Amarjeet Pal
Kilo Sage
What is actually blocking your clone?
 
The Hidden Culprits
When the individual user MFA flag is false but the clone still fails, the issue is usually caused by one of three modern platform security constraints:
  1. Inbound Basic Auth Hardening: Recent ServiceNow security baselines block basic inbound API traffic by default. The clone engine utilizes background REST/SOAP calls via basic authentication. Without an explicit bypass role, the target instance rejects the connection with a 401 Unauthorized error.
  2. Global/Role-Based MFA Policies: Even if a specific user account has MFA turned off, global Multi-Factor Criteria rules (such as enforcing MFA on all accounts with the admin role) will still intercept the authentication attempt.
  3. Special Character Parsing Bugs: In newer UI layers like the Clone Admin Console, certain special characters (like @ or :) in a password can break the background credential parsing engine.

    How to Fix It (Step-by-Step)
    Perform these troubleshooting steps on your target instance to restore your clone functionality.
     
    Step 1: Add the Basic Auth Exception Role
    Because the clone process relies on background APIs, your target user needs explicit permission to bypass modern basic authentication restrictions.
    • Log in to the target instance as an administrator.
    • Navigate to the User [sys_user] record of the account being used for the clone.
    • Under the Roles related list, click Edit.
    • Add the snc_basic_auth_api_access role and click Save.
    • Alternative: If this is a dedicated integration account, you can instead check the Web Service Access Only box on the user record, which implicitly permits basic auth API paths.
     
    Step 2: Temporarily Disable Role-Based MFA Criteria
    If the user has the admin role, global system criteria might be forcing an MFA prompt anyway.
    • In the filter navigator, type Multi-factor Criteria.
    • Locate the record titled "Role based multi-factor authentication".
    • Change its Active status to false. (Remember to turn this back on once your clone completes!)
    • Navigate to Multi-Factor Authentication > User Multi-factor Setup and delete any cached MFA registration records for your clone user.
     
    Step 3: Sanitize the Password
    If your password contains special characters, update it.
    • Change the user's password to ensure it does not contain an @ or : symbol.
    • Stick to alphanumeric characters and safe symbols like underscores (_) or hyphens (-).
     

     
    Summary
    The next time you hit an authentication wall while configuring a system clone, do not stop at checking the basic user profile. Ensure your target user has snc_basic_auth_api_access, check for overriding Multi-factor Criteria, and verify that your password characters are not breaking the backend parser.
    Have you run into this issue during your recent upgrades? Let’s discuss in the comments below!