Creating and mapping scanning credentials

Scanning credentials are login/password combinations and certificates/keys used by your Lansweeper installation to remotely access and scan network assets. The following assets require a scanning credential in order to be scanned remotely: Linux, Unix, Mac and Windows computers, VMware and vCenter servers, Citrix XenServers, network devices (printers, switches...) that have SNMP enabled, AWS and Azure cloud assets, Office 365 accounts. Windows computer credentials are also used when deploying packages on computers.

Your Lansweeper installation allows you to submit an unlimited number of scanning credentials. Scanning credentials are managed in the following section of the web console: Scanning\Scanning Credentials

Scanning Credentials menu
Scanning credentials must be created and then mapped, so Lansweeper knows when to use them. If you map a Windows credential to a domain for instance, Lansweeper will try to use that credential for any Windows computer within that domain.
Linux, Mac and Windows computers can be scanned locally as well, with a scanning agent. Linux and Mac can be scanned with LsAgent, while Windows can be scanned with LsAgent or the older LsPush scanning agent. If you scan your computers exclusively with an agent and don't use the deployment module, you do not need to submit computer scanning credentials.

Creating scanning credentials

To create a credential, hit the Add new Credential button in the Scanning\Scanning Credentials section of the web console. There are various types of credentials:

  • AWS credentials (added in Lansweeper 7.1)
    Amazon Web Services credential
    - Used for scanning: AWS VPCs and instances
    - Must have: list-only programmatic access to your EC2-VPC environments. Info on how to set this up can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Access key: access key ID of the user with list access to EC2
    - Secret key: secret access key of the user with list access to EC2
  • Azure credentials (added in Lansweeper 7.1)
    Microsoft Azure credential
    - Used for scanning: Azure resource groups and virtual machines
    - Must have: read-only access to your Azure subscription. You must register an application in Azure Active Directory of the type Web App / API, generate a key for it and assign it the Reader role for your subscription. Info on how to set this up can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Directory ID: your Azure Active Directory (tenant) ID
    - Application ID: ID of the application with read access to your subscription
    - Application password: password/key of the application with read access to your subscription
  • Citrix credentials (added in Lansweeper 7.0)
    Citrix XenServer credential
    - Used for scanning: Citrix XenServers
    - Must have: access to XenAPI and be able to run the following command groups on your XenServers: delegating, drivers, locate, networking, processes, services, software, storage. Full root access is not required. Info on how to configure Citrix credentials can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Login: your Citrix login
    - Password: your Citrix login's password
  • Intune credentials (added in Lansweeper 7.1)
    Microsoft Intune credential
    - Used for scanning: Android, iOS (iPhone and iPad) and Windows Phone mobile devices enrolled in Microsoft Intune. When you submit an Intune credential, an Intune scanning target is automatically created as well.
    - Must have: access to your Intune environment. You must register an application in Azure Active Directory of the type Native and grant it the DeviceManagementManagedDevices.Read.All permission under Microsoft Graph. Your user account must also have access to Intune. Info on how to set this up can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Username: user with the ability to view devices in your Intune environment
    - Password: user's password
    - Application ID: ID of the application with the DeviceManagementManagedDevices.Read.All permission
  • Office 365 credentials (added in Lansweeper 7.1)
    Office 365 credential
    - Used for scanning: Office 365 accounts. When you submit an Office 365 credential, an Office 365 scanning target is automatically created as well.
    - Must have: administrative permissions to Office 365 to be able to inventory all contacts, mailboxes and ActiveSync devices. A global administrator is guaranteed to have sufficient rights.
    - Name: custom name you can assign to the credential
    - Login: user (email address) with administrative permissions to your Office 365 environment
    - Password: user's password
  • SNMP(v1/v2) credentials
    SNMPv1 or SNMPv2 credential
    - Used for scanning: network devices that have SNMPv1 or SNMPv2 enabled
    - Must have: read-only SNMP access to your devices
    - Name: custom name you can assign to the credential
    - Community: the (case-sensitive!) SNMP community string used by your devices. Many network devices use public and private as their default SNMP community strings, public being for read-only access and private for read/write access. Your devices could be using custom strings, however.
    - Use SNMP(v1)/Use SNMP(v2): optionally, uncheck one of these boxes to have Lansweeper only try SNMPv1 or SNMPv2. Unchecking one of these boxes is generally only recommended if your devices have trouble processing SNMPv1 or SNMPv2 requests.
  • SNMP(v3) credentials
    SNMPv3 credential
    - Used for scanning: network devices that have SNMPv3 enabled
    - Must have: read-only SNMP access to your devices
    - Name: custom name you can assign to the credential
    - Login: your SNMP login
    - Password: your SNMP login's password
    - Encryption key: encryption key required if authentication type is set to MD5 or SHA1
    - Authentication type: None, MD5 or SHA1
    - Privacy type: None, DES, AES 128, AES 192, AES 256 or Triple DES
  • SSH credentials
    SSH credential
    - Used for scanning: Linux, Unix and Mac computers
    - Must have: access to the uname (Linux/Unix) or system_profiler (Mac) command. More info on Linux/Unix scanning requirements can be found in this knowledge base article and more info on Mac scanning requirements can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Login: your SSH login
    - Password: your SSH login's password
  • SSH certificate credentials
    SSH certificate credential
    - Used for scanning: Linux and Unix computers
    - Must have: access to the uname command. More info on Linux/Unix scanning requirements can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Login: your login
    - Passphrase: your passphrase, if there is one
    - Private SSH key: your SSH key. Sample inputs can be seen in the info popup when hovering over the question mark icon.
    - Sudo Password: your sudo password
  • vCenter credentials (added in Lansweeper 7.0)
    vCenter server credential
    - Used for scanning: vCenter servers
    - Must have: read-only access to your vCenter servers. Info on how to set this up can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Login: your vCenter login
    - Password: your vCenter login's password
  • VMware credentials
    VMware credential
    - Used for scanning: VMware servers
    - Must have: read-only access to your ESXi servers
    - Name: custom name you can assign to the credential
    - Login: your VMware login
    - Password: your VMware login's password
  • Windows credentials
    Windows domain credential
    Windows local credential
    - Used for scanning: Windows computers and users
    - Must have: administrative permissions on your computers and, for scanning domain computers and users, read-only access to Active Directory. A domain admin can be used to scan a domain, but has more permissions than required. More info on Windows domain scanning requirements can be found in this knowledge base article and more info on Windows workgroup scanning requirements can be found in this knowledge base article.
    - Name: custom name you can assign to the credential
    - Login: a down-level logon name like NetBIOS domain name\username (domain credentials) or a user principal name (UPN) like username@yourdomain.local (domain credentials) or .\username (local credentials) or username@outlook.com (Microsoft accounts)
    - Password: your user account's password

Mapping scanning credentials

To map a credential, hit the Map Credential button in the Scanning\Scanning Credentials section of the web console. You can select multiple credentials at once. Credentials are tried in the order you see them. In the example below, Lansweeper will first try the Window domain credential and then the local credential. You can change the order in which credentials are tried by grabbing (left-click and hold) a credential in the Credentials column and dragging it to a new position.

mapping credentials
The only credentials that don't need to be mapped are global credentials. Global credentials are tried for any asset of the specified type, if all other credentials of the same type have failed. Your global Windows credential is tried for any Windows computer for instance, if all other credentials mapped to the computer have failed.
Lansweeper also remembers which credential it last successfully scanned an asset with. When the asset is rescanned, the last successful credential is tried first. If that fails, any mapped credentials are tried. If those fail as well, your global credentials are tried.

You can map a credential to:

  • An AWS region
    mapping to an AWS region
    - Select an AWS region from the dropdown. Additional regions can be submitted by hitting the Add Scanning Target button in the Scanning\Scanning Targets section of the web console and selecting AWS Region from the Scanning Type dropdown.
  • An Azure subscription ID
    mapping to an Azure subscription ID
    - Select an Azure subscription ID from the dropdown. Additional subscription IDs can be submitted by hitting the Add Scanning Target button in the Scanning\Scanning Targets section of the web console and selecting Azure from the Scanning Type dropdown.
  • An IP address
    mapping to an IP address
  • An IP range
    mapping to an IP range
    - Select a range from the dropdown. Additional ranges can be submitted by hitting the Add Scanning Target button in the Scanning\Scanning Targets section of the web console and selecting IP Range from the Scanning Type dropdown.
  • An individual Windows computer
    mapping to a Windows computer
    - Domain\Computername: NetBIOS domain name\NetBIOS computer name or workgroup name\NetBIOS computer name
  • A domain or workgroup
    mapping to a domain or workgroup
    - Domain or Workgroup: NetBIOS name of the domain or name of the workgroup

Related Articles