SCCM spoke or Microsoft Endpoint Configuration Manager spoke fails with Authentication issues

Issue

Spoke actions fail with the following errors:

- Invalid credential for SCCM, system exception
- PowerShell script execution failed. Script returned status 1 using account user {username}
- Failed while executing ActionGetApplications.ps1 (Access denied), Failed while executing ActionAddToUserCollection.ps1 (Access denied), or a similar error for any other MID Server script file used in the spoke.
- Cannot find path 'C:\Users\username\Documents\:\' because it does not exist.
- Access denied. Script returned status 3 using account local MID server service credential
- Authentication failure with the local MID server service credential.

Cause

The authentication failure can occur for one of the following reasons:

- MID server unable to communicate with the target server
- Insufficient rights provided to the user account
- PSDrive not mounted
- Execution policy set to restricted mode
- Double hop problem

To reproduce the authentication failure from the MID Server, run the following script from PowerShell:

    $computer = "FQDN of the target SCCM/MECM Server";
    # Enter the Windows credential when prompted
    $cred = Get-Credential;
    $session = New-PSSession -ComputerName $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred;
    Invoke-Command -Session $session -ScriptBlock {
        Import-Module -Name "$(Split-Path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
        Set-Location -Path "$(Get-PSDrive -PSProvider CMSite):\";
        Get-CMApplication | Select-Object -First 1
    }

If the failures are intermittent, run the script above repeatedly on the MID server to reproduce the failure.

Resolution

Verify connection from MID server to target server:

Make sure that the user is able to connect to the target server using the MID server.
To test that:

1. Navigate to the Windows credentials which are being used for the integration and click "Test Credential".
2. Provide the target server's Fully Qualified Domain Name (FQDN) or IP, select the MID server and click "OK" to run the test.
3. It should return the following output:

If it fails with an "Authentication failed" error, verify the following configuration:

- Confirm that the firewalls of the source device, target device, and network are not blocking the connection on port 135 or one of the dynamic ports. See: Troubleshoot communication issue between MID server and target server
- Verify the username and password details.
- The user should be an administrator or part of the "Remote Management Users" group on the target server/machine.

Verify user has SCCM/MECM specific rights and PSDrive is mounted:

- The user has the "Application Administrator" role on the SCCM/MECM server. If you want to configure custom roles, make sure the user has read access to applications and deployments, and read and write access to collections.
- Mounting PSDrive:
  1. Log into the SCCM or Microsoft Endpoint Configuration Manager console.
  2. Open the menu from the upper left corner of the console and select Connect via Windows PowerShell.
  3. Ensure that the user can access the Configuration Manager console.
  This action establishes the environment path to PowerShell for the logged-in Application Administrator user.

Note: If you are using the Microsoft Endpoint Configuration Manager Spoke and consuming actions which deal with objects other than applications, deployments and collections, the user will need additional access. Provide the required access based on the actions being consumed. See: Microsoft Endpoint Configuration Manager Spoke

Verify execution policy is not restricting access:

1. Run "Get-ExecutionPolicy" on the MID server and the SCCM/MECM server.
2. Verify that the returned mode allows PowerShell scripts (.ps1 files) to run. e.g.
you can set it using:

    Set-ExecutionPolicy Unrestricted

Double hop problem:

The following are signs that the underlying cause of the authentication failure is the double hop problem:

- Scripts/actions failing intermittently
- Scripts working from the MID server directly but not from the ServiceNow instance, or working from one MID server but not from another

Microsoft article: https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/

To resolve the double hop problem, review the Microsoft documentation below, which provides a few options to work around the second hop situation:

https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1

To use the option "PSSessionConfiguration using RunAs":

On the SCCM/MECM server, run the PowerShell command below to register a new session configuration:

    Register-PSSessionConfiguration -Name sccm -RunAsCredential lab02\administrator -MaximumReceivedDataSizePerCommandMB 1000 -MaximumReceivedObjectSizeMB 1000

Note:
- Replace the username with the actual credential.
- This configuration should remain effective after a server/service restart.

Once the above is done, on your ServiceNow instance navigate to MID Server > Script Files and open one of the following files as applicable:

- For workflows (orchestration SCCM pack) - SCCM.psm1
- For SCCM spoke - SCCMMain.psm1
- For Microsoft Endpoint Configuration Manager Spoke - MicrosoftEndpointManagerMain.psm1

Modify the following line

from:

    $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;

to:

    $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName sccm -Credential $credential;

Also, in another script file, Credentials.psm1 (the one with parent as PowerShell; you may also need to turn off the Business Rule "Prevent Duplicate,Spaces & Colon in name" temporarily), locate function testCredentialSCCM, and modify the line below
from:

    $session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred;

to:

    $session = New-PSSession -ComputerName $computer -ConfigurationName sccm -Credential $cred;

To use the option "CredSSP":

Run the Enable-WSManCredSSP command on the MID server host, and Enable-WSManCredSSP on the target SCCM, in order to enable CredSSP. Please refer to the Microsoft article below, which has a very detailed solution and a flow chart that makes it easier to understand where and how to apply these commands:

https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/

Then on your ServiceNow instance, navigate to MID Server > Script Files and open one of the following files as applicable:

- For workflows (orchestration SCCM pack) - SCCM.psm1
- For SCCM spoke - SCCMMain.psm1
- For Microsoft Endpoint Configuration Manager Spoke - MicrosoftEndpointManagerMain.psm1

Modify the line below

from:

    $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;

to:

    $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential -Authentication CredSSP;

Also, in another script file, Credentials.psm1 (the one with parent as PowerShell; you may also need to turn off the Business Rule "Prevent Duplicate,Spaces & Colon in name" temporarily), locate function testCredentialSCCM, and modify the line below

from:

    $session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred;

to:

    $session = New-PSSession -ComputerName $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred -Authentication CredSSP;
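
The causes listed under Cause, checked one at a time from the MID Server host so a failure can be attributed to a single cause. This is an added example, not ServiceNow or Microsoft code: the function name Test-SpokePrereq, its parameters and the extra probe of port 5985 (the default WinRM HTTP port) are assumptions, and the remote part reuses the cmdlets from the reproduction script above.

```powershell
# Added example, not ServiceNow/Microsoft code. Test-SpokePrereq and its parameters are hypothetical names.
function Test-SpokePrereq {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,          # FQDN of the SCCM/MECM server
        [Parameter(Mandatory)] [pscredential] $Credential,      # the Windows credential the spoke uses
        [string] $ConfigurationName = 'Microsoft.PowerShell32'  # 'sccm' once the RunAs endpoint exists
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($check, $ok, $detail)
        $results.Add([pscustomobject]@{ Check = $check; Passed = [bool]$ok; Detail = "$detail" }) }
    # Cause: MID server unable to communicate with the target (135 from the article, 5985 = WinRM HTTP)
    foreach ($port in 135, 5985) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        & $add "TCP $port reachable" $tcp.TcpTestSucceeded $tcp.RemoteAddress
    }
    # Cause: execution policy set to Restricted on the MID server
    $policy = Get-ExecutionPolicy
    & $add 'MID execution policy' ($policy -ne 'Restricted') $policy
    # Cause: bad credential or no right to open the remoting endpoint
    try {
        $session = New-PSSession -ComputerName $ComputerName -ConfigurationName $ConfigurationName -Credential $Credential -ErrorAction Stop
        & $add "Session on $ConfigurationName" $true $session.ComputerName
    } catch {
        & $add "Session on $ConfigurationName" $false $_.Exception.Message
        return $results
    }
    try {
        $remote = Invoke-Command -Session $session -ScriptBlock {
            $ErrorActionPreference = 'Stop'
            $r = @{ Policy = "$(Get-ExecutionPolicy)"; Drive = ''; Query = $false; Error = '' }
            try {
                Import-Module "$(Split-Path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"
                # Cause: PSDrive not mounted. An empty name turns the Set-Location target into ':\'.
                $r.Drive = "$((Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name)"
                if ($r.Drive) {
                    Set-Location "$($r.Drive):\"
                    # SCCM/MECM rights and the second hop are both exercised by this query
                    Get-CMApplication | Select-Object -First 1 | Out-Null
                    $r.Query = $true
                }
            } catch { $r.Error = $_.Exception.Message }
            [pscustomobject]$r
        }
        & $add 'Target execution policy' ($remote.Policy -ne 'Restricted') $remote.Policy
        & $add 'CMSite PSDrive mounted' $remote.Drive "$($remote.Drive) $($remote.Error)"
        & $add 'Get-CMApplication query' $remote.Query $remote.Error
    } finally { Remove-PSSession $session }
    $results
}
```

Call it as `Test-SpokePrereq -ComputerName <FQDN> -Credential (Get-Credential) | Format-Table -Wrap`, and again with `-ConfigurationName sccm` after registering the RunAs session configuration to confirm the new endpoint behaves the same way.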