Basic authentication failed for user

nawalkishos · 15 hours ago

Hello experts,

We are receiving lots of info message in system log "basic authentication is failed for user-svc_apps" and when we try to look the user- svc_apps that is locked out automatically and if we make user locked out false then in some it auto make it true , which integration is causing this issue and how to stops this message and how to fix this?

please let me know if any additional information is required.

Thank you!

Tanushree Maiti · 14 hours ago

Hi @nawalkishos

Probable cause:

1. An external system (e.g Monitoring tools) is using Basic Auth with a stored, outdated password.

2. check if a daily LDAP import might be deactivating the user

3.The svc_apps user might be used for a MID Server service that has a password mismatch

4. check if any scheduled job- hard coded password is there.

How to identify

1. Navigate to sys_transaction_log.list Filter by the user ID to see recent transactions.

2. Navigate to System Policy > Events > Event Log. Filter for user name = svc_apps . Look at the Description field to see the IP address or which system trying to log in and login failed

Probable fix:

1. Reset the password for svc_apps in the ServiceNow sys_user table.

2. Immediately share it with all external applications who were using this account, update MID Servers, and scripts that use this account with the new password ( if you misses any external system, they will raise INC if integration fails ->then share the password with them)

3. If a MID Server is used, check the config.xml file on the server and restart the MID service.

Note: Ensure In the svc_apps user record, check the Web service access only box. This prevents the account from being used for UI logins and reduces lockouts.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
Linkedin:

Vishal Jaswal · 14 hours ago

Hello @nawalkishos

Question: which integration is causing this issue:

My Response: As the context map highlights various ServiceNow tables, my guess is some reporting application in your organization is trying to make a REST API call to your instance for these tables.

You can try reproducing this log error (issue) by using POSTMAN for your PDI instance with incorrect basic auth credentials.

Question: how to stops this message and how to fix this?
Answer: The correct updated password in your servicenow instance as well as to the third party app team:

Navigate to All > Connections & Credentials > Credentials and search for name contains svc_apps. Update the password.

Navigate to All > Connections & Credentials > Connections and search Credential contains svc_apps. This may lead you to find out which integration.

This article will help you learn how "svc_apps" is locked out automatically: https://www.servicenow.com/docs/r/platform-security/instance-security-hardening-settings/sc-managing...

Hope that helps!