Thursday, February 17, 2011

SCOM: Account specified in the Run As Profile cannot be resolved - Troubleshooting using SSID

Update for SCOM 2012: SCOM 2012 does have a cmdlet for getting RunAs profiles: Get-SCOMRunAsProfile. As one of the commenters below added, if you want to get the SSID's in SCOM 2012, then use the cmdlet 'Get-SCOMRunAsAccount'.
Get-SCOMRunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % { 
 $string = $string + "{0:X2}" -f $_}
 $_.Name;" $string"
}

Written for SCOM 2007...
Update:
#Don't forget to add the OM2007 snapin
add-PsSnapIn "Microsoft.EnterpriseManagement.OperationsManager.Client" 
New-ManagementGroupConnection -ConnectionString:"scommssrv"
set-location "OperationsManagerMonitoring::" 

Some management packs require configuration of Run As Profiles.
This means that you configure associations between classes/objects and Run As Accounts. Whenever a workflow from a management pack is instructed to use a Run As Profile it will only work when the targeted class or object of the workflow is associated with an account. And last but not least, the Run As Account should be distributed to the servers on which that class exists.

This blogs shows you some tips on how to troubleshoot alerts associated with these kind of things.

When you misconfigure the Run As Profile, the following alert can popup in your console:
Account specified in the Run As Profile ">RunasAccountProfile<" cannot be resolved.

With some extra info:

Management Group: ###
Run As Profile: Company.Product.Role.Application.ActionAccountProfile
Account SSID: 0025F224C5251A6F4EEE112ACD9F0EB07D9178AFB500000000000000000000000000000000000000


This alert tells you that you associated the runas account, but the agent that tries to use the account, did not actually receive the account credentials.
So either you add the server to the distribution list, or you reconfigure the runas profile associations with beter classes/objects.

But he! I can't find the specified Run As Profile 'Company.Product.Role.Application.ActionAccountProfile'. That's right. That's the Name property shown in the description. If you want to find the Run As Profile as it's showed in the Operations Console, you will need the DisplayName. For that we could use the Operations Manager Shell:
Get-RunAsProfile ... oh, that cmdlet does not exist :(

What more does the alert message say? This is interesting:
Note: you may use the command shell to get the Run As Account display name by its SSID"

We could use the SSID from the alert message. The Ops Mgr Shell does have a cmdlet for showing the Run As Accounts.
The only problem we have here, is that the SSID mentioned in the alert description is a string type value. Cmdlet Get-RunAsAccount shows us that the SSID is stored as a byte array in the property SecureStorageId. So we can't compare these types.

For that i've created this script. It gets all Run As Account, formats the byte array SecureStorageId property to a readable string, and show the Run As Account DisplayName with it's SSID.
Get-RunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % { 
 $string = $string + "{0:X2}" -f $_}
 $_.Name;"  $string"
}

PowerShell does not have built-in functions for formatting numbers, therefore you can use the .Net formatting methods.

With this in mind you could add a string comparison to only show a match when the Alert Message SSID correspands with the SecureStorageId string ($string).
If you need help with that, leave a message.

12 reacties:

jasony.8826 said...

any idea on how we can use ApproveCredentialForDistribution in powershell to add the distribution of the account?

Michiel Wouters said...

@jasony.8826
I haven't done this before. After reading about the method you mentioned, i think you'll need the following.

Syntax: .ApproveCredentialForDistribution(securedData, healthServiceList

*A Management Group object. This object holds the method.
(Get-ManagementGroupConnection).ManagementGroup

*An iSecureData object. I dont know exactly how to use this. I think Get-RunAsAccount returns objects of a class that inherits an implementation of iSecureData. If this doesn't work you could try the method GetMonitoringSecureData.

* An object list(healthServiceList). This is a list of monitoring objects. So here you could use Get-MonitoringObject with a class criteria.
$MonitoringClass = Get-MonitoringClass -Name "Microsoft.SystemCenter.HealthService"

Maybe I can find some time in the future to figure this out completely. You could try systemcentercentral.com, the Microsoft forums or one of the OpsMgr programmers.

ernestbrant said...

Hello

Thanks for this Brilliant Blog, your script above worked find, I adjusted a little to give me the Run As Account display name by entering the SSID as parameter when running the the script as follows

param([Parameter(Mandatory=$true,HelpMessage="Please enter the SSID")][string]$SSID)


Get-RunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % {
$string = $string + "{0:X2}" -f $_}

$RunAsAccountName = $_.Name
[string]$RunAsAccountSSID = $string
if ($SSID -match $RunAsAccountSSID) {write-host "The Run As Account is .. $RunAsAccountName"}
}

Thanks again for this great blog

Ernie

Thief_ said...

In SCOM 2012, the command is now:

Get-SCOMRunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % {
$string = $string + "{0:X2}" -f $_}
$_.Name;" $string"
}

Devin Greco said...

If you could be so kind as to help a total noob out, how exactly do I get this script to run? Do I save it in Notepad as .ps1 file and run it in OM shell? I can't seem to get it to execute in Scom2007R2 using that method.

Michiel Wouters said...

@Devin Greco.

You cab just copy/paste the script and execute it in the OpsMgr Command Shell.

Or copy the script contents to a .ps1 file and then execute that file from the Operations Manager Command Shell.
& "c:\script\yourscript.ps1".

This will not work from an ordinary Powershell console unless you load the Operations Manager snapin.
This will not work from a ordinary Powershell console unless you loaded the Operations Manager

Devin Greco said...

Thanks for your help. I don't know what the heck I did wrong, but I swear I that before it didn't work. I tried it again today and it worked perfectly. Keep up the great blog!

Mariusz Bryniewicz said...

Good one! Great blog. Thanks for the script. It's been a great help to figure out RunAsAccount by SSID.

Mariusz

Dominique said...

Hello,
I am getting an error for the path !!

PS C:\users\rmppqx\desktop
>./SSID-2007.ps1

when prompted for SSID I entered:
00707C686769F3C0C9897403644020F428FEC723C300000000000000000000000000000000000000

and got:

Get-RunAsAccount : The 'Path' parameter is empty or the required provider locat
is not set."
At C:\users\rmppqx\desktop\SSID-2007.ps1:4 char:1
+ Get-RunAsAccount | Sort Name | % {$string = $null;$_.SecureStorageId | % {
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:String) [Get-RunAsAccount], Ar
entOutOfRangeException
+ FullyQualifiedErrorId : InvalidParameter,Microsoft.EnterpriseManagement.O
ationsManager.ClientShell.GetRunAsAccountCmdlet

What should be the path parameter? What di I do wrong?

Thanks,
Dom

Michiel Wouters said...

@Dominique, when you use this script on a 2012 environment, but want to use the 2007 cmdlets, you have to add the OM2007 snap-in manually.

add-PsSnapIn "Microsoft.EnterpriseManagement.OperationsManager.Client"
New-ManagementGroupConnection -ConnectionString:
set-location "OperationsManagerMonitoring::"

Equerm said...

Hi,

I did some small changes to the code, this version returns a PSCustomObject. It's on pastebin if you're interested

https://pastebin.com/h2MEAEwF

Michiel Wouters said...

@Equerm great work!

Post a Comment