SCOM / SCSM – Retrieve Decrypted RunAs Account Credentials

I am not sure if you have seen it, but Richard Warren from NCC Group has figured out how to decrypt the RunAs account credentials in SCOM. The problem up to now was that there was no official way to retrieve the encrypted credentials from SCOM. There is just one DLL to use, which offers the decrypt method. He has written an EXE and a PowerShell script on GitHub. I know there are always two sides to the coin: in this case an evil and a good way of using this knowledge. I think I don’t have to talk about the evil way; instead I would like to talk about its benefit.

Richard Warren has used it for SCOM RunAs accounts, but Service Manager (SCSM) is based on the same framework, so I was curious whether this approach also works for SCSM. In fact it did! Why is this awesome? Well, think about it. We are able to “securely” store credentials in SCSM (or SCOM) using RunAs accounts. Now we are able to retrieve those credentials easily. Because I do a lot of automation in SCSM using service requests and itnetX PowerShell activities, I always had some trouble storing credentials in a safe manner. There are many ways to do so, like exporting the credentials into XML (Export-Clixml), using certificates, encrypting the credentials using a key and storing it somewhere like here, or maybe storing the credentials in SMA and retrieving them using PowerShell. Whatever method you use, you will end up with more or less problems. The best approach would be to store the credentials on the system where you need them (SCSM), so that the SCSM administrator can manage these accounts without digging into PowerShell code or certificates etc. Therefore RunAs accounts are a perfect way of storing credentials.

Because of that, I have used Richard’s sample and modified the code a bit to be able to use it on SCOM and SCSM and also return proper output. The PowerShell module will return a credential hash table. You need to execute the module on the SCOM or SCSM management server, and the only parameter you need to provide is the SCOM RunAs account display name, like in this example.

In SCOM the RunAs account looks like this…

image

…and if you use the PowerShell module it works like this…

image

You can download the module from PowerShell Gallery. Be aware that you need permission to access the database and management server.

WAP – Get Windows Azure Pack Websites via PowerShell

Windows Azure Pack was Microsoft’s first attempt to bring Azure into your on-premise datacenter. The things you can do with it are limited to IaaS VMs, PaaS databases and PaaS websites. In addition there is Service Bus and some networking part which is necessary for the IaaS / PaaS services. Of course there are other required parts, like Service Provider Framework (SPF), SC Virtual Machine Manager etc. Because my job is to automate things using PowerShell, I sometimes need to get data out of systems, like in this case WAP as my data source. If you look a bit closer at WAP and you want to get information about configured SQL databases or MySQL databases, there is a rich set of PowerShell cmdlets available, and these modules are installed on the WAP admin servers…

image

…so what you could do is use PowerShell remoting and query these servers for information. If you want to get information about provisioned VMs, you could simply query VMM using its own cmdlets to gather information.

One other way you could get information out of WAP is to use the Public Tenant API. This API provides tenant-specific information, therefore you need to provide a subscription to get detailed information about that specific tenant. MVP Ben Gelens has written a fantastic PowerShell module to get all sorts of information from the WAP Public Tenant and WAP Admin API. You can find the module here: https://github.com/bgelens/WAPTenantPublicAPI. I have tested it and it works like a charm.

So what is the point of this post? Well, so far we have seen that we can get information about SQL Server and MySQL databases using these PowerShell cmdlets via the Admin API, and for VMs use VMM as a data source, but what about websites? There are also modules installed on the web controller servers themselves, e.g. the WebSites module…

image

…and the WebSiteDev module…

image

…to get information about websites from the system, just use the cmdlets above.

A more elegant way to pull website information is going through the endpoint REST API (Web Site Cloud REST Endpoint), which you need to provide when adding the website resource to the admin portal. It depends on how you configured it, but as an example, to find the settings you configured, you could open the Windows Azure Pack Websites MMC on the web controller server and find all the different settings…

SCSM 2016 / SCOM 2016 – SCOM 2016 Console Crashes After SCSM 2016 Console Installation

Have you ever installed System Center Service Manager 2016 and System Center Operations Manager 2016 console on the same system? Depending on the installation order, the SCOM console will crash with multiple errors like this…

image

…and the console will appear empty or crash totally. We had the case that the SCOM console was installed first and the SCSM console afterwards. It is a known issue and MVP Eric Berg has blogged about it in German, check his post here.

Because this error has a massive impact and I was also affected by this nasty bug, I will re-write it in English and pimp this post with some nice screenshots :).

The problem is the Analysis Management Objects (AMO) 2014 package, which is installed by the SCSM 2016 console installation. What you could do is uninstall the Analysis Management Objects (AMO) 2014 package and run a repair installation of the SCOM console.

image

A better workaround is the following (taken from Eric Berg’s blog)…

Experts Live Switzerland 2017 – Speaker

I am very proud to be speaking at Experts Live Switzerland 2017. I will have a talk together with my buddy Jonas Feller from itnetX. We both have gained a lot of experience in the past doing on-premise automation projects, and this is also the title of our session:

“On-premise Automation using System Center Service Manager (SCSM), Service Management Automation (SMA) and PowerShell”

We will highlight some conceptual aspects, but also show some technical automation kung fu kicks you might want to be aware of. In addition we will discuss some approaches and tools, which can avoid some headache and trouble. The event takes place May 17th in Bern, so save the date and hopefully you join our session. The session is held in German.

What is Experts Live Switzerland and how does it fit into the entire Experts Live stack?

User Group – IT Pro Switzerland Experts Live Cafe

I have been very busy recently organizing a new user group event. It isn’t just a user group, it is a part of the Experts Live network. What is “Experts Live Café”? The idea of Experts Live Café is to get community members together to share know-how, get the latest technology insights, socialize, network and have a good time. There will be 2 sessions organized per event, held by anyone who has an interesting project to share or wants to talk about Microsoft (but not only) technologies. Because it is part of the Experts Live network, there will be some interesting news / concepts behind it in the near future.

Together with my MVP buddy Stefan Johner we run these café events and we try to find sponsors to offer the community members free drinks and snacks in a cozy location. We are proud to have Microsoft Switzerland as our first sponsor on board – big THANK YOU!

Our goal is to run at least 3 such events in 2017. Our first event takes place in Bern, Switzerland April 7th from 4:00 pm until 7:00 pm. The first session will be about a Windows 10 rollout at a big Swiss insurance company, the second session needs to be defined. So if you are interested in this event, please check the website at http://itproch.expertslive.cafe/ and follow us on Twitter @ExpertsLiveCafe, hope to see you there. The site will be updated in the upcoming weeks to reflect the latest information, so stay tuned!

OMS – Error "Run Login-AzureRMAccount to Login" e.g. OMS Cmdlets

I wanted to play with the OMS cmdlets which are part of the AzureRM modules. The OMS / OperationsInsights module itself is called AzureRM.OperationalInsights. A good place to start with OMS native PowerShell cmdlets is a blog post on the Building Clouds blog. So what is the exact issue? Well, I tried to query my workspace for installed solutions. First I logged in using the Login-AzureRmAccount cmdlet, which succeeded quite nicely…

image

…after I authenticated I ran a cmdlet to get the solutions from OMS…

image

…no matter which cmdlet I tried, I always received the error above.

After some time, I tried to update the modules, running Update-Module which ended in this error…

image

Next step, I tried to install the entire ARM modules by running Install-Module AzureRM -AllowClobber, which ended in a similar error…

image

SMA Authoring Toolkit – Some Runbooks Are Not Showing Up

When you are creating runbooks in SMA (Service Management Automation) and you are using the SMA Authoring Toolkit available on PowerShell Gallery, you might also have faced a very annoying bug. If you have a certain amount of runbooks in SMA and you are browsing through the runbook list in ISE, you simply cannot find certain runbooks. Trying to refresh the list does not work at all.

image

If you open SMA to browse the runbook list you can see them all published and in a “healthy” state. So there is no reason not to show up.
