SCOM / SCSM – Retrieve Decrypted RunAs Account Credentials

password-ftr

I am not sure if you have seen it, but Richard Warren from nccgroup has figured out, how to decrypt the RunAs account credentials in SCOM. The problem up to now was, that there was no official way to retrieve the encrypted credentials from SCOM. There is just one DLL to use, which offers the decrypt method. He has written a EXE and a PowerShell script on Github . I know there are always two sides of the medal. In this case an evil and a good way of using this knowledge. I think I don’t have to talk about the evil way, instead I would like to talk about its benefit.

Richard Warren has used it for SCOM RunAs accounts, but if you think about it Service Manager (SCSM), which is based on the same framework, therefore I was curious if this approach also works for SCSM. In fact it did! Why is this awesome? Well, think about it. We are able to “securely” store credentials in SCSM (or SCOM) using RunAs accounts. Now we are able to retrieve those credentials easily. Because I do a lot of automation in SCSM using service requests and itnetX PowerShell activities I always had some trouble to store credentials in a save manner. There are many ways to do so, like exporting the credentials into XML (Export-CliXML) , using certificates , encrypting the credentials using a key and store it somewhere like here or maybe you could store the credentials in SMA and retrieve it using PowerShell. Whatever method you are going to use, you will end up with more or less problems. The best approach would be, to store the credentials on the system where you need it (SCSM) and the SCSM administrator can manage these accounts without to dig into PowerShell code or certificates etc. Therefore RunAs accounts are a perfect way for storing credentials.

Because of that, I have used Richard’s sample, modified the code a bit to be able to use it on SCOM and SCSM and also return proper output. The PowerShell module will return the a credential hash table. You need to execute the module on the SCOM or SCSM management server and the only parameter you need to provide is the SCOM RunAs account display name like in this example.

In SCOM the RunAs account looks like this…

image

…and if you use the PowerShell module it works like this…

image

You can download the module from PowerShell Gallery . Be aware of the fact, that you need permission to access the database and management server.

Continue reading

SCSM 2016 / SCOM 2016 – SCOM 2016 Console Crashes After SCSM 2016 Console Installation

boom

Have you ever installed System Center Service Manager 2016 and System Center Operations Manager 2016 console on the same system? Depending on the installation order, the SCOM console will crash with multiple errors like this…

image

…and the console will appear empty or crash totally. We had the case, that the SCOM console was installed first and the SCSM console afterwards. It is a known issue and MVP Eric Berg as blogged about it in German, check his post here.

Because this error has massive impact and I was also affected by this nasty bug I will re-write it in English and pimp this post with some nice screenshots :).

The problem is the Analysis Management Objects (AMO) 2014 package which is being installed by the SCSM 2016 console installation. What you could do, is uninstalling the Analysis Management Objects (AMO) 2014 package and run a repair installation of the SCOM console.

image

A better workaround is the following (taken from Eric Berg’s blog)…

Continue reading