I want to limit the number of credential attempts during discovery

Walter Ahn
Tera Contributor

As I said in the title, I want to limit the number of credentials I try to give the device when doing discovery.

I know it sounds very strange.

We need these features for a number of unspeakable reasons.

The way we use aliases is not a substitute for the functionality we want to see.

I already know how credentials are applied and behave when doing discovery.

I've been looking for scripts to perform tests to implement that functionality, but I haven't found any that pull credentials from within ServiceNow and pass them to a MID Server. (Of course, I'm sure I'm not looking for it. Please, it has to be.)

 

So we ask a lot of experts.

In which script can I find the behavior I'm talking about (passing the credentials to the MID Server)?

Is it possible for me to modify it?

If you can't fix it, at least tell me what behavior is preventing you from fixing it.

 

Please answer.

10 REPLIES

Pratiksha
Mega Sage

Take an example for win credentials. You have two of them. Now, when you have created the first schedule or behaviour and you know for sure which credentials will be used, disable the one which you know won't be applicable. Once you run the discovery, the IP will have its affinity created. You can enable the second creds and try to run the behavior again. You will see it will not try the other one.

Regards,

Pratiksha

Thank you for your answer.

 

However, if there are 1000 credentials in the schedule and it runs periodically every day at midnight, isn't it almost impossible for a user to intervene and activate or deactivate the credentials?

 

For example, if you have 1000 credentials in a schedule and you set it up with IP bands and there are 100 devices already collected and 5 devices installed by the infrastructure administrator, each of the 5 devices will have 1000 credential attempts in the worst case before it succeeds in authenticating...

 

I would like to solve this situation with a configuration within the ServiceNow instance...

 

Again, thank you very much for your response.

Pratiksha
Mega Sage

This is like tricking the system, and it is not to be done every time. Only one time, to create the affinity.

 

Anyway, read about this: https://docs.servicenow.com/bundle/washingtondc-platform-security/page/product/credentials/concept/d...

Thank you for your response.

 

I understood that you were telling me how to use an alias.

 

However, my understanding is that if you don't include credentials in the alias, it won't work even if you have an affinity.

 

If that is the case, then in a schedule that is performed every day at midnight, any device that uses credentials that are not registered in ALIAS will not be discovered...

 

Thanks again for your response.

Nilanjan1
Mega Sage

@Walter Ahn Hope you are fine. Apologies if the question is not appropriate. I was wondering why we are using more than one credential. Are the devices separated by domains?

 

If I understood the question correctly, I want to propose a thought. I believe you are using IP addresses to discover the Linux devices. Why can't we group based on the ranges of the IP based on subnets? This way the credentials can also be reduced and may not have an impact on the performance.