How can I identify which credential was used during a Credential Test?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi all,
I have a question regarding the Credential Test functionality in ServiceNow Discovery.
In my environment, I have multiple credentials configured, and I run Credential Tests to verify connectivity. However, I would like to identify which specific credential (record/sys_id) was actually used during the test execution.
At the moment, I can see the test results, but it is not clear which credential was applied. I also checked sources such as ECC Queue and Discovery-related logs, but I could not reliably trace it back to a specific credential.
Question
Is there a way to determine which credential was used during a Credential Test?
For example:
Can this be identified from ECC Queue payloads or logs (MID Server logs, Discovery logs, etc.)?
Is there any out-of-the-box functionality or configuration to track this?
Are there recommended approaches or best practices (including custom solutions such as scripts or Business Rules)?
Additional context
I have already considered the following approaches:
Analyzing ECC Queue payloads
Checking the relationship with Credential Affinity
Reviewing MID Server logs
However, I have not found a practical and reliable way yet.
Any guidance or proven approaches would be greatly appreciated.
Environment
ServiceNow: (e.g., Zurich)
Discovery in use
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi @hideken
Ideally, the credential used can be identified from the Credential Affinity [dscy_credentials_affinity]
table. However, if you have already validated that and are still unable to trace the credential, then please share:
A screenshot of how you performed the Discovery/Credential Test
A screenshot of the list of configured credentials (just to understand the credential types, such as Windows, UNIX, SNMP, etc.)
The names/classes of the CIs that are getting discovered
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi Laveena,
Thank you for your response.
I understand that credential affinity helps identify credentials during Discovery execution. However, my question is specifically about the Credential Test phase prior to running Discovery.
My understanding is that credential affinity is only established after a successful Discovery run and is not applicable to Credential Tests.
Could you please help clarify the following?
During a Credential Test (not a full Discovery run), is there any way to identify which specific credential record (sys_id) was actually utilized?
For example, can this be traced within ECC Queue payloads, MID Server logs, or any other internal logs?
If there is no out-of-the-box way to do this, I would appreciate any recommended approaches or best practices.
Thanks in advance,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
Hi @hideken
could you please share the screenshot of how you performed the Discovery Credential Test. Did you just pass the Ip address to test it?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
Hi Laveena,
Thank you for your follow-up.
Please find attached screenshots of how I am performing the Credential Test.
As shown, I am executing the test directly from a discovery_credentials record by specifying the target IP address.
---
### What I am trying to achieve
My goal is to identify the original discovery_credentials record (sys_id) that was actually used during the Credential Test.
The reason behind this requirement is related to Credential Affinity management before Discovery execution:
- In our current operation, we manually register Credential Affinity before running Discovery
- This is because, during Discovery, all available credentials are attempted sequentially
- This behavior results in:
- Unnecessary login attempts
- Potential security alerts on target servers
To avoid this, we want to:
- Pre-determine the correct credential
- Then register Credential Affinity in advance
---
### Current challenge
At the moment:
- We perform Credential Tests manually
- But we cannot reliably identify which discovery_credentials record (sys_id) was actually used behind the test result
---
### What I want to achieve (final goal)
Instead of manual work, I would like to:
- Trace the credential used during Credential Test (from logs or internal processing)
- And automate the Credential Affinity registration, for example:
- via Business Rules
- or other customization approaches
---
### My question (restated)
Is there any way to reliably identify which discovery_credentials record (sys_id) was used during a Credential Test?
For example:
- Can this be traced via ECC Queue payloads?
- MID Server logs?
- Any internal tables or logs?
Or, if there is no out-of-the-box way:
- Are there any recommended design patterns or custom approaches to achieve this?
---
Any insights or proven approaches would be greatly appreciated.
Thanks again for your support!
