Hello,
Our team is new to using InsightVM and one of the selling points for our team was to ease the automation of patch management. We are currently experiencing an issue with the integration of SCCM and InsightVM.
Things we have done:
- Created and activated the orchestration server using the OVF file provided by R7
- Added an AD service account with local admin privileges to the primary SCCM server
- Added the service account to the SCCM console and granted the following permissions:
  - Collection
    - Create
    - Modify
    - Modify Resource
    - Read
    - Read Resource
    - Remote Control
  - Software Update Group
    - Create
    - Modify
    - Read
- Verified WinRM is listening on ports 5896 and 5895
- Tested WinRM with PSEXEC.exe
Excerpt from the error message is:
Connect: Connecting...
rapid7/Microsoft SCCM:2.0.4. Step name: add_devices_to_collection
Connection test failed! There is likely an issue with the connection details, or the plugin can not communicate via WinRM on the SCCM host.
An error occurred while fetching the SCCM site based on site path: <SITE NAME>, please review the error for additional details: the specified credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/winrm/transport.py", line 278, in _send_message_request
    response.raise_for_status()
  File "/usr/local/lib/python3.7/site-packages/requests-2.22.0-py3.7.egg/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: for url: https://<IP>:5986/wsman
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/microsoft_sccm_rapid7_plugin-2.0.4-py3.7.egg/komand_microsoft_sccm/connection/connection.py", line 26, in test
    run_script = util.powershell(self, script, self.logger, False)
  File "/usr/local/lib/python3.7/site-packages/microsoft_sccm_rapid7_plugin-2.0.4-py3.7.egg/komand_microsoft_sccm/util/util.py", line 37, in powershell
    run_script = powershell_session.run_ps(script)
  File "/usr/local/lib/python3.7/site-packages/winrm/__init__.py", line 50, in run_ps
    rs = self.run_cmd('powershell -encodedcommand {0}'.format(encoded_ps))
  File "/usr/local/lib/python3.7/site-packages/winrm/__init__.py", line 37, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/local/lib/python3.7/site-packages/winrm/protocol.py", line 157, in open_shell
    res =
We opened a ticket with R7, but they simply said there is a permissions issue. I don’t know how we can grant the service account more permissions than local admin and the SCCM permissions in the documentation. We haven’t given the service account domain admin, and I am hopeful that is not required since that would be a major security risk.
Any help would be greatly appreciated.