- OC Scanner is placed on a server that can access the SharePoint server over the network.
- The OC Scanner scan file is created on the OC Configurator server, with the appropriate credentials/IP/FQDN and Scheduler details.
- A remote SharePoint scan requires credentials to be entered in the scan file.
- The user account that is running the scan has permissions on the SharePoint server software itself.
- CredSSP Authentication is enabled on both the OC Scanner server and the SharePoint server itself.
Setting the correct scan user permissions
- Log in to the SharePoint server as an existing SharePoint Administrator.
- Open the SharePoint Management Shell.
- In the SharePoint Management Shell, execute the following PowerShell script:
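# Grant the scan account access to every web application in the farm.
$allFarmWebApplications = Get-SPWebApplication
foreach ($webApplication in $allFarmWebApplications)
{
    $w = Get-SPWebApplication $webApplication.Url
    # Replace DOMAIN\USER with the account that runs the scan.
    $w.GrantAccessToProcessIdentity("DOMAIN\USER")
}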
To execute the above script, save it as a .ps1 file, switch to the folder containing the script, and execute ./ps-script.ps1 (example script name). Replace DOMAIN\USER in the script with the user account that is running the scan. The script assigns the correct SharePoint permissions to that account, so it can enumerate the SharePoint users on the given server.
Enable CredSSP Authentication
- On the SharePoint server, run the following PowerShell command under an Administrator account:
- Enable-WSManCredSSP -Role "Server"
- On the OC Scanner server, run the following PowerShell command under an Administrator account:
- Enable-WSManCredSSP -Role "Client" -DelegateComputer "server.domain.com"
- server.domain.com should be replaced by the real SharePoint server FQDN.
- After the above steps, run the OC Scanner as usual, and the SharePoint users should be present in the SPLA reports.
- Further CredSSP info can be found in this article.
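
The following check is an added example, not part of the original article or of OC Scanner. CredSSP hands the scan account's credentials to the remote host, so it is worth confirming on the OC Scanner server that delegation is limited to the SharePoint server before running a scan. The `$SharePointFqdn` value is a placeholder, and the last step assumes WinRM on the SharePoint server is reachable at that FQDN.

```powershell
# Added example: run in an elevated PowerShell session on the OC Scanner server.
# Placeholder: use the same FQDN that was passed to -DelegateComputer.
$SharePointFqdn = 'server.domain.com'

# 1. Is CredSSP enabled for the local WinRM client?
$clientCredSsp = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
Write-Host "CredSSP client authentication enabled: $clientCredSsp"

# 2. Which hosts may receive delegated credentials?
#    Enable-WSManCredSSP records them as 'wsman/<host>' under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets = @()
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

$expected = "wsman/$SharePointFqdn"
foreach ($t in $targets) {
    if ($t -eq $expected)     { Write-Host "OK  $t" }
    elseif ($t.Contains('*')) { Write-Warning "Wildcard delegation target: $t" }
    else                      { Write-Warning "Unexpected delegation target: $t" }
}
if ($targets -notcontains $expected) {
    Write-Warning "$expected is not configured as a delegation target"
}

# 3. End-to-end check: authenticate to the SharePoint server with CredSSP,
#    using the account that runs the scan (DOMAIN\USER in the script above).
$cred = Get-Credential -Message 'Scan account (DOMAIN\USER)'
try {
    Test-WSMan -ComputerName $SharePointFqdn -Authentication Credssp `
        -Credential $cred -ErrorAction Stop | Out-Null
    Write-Host "CredSSP session to $SharePointFqdn succeeded"
} catch {
    Write-Warning "CredSSP session to $SharePointFqdn failed: $($_.Exception.Message)"
}
```

A warning from step 2 means credentials can be delegated to hosts other than the SharePoint server; `Disable-WSManCredSSP -Role Client` clears the client configuration so it can be re-enabled with only the intended FQDN.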