a password.

Check what implementation of SSH is being used:

mid.ssh.use_snc enables the ServiceNow SSH client (SNCSSH) on individual MID Servers, via a MID server property (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/mid-server/task/t_SetMIDServerProperties.html). SNCSSH is a ServiceNow implementation of an SSH client and is active by default for all MID Servers on new instances. Enabling the ServiceNow SSH client disables the legacy J2SSH client. Out of box the value is true for new instances with Eureka or later and false for any prior existing instances.

Important: Mixing SSH client types for MID Servers connected to the same instance is not a good practice.

Add parameter mid.ssh.debug = true for more details.

Finally:

If the account can successfully log in to the target and execute the commands used by the probe being run or by orchestration, but the same activity fails when using the MID server, follow the Collecting MID server logs section for further troubleshooting.

SNMP Credential

SNMP uses UDP, which does not create a virtual connection to the target host as TCP does, and no reply may be given if a credential is not correct or authorized, depending on the version used. A timeout can be seen in the discovery log when an invalid credential is used. A couple of reasons for a timeout are:

1. The credential is not valid
2. The network or target server is too busy and does not return the OIDs within the timeout

Run an SNMP query to the target:

Using an SNMP tool, query OID 1.3.6.1.2.1.1.1.0 from the MID server. This OID is the sysDescr and will return a description of the device. The following example uses SnmpWalk.exe with publi, which is an incorrect community string; the correct community string for this example is public.

    C:\SNMPWalk>.\SnmpWalk.exe -r:10.127.212.181 -c:"publi" -os:.1.3.6.1.2.1.1 -op:.1.3.6.1.2.1.1.1.0
    %Failed to get value of SNMP variable. Timedout.

As seen above there is no credential failure error. Instead of an error the query eventually times out. In the following example the community string was corrected.

    C:\SNMPWalk>.\SnmpWalk.exe -r:10.127.212.181 -c:"public" -os:.1.3.6.1.2.1.1 -op:.1.3.6.1.2.1.1.1.0
    OID=.1.3.6.1.2.1.1.1.0, Type=OctetString, Value=Linux Linux-Tomcat 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:

As seen above, once the community string was corrected the sysDescr was returned; only part of it is shown above.

If the test above is successful, however discovery still fails, then follow the steps for Collecting MID server debug logs for further investigation.

SNMP Parameters:

The "timeout" for an SNMP request can be increased via the "timeout" probe parameter. The default value is 1500 (1.5s). Try increasing the timeout if a credential is known to be correct and still no OIDs are returned. For tabular data try the "use_getbulk" parameter to improve efficiency. See more information for SNMP probe parameters on SNMP probes (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/concept/c_SNMPProbe.html).

No result returned from probe:

In some cases a warning can be seen in the discovery log stating that No result returned from probe. This is seen when an input returns empty for the OID queried by the probe. This happens because a device does not have any results to return for the specified OID, and if that is the case this is expected. If there is suspicion that discovery may be wrong, a query for the same OID against the target IP address can be run to check on the output.

VMWare Credential

Confirm Authentication:

Confirm the same account configured in the credentials table can log into the VCenter target:

1. Log into the MID server host
2. Open up a browser and navigate to https://<V-Center_IP_Address>/mob, replacing the address with the IP address of the VCenter server
3. Make sure to use the same exact username/password combination and the same format as seen in the credentials table record

If the test above fails, have your VMware team further troubleshoot or provide access to the credential.

Further Documentation

VMWare credentials (https://docs.servicenow.com/bundle/jakarta-it-operations-management/page/product/discovery/reference/r_VMwareCredentialsForm.html)

Article Information

Last Updated: 2018-01-26 11:44:05
Published: 2018-01-16
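For the telnet step under General Troubleshooting, a TCP connect check can be run from the MID server host in place of telnet. This is an added example, not ServiceNow code: the function names and the hint wording are assumptions, the ports are the out-of-box values listed in the article, and the refused/timeout interpretation is general TCP behaviour.

```python
import errno
import socket

# Out-of-box TCP ports from the article; an administrator may have changed them.
DEFAULT_PORTS = {"WMI": 135, "SSH": 22, "VCenter": 443,
                 "WinRM": 5985, "WBEM": 5989, "LDAP": 389}

# What each outcome usually means (general TCP behaviour, not ServiceNow output).
HINTS = {
    "open": "port reachable; continue with the credential-specific checks",
    "refused": "host answered but rejected the connection; check the service "
               "and the firewall on the device",
    "timeout": "no answer; host down or a firewall on the path or device is "
               "dropping the traffic",
}


def check_port(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # e.g. EHOSTUNREACH, ENETUNREACH
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def check_credential_port(host, kind, port=None, timeout=3.0):
    """Check the port for one credential kind; pass port= if it was changed."""
    port = DEFAULT_PORTS[kind] if port is None else port
    status = check_port(host, port, timeout)
    return {"kind": kind, "port": port, "status": status,
            "hint": HINTS.get(status, "unexpected socket error; see status")}


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (constructed); use the target IP.
    print(check_credential_port("192.0.2.10", "SSH", timeout=2.0))
```

As with telnet, this only exercises TCP, so it says nothing about SNMP reachability over UDP.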
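For the Private Key Credentials check in the SSH section, the output of sudo -l can be audited against the commands a probe needs, to see which ones would still prompt for a password. This is an added example, not ServiceNow code: the function names, the host name host1 and the sample output are constructed, and the parser assumes the usual one-entry-per-line layout that sudo -l prints when its output is not wrapped.

```python
import re

# Constructed sample of `sudo -l` output for the article's user "disco".
SAMPLE_SUDO_L = """\
Matching Defaults entries for disco on host1:
    env_reset, mail_badpass

User disco may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/dmidecode, /usr/sbin/lsof, PASSWD: /sbin/fdisk -l
    (root) /sbin/ifconfig
"""

ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG = re.compile(r"([A-Z_]+):\s*")


def parse_sudo_l(text):
    """Yield (command, needs_password) for each command runnable as root."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        runas_users = re.split(r"[,\s]+", m.group(1).split(":")[0].strip())
        if not {"root", "ALL"} & set(runas_users):
            continue
        needs_password = True            # sudo's default unless NOPASSWD is set
        for item in re.split(r"(?<!\\),\s*", m.group(2)):
            tag = TAG.match(item)
            while tag:                   # tags stay in force for later commands
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    needs_password = tag.group(1) == "PASSWD"
                item = item[tag.end():]
                tag = TAG.match(item)
            if item.strip():
                yield item.split()[0], needs_password


def audit(text, required):
    """Map each required command to 'nopasswd', 'password' or 'not allowed'."""
    result = {cmd: "not allowed" for cmd in required}
    for cmd, needs_password in parse_sudo_l(text):
        for req in required:
            if cmd in (req, "ALL"):      # last matching entry wins, as in sudoers
                result[req] = "password" if needs_password else "nopasswd"
    return result
```

In the constructed sample, /sbin/ifconfig is deliberately left without NOPASSWD, so audit() reports it as "password": the case that fails with a private key credential.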