SCCM spoke or Microsoft Endpoint Configuration Manager spoke fails with Authentication issues - Support and Troubleshooting

SCCM spoke or Microsoft Endpoint Configuration Manager spoke fails with Authentication issues Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Spoke actions for SCCM or Microsoft Endpoint Configuration Manager fail with one of the following authentication errors:

"Invalid credential for SCCM, system exception" "PowerShell script execution failed. Script returned status 1 using account user {username}" "Failed while executing ActionGetApplications.ps1 (Access denied)" or similar error for other MID Server script files "Cannot find path 'C:\Users\username\Documents:' because it does not exist." "Access denied. Script returned status 3 using account local MID server service credential" "Authentication failure with the local MID server service credential." Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All supported releases

Cause .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Authentication failures can occur for one of the following reasons:

MID Server cannot communicate with the target server User account has insufficient rights PSDrive is not mounted Execution policy is set to restricted mode Double hop problem (credential delegation issue) Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Work through the following sections to identify and resolve the authentication failure.

Reproduce the authentication failure To reproduce the authentication failure from the MID Server, run the following script in PowerShell:

$computer = "FQDN of the target SCCM/MECM Server";

$cred = get-credential; #put in the Windows Credential when prompted

$session = New-PSSession -ComputerName $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred;

Invoke-Command -Session $session -ScriptBlock {

Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1"

Set-Location -path "$(Get-PSDrive -PSProvider CMSite):\";

Get-CMApplication | Select-Object -First 1

}

For intermittent failures, run the script repeatedly on the MID Server to reproduce the issue.

Verify MID Server can connect to target server Go to the Windows credentials record used for the integration. Select Test Credential . Enter the target server's Fully Qualified Domain Name (FQDN) or IP address. Select the MID Server and select OK .

If the test succeeds, the output shows a successful connection. If the test fails with "Authentication failed", verify the following:

Firewalls on the source device, target device, and network are not blocking port 135 or the dynamic ports. See the product documentation on troubleshooting MID Server communication issues. User name and password are correct. User is an administrator or member of the "Remote Management Users" group on the target server. Verify user has SCCM/MECM rights and PSDrive is mounted The user account must have appropriate SCCM/MECM permissions:

Application Administrator role on the SCCM/MECM server, OR Custom role with read access to applications and deployments, and read/write access to collections Note: If you use Microsoft Endpoint Configuration Manager Spoke actions that work with objects other than applications, deployments, and collections, the user needs additional access based on the actions being consumed. See the product documentation for Microsoft Endpoint Configuration Manager Spoke.

Mount the PSDrive:

Log in to the SCCM or Microsoft Endpoint Configuration Manager console. Open the menu from the upper left corner and select Connect via Windows PowerShell . Verify the user can access the Configuration Manager console. This action establishes the environment path to PowerShell for the Application Administrator user.

Verify execution policy allows PowerShell scripts On the MID Server and SCCM/MECM server, run: Get-ExecutionPolicy If the policy restricts PowerShell scripts (.ps1 files), change it: Set-ExecutionPolicy Unrestricted

Resolve double hop problem The double hop problem occurs when credentials cannot be delegated from the MID Server to the target server. Signs of this issue include:

Scripts or actions fail intermittently Scripts work directly from the MID Server but not from the ServiceNow instance Scripts work from one MID Server but not another Choose one of the following options to resolve the double hop problem.

Option 1: PSSessionConfiguration using RunAs

On the SCCM/MECM server, run the following PowerShell command to register a new session configuration:

Register-PSSessionConfiguration -Name sccm -RunAsCredential lab02\administrator -MaximumReceivedDataSizePerCommandMB 1000 -MaximumReceivedObjectSizeMB 1000

Replace domain\username with your actual credential. This configuration persists after server or service restart. In ServiceNow, go to MID Server > Script Files and open the applicable file: For workflows (Orchestration SCCM pack) : SCCM.psm1 For SCCM Spoke : SCCMMain.psm1 For Microsoft Endpoint Configuration Manager Spoke : MicrosoftEndpointManagerMain.psm1 Locate the following line: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;

Change it to: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName sccm -Credential $credential; Open the Credentials.psm1 script file (the one with parent PowerShell). Note: You may need to temporarily deactivate the business rule "Prevent Duplicate, Spaces & Colon in name" to edit this file. Locate the function testCredentialSCCM and find the following line: $session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred; Change it to: $session = New-PSSession -ComputerName $computer -ConfigurationName sccm -Credential $cred;

Option 2: CredSSP

On the MID Server host, run the Enable-WSManCredSSP command. On the target SCCM server, run the Enable-WSManCredSSP command. See the Microsoft article on enabling PowerShell second hop functionality with CredSSP for detailed instructions and a flowchart. In ServiceNow, go to MID Server > Script Files and open the applicable file: For workflows (Orchestration SCCM pack): SCCM.psm1 For SCCM Spoke: SCCMMain.psm1 For Microsoft Endpoint Configuration Manager Spoke: MicrosoftEndpointManagerMain.psm1 Locate the following line: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential; Change it to: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential - Authentication CredSSP; Open the Credentials.psm1 script file (the one with parent PowerShell). Note : You may need to temporarily deactivate the business rule "Prevent Duplicate, Spaces & Colon in name" to edit this file. Locate the function testCredentialSCCM and find the following line: $session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred; Change it to: $session = New-PSSession -ComputerName $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred -Authentication CredSSP;

Related Links .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Microsoft Endpoint Configuration Manager Spoke (product documentation)

Troubleshooting MID Server communication issues

PowerShell Remoting: Making the Second Hop (Microsoft documentation)

Enable PowerShell Second Hop Functionality with CredSSP (Microsoft DevBlogs)