MID Server: high number of credentials
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2025 01:33 AM
Dear community,
I have a customer with a high number of credentials (more than 700), handled with CyberArk.
Do you consider this could be an issue when running discovery, in terms of timeouts by searching the correct credential for a CI, moreover the first time is discovered?
Thank you so much in advance
Best regards,
Javier
- Labels:
-
Discovery
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2025 02:53 AM
Hi @Javier10
Yes, a high number of credentials managed via CyberArk can lead to increased discovery times and potential timeouts, especially during the first discovery of a CI. The key risk is not the number of credentials in ServiceNow itself (since you only need one external credential pointing to CyberArk), but rather the performance of credential resolution from the external vault and the need to try multiple credentials until a match is found. Optimizing CyberArk performance, leveraging IP affinity, and thoughtful credential management are recommended to mitigate these issues.
Please also read the following article External Credential Store - SNMPv1/v2 performance Impact
Maik
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2025 03:12 AM
Dear @Maik Skoddow ,
Thank you very much for your answer. I found the article really helpful!
In addition to that, I would like to mention that my customer do not use SNMP credentials but SSH and Windows.
Do you think the root cause could be the same, anyway?
Regards
Javier
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2025 03:55 AM
Hi @Javier10
Yes, and please also take a look at the following mitigation tips:
-
Optimize CyberArk Performance: Ensure that the CyberArk server and network are optimized to handle a high volume of credential requests quickly
-
Use IP Affinity: Once a device is discovered, ServiceNow creates an affinity record linking the IP to the successful credential. This speeds up future discoveries for that device by skipping failed credential attempts
-
Limit Credential Scope: Where possible, limit the scope of credentials used in discovery schedules to only those relevant for the target devices, reducing unnecessary lookups
-
Monitor and Adjust Timeout Settings: For specific probes (like VMware), increase timeout values if credential lookup is consistently slow
-
Consider Credential Tagging or Affinity Pre-Population: Use credential tags or pre-populate the affinity table to reduce the number of credentials ServiceNow must try for known devices
Maik