Multifactor authentication and system clone

stevemac
Tera Guru

Hi,

We recently enabled multifactor authentication (MFA) in all of our instances. All users with the "admin" role are configured to use it. No problems experienced.

Yesterday we performed our first clone from Prod to sub-prod overnight since MFA was implemented.   MFA is now not working in subprod.  Generating a new code for a user addresses the issue.

Comparing prod and sub-prod, the issue appears to be the User Multi-factor Authentications [user_multifactor_auth] table. Sub-prod now has production's values & I assume the Multi Factor secret value is incorrect.

Wondering if anyone else has run into this?  I plan to create clone exclude table and clone preserve data entries for the table [user_multifactor_auth].  Is there anything else that needs to be done?

thanks,

Steve

sebastian_g_snc
ServiceNow Employee

I assume that will do it.
You could also try a cleanup script after the clone finished.

stevemac
Tera Guru

Thanks for the update. Have found a few more things worth sharing:

  • we created Clone Exclude table and Clone Preserve data records for the user_multifactor_auth table
  • The user submitting the Clone request could not authenticate with the target instance with MFA enabled on his account (in the clone target instance).  The GUI would not prompt for the MFA code.  As such he disabled MFA on his account in the clone target and was able to authenticate with the target and submit the clone request.
  • The clone was performed.  The user was unable to log in to the clone target with local authentication (external auth was OK).  The MFA code entry was not accepted.  Investigation revealed:
    • user account is enabled for MFA (as the user table came from the clone source)
    • no entry in the user_multifactor_auth table for the same user (as it was removed when MFA was disabled for that user to facilitate clone target authentication)
  • New MFA code generated for this user on the clone target.  MFA working as expected
  • As per the MFA doco, the MFA code can be appended to the end of the user's password.  We have submitted a new clone request.  Authentication with the clone target was successful when the MFA code was appended to the user's password

 

Clone to sub-prod will occur tonight.  Will post back on outcome

Hi Steve,

So excluding the user_multifactor_auth table resolved the issue of MFA codes overwritten in target instance?


spriisholm
Giga Contributor

Hi 

We have also experienced the same problem "many" times.

When cloning from PROD to TEST/DEV, the user on TEST/DEV will get the PROD MFA.

Next time I will try the exclude / preserve on [user_multifactor_auth] table OR save the table from TEST/DEV before cloning as XML. Then, after cloning, remove content, and import the XML.

I will return with the result 🙂


BRs

Soren
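
The two failure modes reported in this thread (the target's user_multifactor_auth rows being replaced by the source's, and an MFA-enabled user left with no row at all) can be checked for after a clone. The following is an added example, not code from any poster or from ServiceNow: it compares exports of the target taken before and after the clone, and the record shapes and field names (`sys_id`, `user_name`, `mfa_enabled`, `user`, `secret`) are assumptions.

```javascript
// Added example: post-clone audit of MFA state on a clone target.
// Record shapes and field names are assumptions, not the platform schema.
const crypto = require('crypto');

// Compare fingerprints so raw secrets are never logged or returned.
const fingerprint = (secret) =>
  crypto.createHash('sha256').update(String(secret)).digest('hex');

// users:     target user rows after the clone
// mfaBefore: target user_multifactor_auth rows exported before the clone
// mfaAfter:  target user_multifactor_auth rows after the clone
function auditMfaAfterClone(users, mfaBefore, mfaAfter) {
  const before = new Map(mfaBefore.map((r) => [r.user, fingerprint(r.secret)]));
  const after = new Map(mfaAfter.map((r) => [r.user, fingerprint(r.secret)]));
  const findings = { missingSecret: [], changedSecret: [] };
  for (const u of users) {
    if (!u.mfa_enabled) continue; // MFA not required for this account
    if (!after.has(u.sys_id)) {
      // MFA flag came across with the user table but no secret row exists
      findings.missingSecret.push(u.user_name);
    } else if (before.has(u.sys_id) && before.get(u.sys_id) !== after.get(u.sys_id)) {
      // Row was overwritten: exclude/preserve did not protect the table
      findings.changedSecret.push(u.user_name);
    }
  }
  return findings;
}

// Constructed sample data (not real accounts or secrets).
function demo() {
  const users = [
    { sys_id: 'u1', user_name: 'alice.admin', mfa_enabled: true },
    { sys_id: 'u2', user_name: 'bob.admin', mfa_enabled: true },
    { sys_id: 'u3', user_name: 'carol.admin', mfa_enabled: true },
    { sys_id: 'u4', user_name: 'dave.user', mfa_enabled: false },
  ];
  const mfaBefore = [
    { user: 'u1', secret: 'TARGET-SECRET-A' },
    { user: 'u2', secret: 'TARGET-SECRET-B' },
  ];
  const mfaAfter = [
    { user: 'u1', secret: 'TARGET-SECRET-A' }, // preserved
    { user: 'u2', secret: 'SOURCE-SECRET-B' }, // replaced by the source's value
  ];
  return auditMfaAfterClone(users, mfaBefore, mfaAfter);
}

console.log(JSON.stringify(demo()));
```

Accounts listed under `missingSecret` or `changedSecret` are the ones that would need a new MFA code generated on the target, as described in the posts above.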