Review: Basic Authentication Account Security
The banner in your ServiceNow instance is a security advisory related to Basic Authentication accounts.
Warning Summary:
"Action Required: Review Basic Authentication Account Security"
ServiceNow has introduced security changes that will affect accounts using Basic Authentication (username/password authentication) for integrations, APIs, MID Servers, inbound email, or other automated connections.
What you should do
- Click "Know More" on the banner.
- Review all accounts currently using Basic Authentication.
- Identify whether those accounts are:
  - Integration users
  - Service accounts
  - API users
  - MID Server users
- Follow ServiceNow's recommendation, which may include:
  - Migrating to OAuth 2.0
  - Using Mutual TLS (mTLS)
  - Strengthening security settings for Basic Auth accounts
  - Exempting only those accounts that genuinely require Basic Auth
The Know More link gives the details below (screenshot taken as-is from a PDI).
Screenshot text copied here and explained:
To improve the security of this instance, a security update will change basic authentication configurations for certain accounts. This change will take effect as explained in KB3025707.
[ https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3025707 ].
We recommend that you promptly take the actions listed below.
KB3025707: you must have access to the Now Support portal to read it.
Take action:
- Review the Identified Users table. If you want to continue to allow an account to use Basic Authentication, then set its decision to one of the following:
  - Maintain current login - Basic Auth API and UI login allowed
    The snc_basic_auth_api_access role is granted to the account, so its Basic Authentication access continues when enforcement begins.
  - Revoke Basic Auth API login - Basic Auth API login blocked and UI login allowed
    This user will not be granted the exception role. Their basic auth access will fail when enforcement begins.
  - Convert to web service access only account - Basic Auth API login allowed and UI login blocked
    This will convert the user to a web service access only user. They will be unable to make UI logins, but basic authentication will continue to work for this account. No roles will be assigned.
  - Apply default from system property
    This user's basic auth access will be granted or denied based on the decision configured in the global property "glide.authenticate.basic_auth.restriction.default_decision". You can review or change this on the property page.
- Review and adjust the start of the enforcement period from the enforcement schedule job.
Note: the security_admin role is required to make any changes.
How enforcement works:
- Once enforcement is enabled, Basic Authentication requests are blocked unless the requesting account matches one of the following:
  - Accounts having Web Services Access Only (WSAO).
  - Accounts presenting a valid MFA one-time password.
  - Accounts having the snc_basic_auth_api_access role.
- Default decision (glide.authenticate.basic_auth.restriction.default_decision): default value applied to new rows in the Basic Auth Exception table during the tracking period. Per-row decisions in the Basic Auth Exception table override this default.
- Feature toggle (glide.authenticate.basic_auth.restriction.active): this is a feature toggle for the Basic Authentication restriction feature on this instance. When unchecked (false), no enforcement occurs, regardless of the value of glide.authenticate.basic_auth.restriction.enforce. Use this as an emergency disable to halt the feature without changing other settings.
- Enforcement toggle (glide.authenticate.basic_auth.restriction.enforce): controls whether enforcement is active. When unchecked (false), accounts using Basic Authentication are recorded but no requests are blocked (tracking mode). When checked (true), Basic Authentication requests are blocked unless the requesting account is on the allow-list (enforcing mode). Has no effect when glide.authenticate.basic_auth.restriction.active is set to false.
How to find affected accounts
Navigate to:
System Security → Users (or the page linked from the banner)
Review users that:
- Are used by integrations
- Have Web Service Access enabled
- Authenticate via username/password instead of OAuth
What ServiceNow is enforcing
- When enforcement is turned on, a Basic Auth API request will be allowed only if the account meets one of the approved conditions:
  - The account is marked Web Service Access Only.
    Note: this field might be invisible on your PDI because of an OOB client script on the User [sys_user] table; disable that client script to see the field. Important point about this user's identity, once we change it to Machine: this is because of two OOB client scripts written on the User [sys_user] table.
  - The account has the snc_basic_auth_api_access role.
  - The account provides a valid MFA one-time password (where applicable).
- If none of those conditions are met, Basic Auth requests can fail with authentication errors (typically HTTP 401 responses).
New decisions you must make for each identified user:
On the Basic Auth Restriction page, ServiceNow asks administrators to choose one of these actions for each affected account:

| Option | Result |
|---|---|
| Maintain Current Login | User can continue UI login and Basic Auth API access |
| Revoke Basic Auth API Login | User can log in to the UI but cannot use Basic Auth APIs |
| Convert to Web Service Access Only | User can use APIs but cannot log in interactively |
| Apply Default Decision | Uses the system-wide default property |
Properties introduced for enforcement
1) Feature toggle: glide.authenticate.basic_auth.restriction.active
   Enables or disables the Basic Auth restriction feature entirely.
2) Enforcement toggle: glide.authenticate.basic_auth.restriction.enforce
   Controls whether ServiceNow is merely tracking usage or actively blocking non-approved accounts.
3) Default decision: glide.authenticate.basic_auth.restriction.default_decision
   Defines what happens to newly detected Basic Auth users before you review them individually.
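To make the interaction between the three properties, the per-account decisions and the allow-list concrete, here is an added example (my own illustration, not ServiceNow's code) that models the enforcement rules and decision table described above as a dry-run check you can reason about offline. The property and role names are the ones quoted on this page; the decision value strings, the sample account records, the "validMfaOtp" request flag and the function names are constructed for the illustration and are not ServiceNow identifiers.

```javascript
// Added example (not ServiceNow's code): a model of the Basic Auth restriction
// logic described above. Property and role names are the real ones quoted on
// the page; the decision value strings, account records and function names
// are constructed for this illustration.

const EXCEPTION_ROLE = "snc_basic_auth_api_access";

const PROP_ACTIVE  = "glide.authenticate.basic_auth.restriction.active";
const PROP_ENFORCE = "glide.authenticate.basic_auth.restriction.enforce";
const PROP_DEFAULT = "glide.authenticate.basic_auth.restriction.default_decision";

// Per-row decisions from the Basic Auth Exception table (value names constructed).
const Decision = Object.freeze({
  MAINTAIN: "maintain_current_login",      // grants the exception role
  REVOKE:   "revoke_basic_auth_api_login", // role not granted; API Basic Auth fails
  CONVERT:  "convert_to_wsao",             // sets Web Service Access Only, no roles
  DEFAULT:  "apply_default",               // defer to the default_decision property
});

// "Apply default" resolves to whatever the default_decision property holds.
function resolveDecision(account, props) {
  return account.decision === Decision.DEFAULT ? props[PROP_DEFAULT] : account.decision;
}

// Return a copy of the account as it would look once its decision is applied.
function applyDecision(account, props) {
  const decision = resolveDecision(account, props);
  const roles = new Set(account.roles);
  let wsao = account.webServiceAccessOnly;
  switch (decision) {
    case Decision.MAINTAIN: roles.add(EXCEPTION_ROLE); break; // exception role granted
    case Decision.REVOKE:   break;                            // nothing granted
    case Decision.CONVERT:  wsao = true; break;               // becomes WSAO, no roles
    default: throw new Error("unknown decision: " + decision);
  }
  return { ...account, roles: [...roles], webServiceAccessOnly: wsao, effectiveDecision: decision };
}

// Evaluate one Basic Auth API request against the allow-list from "How enforcement works".
// request.validMfaOtp models "presenting a valid MFA one-time password".
function evaluateBasicAuthRequest(account, request, props) {
  if (!props[PROP_ACTIVE]) {
    return { allowed: true, mode: "disabled", reason: "feature toggle off (emergency disable)" };
  }
  if (!props[PROP_ENFORCE]) {
    return { allowed: true, mode: "tracking", reason: "usage recorded, nothing blocked" };
  }
  if (account.webServiceAccessOnly) {
    return { allowed: true, mode: "enforcing", reason: "Web Service Access Only" };
  }
  if (request.validMfaOtp) {
    return { allowed: true, mode: "enforcing", reason: "valid MFA one-time password" };
  }
  if (account.roles.includes(EXCEPTION_ROLE)) {
    return { allowed: true, mode: "enforcing", reason: "has " + EXCEPTION_ROLE };
  }
  return { allowed: false, mode: "enforcing", status: 401, reason: "not on the allow-list" };
}

// Dry run: which identified accounts would start failing with HTTP 401 under these
// properties? Plain username/password calls are assumed (no MFA OTP), which is how
// integrations normally authenticate.
function impactReport(accounts, props) {
  const report = { allowed: [], blocked: [] };
  for (const raw of accounts) {
    const account = applyDecision(raw, props);
    const result = evaluateBasicAuthRequest(account, { validMfaOtp: false }, props);
    (result.allowed ? report.allowed : report.blocked).push(account.userName);
  }
  return report;
}

// Constructed sample of the Identified Users table after an admin review.
const IDENTIFIED_USERS = [
  { userName: "svc_legacy_vendor", roles: [],       webServiceAccessOnly: false, decision: Decision.MAINTAIN },
  { userName: "jdoe",              roles: ["itil"], webServiceAccessOnly: false, decision: Decision.REVOKE },
  { userName: "svc_etl",           roles: [],       webServiceAccessOnly: false, decision: Decision.CONVERT },
  { userName: "svc_monitor",       roles: [],       webServiceAccessOnly: false, decision: Decision.DEFAULT },
];

// Constructed property values: enforcement has begun and unreviewed rows default to Revoke.
const ENFORCING_PROPS = {
  [PROP_ACTIVE]: true,
  [PROP_ENFORCE]: true,
  [PROP_DEFAULT]: Decision.REVOKE,
};

console.log(JSON.stringify(impactReport(IDENTIFIED_USERS, ENFORCING_PROPS)));
// → {"allowed":["svc_legacy_vendor","svc_etl"],"blocked":["jdoe","svc_monitor"]}
```

The point the report makes is the one the page warns about: svc_monitor was never reviewed, so it inherits the default decision and is the account that silently breaks. Flipping the default_decision property to the equivalent of "Maintain" keeps it working, and setting the active property to false disables everything regardless of the enforce property, which is the emergency-disable behaviour described above.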
The risk of things breaking:
If you enable enforcement without reviewing accounts, these commonly break:
- REST integrations
- SOAP integrations
- Integration Hub connections
- Vendor connectors
- ETL jobs
- External schedulers
- Monitoring tools
- Custom applications calling ServiceNow APIs
Anything still using a username/password against ServiceNow APIs is a candidate for impact.
Recommended ServiceNow admin approach:
ServiceNow Basic Authentication Remediation Plan (Production Environment)
This is the approach I would follow as a ServiceNow Administrator to ensure zero integration outages while complying with ServiceNow's new Basic Auth restrictions.
For a production instance:
- Navigate to: All > Basic Auth Restriction
- Review every account in Identified Users.
- Classify accounts:
  - Human users = Revoke Basic Auth API Login
  - Integration users = Web Service Access Only
  - Critical legacy integrations = Maintain Current Login temporarily
- Plan migration to:
  - OAuth 2.0
  - API Authentication Policies
  - REST API Access Policies
  - Certificate-based authentication
- Enable enforcement only after testing in DEV/TEST.
How would I explain this in an interview, or in general?
"What would you do if you saw the Basic Authentication Security banner in ServiceNow?"
A practical answer would be:
"I would first identify all affected accounts and determine which integrations depend on them. Before enabling any enforcement, I would perform an impact assessment, contact integration owners, validate in lower environments, and then implement a phased remediation plan. Human users would generally have Basic Auth access removed, while integration accounts would either be converted to Web Service Access Only or migrated to OAuth 2.0. The objective is to improve security without causing outages to business-critical integrations."
This sounds much closer to how an experienced ServiceNow Administrator or Architect would discuss the topic in a real project.
Key takeaways for a ServiceNow developer, architect or enthusiast:
- Basic Authentication sends credentials with every request. While HTTPS encrypts the traffic, OAuth is considered more secure because it uses tokens instead of repeatedly sending usernames and passwords.
For admins:
- The banner is not saying that Basic Authentication is being removed entirely. The change is that ServiceNow is introducing enforcement controls around who can continue using Basic Auth and requiring administrators to explicitly review and approve affected accounts before enforcement is enabled.
- "ServiceNow is not removing Basic Authentication, but it is enforcing stricter controls. Administrators must review all accounts using Basic Auth and explicitly allow them through roles, Web Service Access Only configuration, or approved exceptions. Unreviewed accounts may lose Basic Auth API access once enforcement is enabled. The long-term recommendation is to migrate integrations to OAuth 2.0 or other modern authentication mechanisms."
Thanks and Regards
Gaurav Shirsat