Understanding ServiceNow’s New Basic Authentication Restrictions – Complete Admin Guide
13 hours ago
Introduction
ServiceNow has introduced a security enhancement that restricts inbound Basic Authentication API access for certain users, so that customers can strengthen their security posture without losing working integrations.
The change mainly affects environments where interactive-login users (accounts a person can use to log in to the UI) are still being used by integrations, REST API clients, automation scripts, or external tools that authenticate with a username and password.
As many organizations still rely on Basic Authentication for integrations, it is important for ServiceNow administrators and architects to understand:
- What is changing
- Which accounts are impacted
- What actions should be taken
- Best practices moving forward
This article summarizes the change in simple terms and provides practical recommendations for ServiceNow administrators.
Why Is ServiceNow Making This Change?
Basic Authentication sends the username and password with every API request, and an API call authenticated this way is not challenged for a second factor. If the credentials are leaked or guessed, an attacker gets API access that sidesteps the MFA protecting the UI login, and can run automated credential attacks against the API endpoints.
To close this gap, ServiceNow is introducing restrictions on inbound Basic Authentication API requests made with interactive-login accounts.
The goal is to ensure:
- Integration accounts are properly classified as service accounts
- MFA protections are not bypassed
- Organizations move toward more secure authentication methods such as OAuth and token-based authentication
What Is Changing?
ServiceNow will now evaluate inbound Basic Authentication API requests and allow access only through approved access paths.
Allowed Access Paths
A request is allowed if the user qualifies under one of these categories:
| Access Type | Description |
|---|---|
| WSAO Accounts | Web Service Access Only service accounts |
| Allowed Role | User has snc_basic_auth_api_access role |
| MID Server Accounts | Users holding the MID Server role inherit the required access |
| MFA / TOTP Users | Users authenticating with MFA/TOTP |
If a user does not qualify under any of these paths, the request is only logged during the tracking phase and is blocked once enforcement begins.
What Is a Hybrid User?
A Hybrid User is both:
- A normal interactive-login user, and
- An account that is also used for API Basic Authentication
Example:
- Admin user used in Postman
- Integration user used for REST APIs
- API account that can still log in to the ServiceNow UI
These users are the primary target of this security enhancement.
Two-Phase Rollout
ServiceNow is implementing this in two phases:
1. Tracking Mode
During this phase:
- No requests are blocked
- ServiceNow records users using Basic Authentication
- Admins can review impacted users
2. Enforcement Mode
After the enforcement date:
- Unauthorized Basic Auth API requests are blocked
- Users who do not qualify under one of the allowed access paths receive HTTP 401 responses
How To Identify Impacted Users
Navigate to:
Basic Auth Restriction > Basic Auth User Exceptions
This table contains users identified during tracking.
These are the accounts administrators must review. They generally fall into one of the three categories below, each with a recommended decision.
1. Integration / Service Accounts (Recommended: Convert to WSAO)
Examples:
- REST integrations
- Service Graph Connectors
- Discovery integrations
- External automation accounts
Recommended Action
Convert these users to: Web Service Access Only (WSAO)
Benefits
- API access continues working
- UI login is blocked
- Aligns with ServiceNow best practices
- Improves security posture
How To Convert
Open the exception record and select: Decision = Convert to WSAO
Then click: Execute Decision
Alternatively: User Record > Web Service Access Only = true
2. Human Users Using APIs
Examples:
- Developers testing APIs
- Admins using Postman
- Temporary integrations
Recommended Approach
Long-term recommendation:
- Move to OAuth authentication
Temporary option:
Open the exception record and select: Decision = Maintain current login
This grants the user the snc_basic_auth_api_access role, so Basic Auth API requests keep working after enforcement begins.
Treat this as a stop-gap only: the account remains a hybrid user whose password still gives MFA-free API access.
3. Old or Unused Accounts
If an account is no longer needed, open the exception record and select: Decision = Revoke Basic Auth API login
Removing unused accounts shrinks the set of credentials an attacker can use against the API and reduces overall security risk.
Impact on Common ServiceNow Integrations
Organizations using the following should immediately review integration accounts:
- Discovery
- Service Graph Connectors
- Intune SGC
- JAMF integrations
- SCCM integrations
- IntegrationHub REST integrations
- External monitoring tools
- Custom REST API integrations
Most integration users should ideally be converted to WSAO accounts.
Important System Properties
Navigate to: Basic Auth Restriction > Properties
Review these important properties:
| Property | Purpose |
|---|---|
| glide.authenticate.basic_auth.restriction.active | Master feature toggle |
| glide.authenticate.basic_auth.restriction.enforce | Switches between tracking and enforcement |
| glide.authenticate.basic_auth.restriction.enforcement_date | Enforcement start date |
| glide.authenticate.basic_auth.restriction.default_decision | Default decision behavior for tracked users |
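As an added worked example (not code from this article, the referenced KB articles, or ServiceNow itself), the script below turns the triage rules for the three account categories and the four properties above into a pre-enforcement readiness report. It reports whether the instance is disabled, tracking or enforcing, how many days remain until the enforcement date, and a recommended decision for each tracked user. Everything not stated in the article is an assumption: the property value formats (true/false strings, yyyy-MM-dd date), the interpretation that enforcement applies when the master toggle is on and either the enforce flag is set or the enforcement date has been reached, a per-user "last Basic Auth API use" timestamp (the article does not name that column, so it must be mapped when exporting the exception list), the 90-day staleness threshold, and the sample users and property values, which are constructed.

```javascript
// Added example (not from the article or from ServiceNow): a pre-enforcement readiness
// report. It reads the four restriction properties named above and, for each user recorded
// during Tracking Mode, recommends one of the three decisions the exception record offers.
// Runs in Scripts - Background on a sub-production instance (gs is defined there) and also
// under Node.js, where the constructed sample data at the bottom is used instead.

var PROPS = {
  active: 'glide.authenticate.basic_auth.restriction.active',
  enforce: 'glide.authenticate.basic_auth.restriction.enforce',
  enforcementDate: 'glide.authenticate.basic_auth.restriction.enforcement_date',
  defaultDecision: 'glide.authenticate.basic_auth.restriction.default_decision'
};

// Assumed value formats: 'true'/'false' strings for the two toggles, yyyy-MM-dd (optionally
// followed by a time) for the enforcement date and for the sys_user date/time fields.
function parseDate(s) {
  var p = String(s).split(/[- :]/);
  return new Date(Date.UTC(+p[0], +p[1] - 1, +p[2]));
}
function daysBetween(from, to) {
  return Math.floor((to.getTime() - from.getTime()) / 86400000);
}

// Instance state. Assumed interpretation of the properties: requests are blocked only when
// the master toggle is on and either the enforce flag is set or the enforcement date has
// been reached; otherwise the feature is in tracking mode.
function restrictionState(props, today) {
  if (props[PROPS.active] !== 'true') return 'disabled';
  var date = props[PROPS.enforcementDate];
  var datePassed = !!date && daysBetween(parseDate(date), today) >= 0;
  return (props[PROPS.enforce] === 'true' || datePassed) ? 'enforcing' : 'tracking';
}

// Per-user recommendation following the three buckets above. staleDays is how long an
// account may go without a Basic Auth API call before it is treated as unused. A recent
// interactive UI login means a WSAO conversion would lock a person out, so that account
// keeps its login (with the snc_basic_auth_api_access role) and is flagged for OAuth.
// u.last_api_use is assumed to come from the tracked exception record; the article does
// not name that column, so map it when exporting.
function recommendDecision(u, today, staleDays) {
  if (!u.active) return 'revoke';
  if (!u.last_api_use || daysBetween(parseDate(u.last_api_use), today) > staleDays) {
    return 'revoke';
  }
  if (u.web_service_access_only) return 'already_wsao';
  var recentUi = !!u.last_login_time &&
    daysBetween(parseDate(u.last_login_time), today) <= staleDays;
  return recentUi ? 'maintain_login' : 'convert_to_wsao';
}

function buildReport(props, users, today, staleDays) {
  var date = props[PROPS.enforcementDate];
  var report = {
    state: restrictionState(props, today),
    days_until_enforcement: date ? daysBetween(today, parseDate(date)) : null,
    default_decision: props[PROPS.defaultDecision] || null,
    decisions: {},
    admin_hybrid: []
  };
  users.forEach(function (u) {
    var d = recommendDecision(u, today, staleDays);
    report.decisions[u.user_name] = d;
    // An admin who also calls APIs with Basic Auth is the riskiest hybrid case: a leaked
    // password would give MFA-free admin API access, so list these separately.
    if (d === 'maintain_login' && u.roles.indexOf('admin') !== -1) {
      report.admin_hybrid.push(u.user_name);
    }
  });
  return report;
}

// Constructed sample input (not real instance data).
var SAMPLE_TODAY = new Date(Date.UTC(2025, 5, 1)); // 2025-06-01
var SAMPLE_PROPS = {};
SAMPLE_PROPS[PROPS.active] = 'true';
SAMPLE_PROPS[PROPS.enforce] = 'false';
SAMPLE_PROPS[PROPS.enforcementDate] = '2025-07-01';
SAMPLE_PROPS[PROPS.defaultDecision] = 'maintain_login'; // value constructed for the sample
var SAMPLE_USERS = [
  { user_name: 'svc.sgc.intune', active: true, web_service_access_only: false, roles: ['itil'],
    last_login_time: '2024-09-15 08:00:00', last_api_use: '2025-05-31 23:40:00' },
  { user_name: 'jdoe', active: true, web_service_access_only: false, roles: ['admin'],
    last_login_time: '2025-06-01 07:12:00', last_api_use: '2025-05-30 10:00:00' },
  { user_name: 'int.legacy.monitor', active: true, web_service_access_only: false, roles: ['itil'],
    last_login_time: null, last_api_use: '2024-12-01 00:00:00' },
  { user_name: 'svc.discovery', active: true, web_service_access_only: true, roles: ['discovery_admin'],
    last_login_time: null, last_api_use: '2025-06-01 00:00:00' },
  { user_name: 'old.vendor', active: false, web_service_access_only: false, roles: [],
    last_login_time: null, last_api_use: null }
];

// On an instance, read the live properties with gs.getProperty; under Node.js use the sample.
function loadProperties() {
  if (typeof gs === 'undefined') return SAMPLE_PROPS;
  var live = {};
  Object.keys(PROPS).forEach(function (k) { live[PROPS[k]] = String(gs.getProperty(PROPS[k], '')); });
  return live;
}

var onInstance = (typeof gs !== 'undefined');
var report = buildReport(loadProperties(), SAMPLE_USERS, onInstance ? new Date() : SAMPLE_TODAY, 90);
var output = JSON.stringify(report, null, 2);
if (onInstance) { gs.info(output); } else { console.log(output); }
```

On the sample data the report shows the instance in tracking mode with 30 days to go, recommends converting the Intune connector account to WSAO (its only UI login is months old), keeps jdoe's login but lists that account under admin_hybrid because an admin using Basic Auth from a tool like Postman is exactly the case the restriction targets, and marks the stale monitoring account and the inactive vendor account for revocation. Replace SAMPLE_USERS with the rows exported from Basic Auth User Exceptions (joined to sys_user for active, web_service_access_only and last_login_time) before relying on the output.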
Best Practices Moving Forward
Recommended Authentication Strategy
| Use Case | Recommended Authentication |
|---|---|
| Integrations | OAuth |
| Service Accounts | WSAO |
| Human API Access | OAuth + MFA |
| MID Servers | Existing MID authentication |
Key Recommendations
Immediate Actions
- Review Basic Auth User Exceptions table
- Identify all integration accounts
- Convert service accounts to WSAO
- Remove unused accounts
- Validate integrations before enforcement date
Long-Term Actions
- Migrate integrations to OAuth
- Avoid using personal admin accounts for integrations
- Enforce MFA for interactive users
- Separate human and machine identities
References
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3025707
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3055080
Disclaimer
The information shared in this article is based on practical understanding, implementation experience, ServiceNow documentation, and knowledge gathered from various sources. Some portions of the content were also refined with the assistance of AI tools to improve readability, structure, and explanation quality.
Readers are strongly advised to carefully review, validate, and test all recommendations, configurations, scripts, and security-related changes in a non-production environment before implementing them in production systems.
Always refer to official ServiceNow documentation, KB articles, organizational security policies, and platform best practices while making implementation or architectural decisions.
Share your feedback!
✔️ If this solves your issue, please mark it as Correct.
✔️ If you found it helpful, please mark it as Helpful.
—
Shubham Jain