External Credential Test and Discovery fails.

Canjura · ‎02-21-2023

We have setup External Credentials to use CyberArk.
There are multiple credentials in the Safe for different IP addresses (target hosts), so this particular Credential is set in our instance with the "Credential ID" blank.
As per the CyberArk integration doc:

Credential ID field:
"If you want CyberArk to look up the credential in a configured
safe by the IP address rather than the credential ID, leave this
field blank. This is the best practice for handling installations in
which each server has a unique credential. Without this type of
lookup, you must create a credential ID record in your instance
for every server in your environment."

The MID servers can communicate and retrieve passwords from the safe, the same Credential ID works for some servers but fails on some others.

This is the APPAudit.log entry when the "Test Credential" or the Discovery job FAILS on a target host (10.1.1.1):

[21/02/2023 | 22:20:44] | :: | APPAU001I Provider Prv_MID_SERVER1 has successfully fetched password [safe=SN_SAFE,folder=Root,name=SN-Discovery] with query [safe=SN_SAFE;folder=root;address=10.1.1.1] for application [App_SERVICENOW]. Fetch reason: []

And this is the APPAudit.log entry when the "Test Credential" or the Discovery job WORKS on target a different target host (10.2.2.2):

[21/02/2023 | 23:35:39] | :: | APPAU001I Provider Prv_MID_SERVER1 has successfully fetched password [safe=SN_SAFE,folder=Root,name=SN-Discovery] with query [safe=SN_SAFE;folder=root;address=10.2.2.2] for application [App_SERVICENOW]. Fetch reason: [[AppID: App_SNOW_MIDServer_P]]

I have also tried these:

1. TEST CREDENTIALS INTERACTIVELY
- Retrieved the password from the safe
- RDP into the MID server
- Run a Putty session to the target host using the credentials retrieved from the safe and it works fine.

2. TEST A NON-EXTERNAL CREDENTAIL
- Retrieved the password from the safe
- Created a new Credential Entry (not as 'External Credentials store')
- Test Credential and Discovery works with that one (which is the same user/pass as in the safe)

Lastly, I've tried to set the "Lookup key" in the external credential entry to the values below without success:
- Credential ID
- IP Address
- All of the above

What am I missing here?

This is similar (but not exactly the same) as the issue posted on:
https://www.servicenow.com/community/itom-forum/external-credential-test-fails-invalid-target-specif...

Thanks

Rahul Priyadars · ‎02-21-2023

Can you try this command from Mid Server to ur failing host...

Windows Credential

A simple Powershell WMI query directly from the MID Server to the remote machine can be used to test access and permissions.

Open a PowerShell command line on the host where the MID server is being used and run the following:

gwmi win32_operatingsystem -computer 192.168.200.14 -credential 'LOCALDOMAIN\mid'

Substitute LOCALDOMAIN\mid by the credential to test, and 192.168.200.14 with the target IP address. The expected result would be similar to:

SystemDirectory : C:\Windows\system32
Organization    :
BuildNumber     : 6001
RegisteredUser  : Windows User
SerialNumber    : 12345-OEM-1234567-12345
Version         : 6.0.6001

If the WMI command above fails, either the credential is incorrect or lacks permission. We advise your windows admin team to further investigate the issue. If basic WMI queries from the MID server to the target hosts fails, then discovery and orchestration activities would not be successful.

Regards

RP

Canjura · ‎02-22-2023

Hi Rahul,

Thanks for your reply, the failing servers are UNIX/Linux servers and I haven't found a Windows box with this symptoms. The SSH session (via Putty) works fine from the MID with those same credentials.

Thanks,

Rahul Priyadars · ‎02-22-2023

Just for testing purpose ..

Configure a SSH local cred in Service Now and do a quick discovery - Hope this is also working?

Regards

RP

Canjura · ‎02-23-2023

Hi RP,

Yes, I already tested it and that works but as you mentioned, that was just for testing purposes.

Thanks