‎06-26-2023 10:11 AM
Does anyone have experience/suggestions on using ServiceNow discovery to authenticate with servers that have Multi-Factor Authentication enabled?
Even with valid credentials, the result of discovery is: Adding target to blacklist. No valid credential found for type [Windows].
MFA is being rolled out for the organization's PCI environment due to updated PCI DSS requirements for version 4.0, which is effective 31 March 2025, specifically requirement 8.4.2, which states:
"The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers, and endpoints, and includes access directly to an entity’s networks or systems as well as web-based access to an application or function.
MFA for remote access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment."
Any advice would be appreciated.
‎06-27-2023 12:06 PM
ACC is the best solution for customers with Zero Trust and MFA requirements. Secondly, MFA regulatory requirements are enforced for user-based identity. The ServiceNow Discovery account will fall under system-based identity, where you mark the service account used for agentless discovery as a system account.
Also, check out the gMSA, WinRM options.

‎06-26-2023 08:00 PM
ServiceNow Discovery does not support MFA at this point in time, as per the GA docs.
So the error you are getting is expected, as Discovery is unable to log in to the host because of the second-level authentication needs.
Regards
RP