Privileges and queries for ISE-SCCM integration

Peter Koltl
Level 7

We are troubleshooting an ISE-SCCM integration issue. The SCCM settings have been applied according to the ISE Administration guide (double checked by SCCM admin). ISE shows successful connection but is unable to access data in SCCM for any workstation.

 

We followed these step-by-step guides:

Configure the Microsoft SCCM Server for ISE

 

https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035#_Toc526701135

 

 

The guide states that

The user account that you use for ISE integration must either:

  • Be a member of SMS Admins user group.

  • Have the same permissions as the SMS object under the WMI namespace

root\sms\site_<sitecode>

where sitecode is the SCCM site.

 

SMS Admins is an AD group that provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying SMS security objects and data in the SMS Administrator console, or in other similar tools. Members can run WMI queries but they have no explicit read access to the MSSQL database so they cannot run WQL queries. Such users are able to access the data via the WMI provider and they have access to the WMI namespace.

 

However, there is a role in SCCM having even more privileges: the SCCM Full Administrator role. A full admin is able to run both WMI and WQL queries as he/she has explicit read access to the MSSQL database. Not surprisingly, the person responsible for SCCM prefers not to give this privilege if the Cisco guide does not indicate it.

 

The Cisco guide does not require that the ISE user should be a Full Administrator in SCCM. The guide does not include a step that we should give the user explicit read access to the MSSQL database.

 

Questions:

  • Is it correct that the integration user needs rights to run only WMI queries?

The Troubleshooting section describes a testing method with WBEMTOOL which uses a WQL query. Our user is unable to fetch data via WQL query as it is not a Full Administrator.

  • Is it correct in the guide that membership in SMS Admins is enough and the integration user does not need SCCM Full Administrator role?
  • Is it correct that the integration user does not need explicit read access to the MSSQL database to run WQL queries?


3 Replies

Timothy Abbott
Cisco Employee

As far as I'm aware, SCCM integration with ISE only requires WMI. I've asked a colleague to provide additional information.

 

Regards,

-Tim

Nidhi
Cisco Employee

ISE uses WMI to query the SCCM database and hence the user has to be part of SMS Admins. This is enough and you don't need any specific permission for SQL queries.

The guide has a snapshot of WMI query sent to SCCM server to check the compliance status. 

Thanks,

Nidhi

 

Peter Koltl
Level 7

WMI query and SMS Admins are enough actually.

 

The failure is caused by the over-complex factory WMI query in ISE. It cannot be served in 30 seconds by the SCCM server, and the too-long response times caused policy evaluation failure in ISE.
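The two things this thread turns on, whether the integration account can read the SMS Provider namespace without SQL rights, and whether a query against it comes back inside ISE's 30-second window, can both be checked from a Windows host before touching ISE. The script below is an added example, not from the thread, the Cisco guide or ISE itself. It assumes a hypothetical site code PS1, provider host sccm01.example.local and workstation WORKSTATION01, prompts for the integration account's credentials, and uses Windows PowerShell 5.1's Get-WmiObject (which accepts -Credential directly). The compliance query is only an approximation of the shape of ISE's query; the thread does not reproduce ISE's factory query.

```powershell
# Added example (not part of the thread or Cisco's guide): verify that an ISE integration
# account can read the SMS Provider over WMI, then time two WQL queries against the
# 30-second budget the thread identifies as ISE's policy-evaluation limit.
# Assumed (hypothetical) values: site code PS1, provider host sccm01.example.local,
# workstation WORKSTATION01. Runs in Windows PowerShell 5.1 (Get-WmiObject -Credential).

param(
    [string]$SiteServer     = 'sccm01.example.local',   # assumed SMS Provider host
    [string]$SiteCode       = 'PS1',                    # assumed site code
    [string]$Workstation    = 'WORKSTATION01',          # assumed client hostname
    [int]$TimeoutSeconds    = 30,                       # budget quoted in the thread
    [PSCredential]$Credential = (Get-Credential -Message 'ISE integration account')
)

$ns = "root\sms\site_$SiteCode"

# Step 1: can the account open the namespace at all? A failure here is a WMI namespace /
# SMS Admins problem, not a SQL-permission problem (no SQL login is involved in this path).
try {
    $site = Get-WmiObject -Namespace $ns -Class SMS_Site -ComputerName $SiteServer `
                          -Credential $Credential -ErrorAction Stop
    Write-Output ("Namespace {0} readable as {1}; site '{2}'" -f $ns, $Credential.UserName, $site.SiteName)
} catch {
    Write-Output ("Cannot read {0} as {1}: {2}" -f $ns, $Credential.UserName, $_.Exception.Message)
    return
}

# Helper: run a WQL query through the SMS Provider and report rows and elapsed seconds.
# WQL here is WMI's query language served by the provider, which is what the guide's
# wbemtest step exercises; it does not require database read access.
function Invoke-TimedWql {
    param([string]$Label, [string]$Query)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $rows = @(Get-WmiObject -Namespace $ns -Query $Query -ComputerName $SiteServer `
                            -Credential $Credential -ErrorAction Stop)
    $sw.Stop()
    $secs = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    Write-Output ("{0}: {1} row(s) in {2} s" -f $Label, $rows.Count, $secs)
    if ($secs -gt $TimeoutSeconds) {
        Write-Output ("  WARNING: exceeds the {0} s budget; ISE would fail policy evaluation" -f $TimeoutSeconds)
    }
    return $rows
}

# Step 2: a cheap lookup of the client record. If this already takes seconds, the provider
# itself is slow and a heavier compliance query will not fit the window either.
$resource = Invoke-TimedWql -Label 'Resource lookup' `
    -Query ("SELECT ResourceId, Name FROM SMS_R_System WHERE Name = '{0}'" -f $Workstation)
if ($resource.Count -eq 0) { Write-Output "No SMS_R_System record for $Workstation"; return }

# Step 3: a per-machine update compliance query of the general shape ISE needs (approximation,
# not ISE's own query). SMS_UpdateComplianceStatus.Status: 2 = required/not installed, 3 = installed.
$machineId = $resource[0].ResourceId
$compliance = Invoke-TimedWql -Label 'Update compliance' `
    -Query ("SELECT CI_ID, Status FROM SMS_UpdateComplianceStatus WHERE MachineID = {0}" -f $machineId)
$missing = @($compliance | Where-Object { $_.Status -eq 2 }).Count
Write-Output ("{0}: {1} update(s) reported as required but not installed" -f $Workstation, $missing)
```

Run it as a user who is in SMS Admins but not a Full Administrator: step 1 succeeding and both queries returning rows is the direct demonstration of the accepted answer (WMI access alone suffices). The elapsed-time lines are the useful part for the final diagnosis in this thread: a query that the provider cannot answer within the budget will show up here as a long-running, but otherwise successful, call, which is exactly the case that ISE reports as a policy evaluation failure rather than an access error.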

 

 
