Zurich 2FA Login screen disappears/redirects

James Bustard
Tera Expert

I upgraded my PDI to Zurich the other day. After the upgrade, I now see a message on the login page saying ServiceNow plans to enforce MFA for PDI logins.


I set up an authenticator app for my user account and can log in successfully using it once. However, on the next login I run into an issue: after entering my username and password, the page redirects to the MFA “Enter code” screen, but then immediately redirects back to the login page.

The second redirect happens almost instantly - so I don’t get a chance to enter the MFA code.


I can still log in using the admin account since MFA isn’t set up for it yet. For my user account, I’ve deleted the MFA enrollment and set it up again, but the issue persists.

Other things I’ve tried:

  • Disabled all browser extensions/plugins

  • Cleared saved site data for the PDI and turned off autofill

  • Tested in incognito/private mode

  • Tried a different browser

  • Tried from a non-work computer

  • Refreshed the instance

  • Checked the upgrade skip logs for Zurich

No matter what I try, the “Enter code” screen flashes for a split second and then I’m redirected back to the ESC login page. I’ve also enabled “Preserve log” in the browser dev tools and I’m not seeing any errors.

 


Has anyone else experienced this? Any suggestions on what to try next?

For now I can use the instance via the admin account, but once MFA is enforced for all accounts, I won’t be able to access the instance at all.

1 ACCEPTED SOLUTION

James Bustard
Tera Expert

Thanks GlideFather, 

 

Disabling MFA isn't the hard part. My concern was ServiceNow enforcing it regardless come the deadline shown on my instance.

Disabling the MFA contexts didn't help. To turn it off I disabled the system property requiring it: glide.authenticate.multifactor

 

For anyone else who runs into the same issue, be aware there is a business rule which prevents you from turning it off prior to giving a reason in the 'glide.authenticate.multifactor.disable.reason' sys property.

Running the following in a background script takes care of the business rule and will stop the instance enforcing MFA:

// Set a reason first (this satisfies the business rule 'Discourage turning off MFA')
gs.setProperty('glide.authenticate.multifactor.disable.reason', 'PDI - not required');

// Disable MFA
gs.setProperty('glide.authenticate.multifactor', 'false');

 


2 REPLIES 2

GlideFather
Tera Patron

Hi @James Bustard,

 

regarding the MFA, it was made mandatory by default but that was reverted like a week ago or so...

Perhaps this is some glitch caused by that?

 

Try to check the MFA Context:

https://yourinstance.service-now.com/nav_to.do?uri=sys_mfa_policy_context.do?sys_id=c4895d9373512010616ca9843cf6a79f

 


 

 

And its policies and inputs in the related tabs below...

 

Eventually review these properties:

https://yourinstance.service-now.com/sys_properties_list.do?sysparm_query=sys_idIN021ae381770102104bb41646ba5a99d2%2C07bf53de43f302100d603c441bb8f212%2C283b43ff77b01210e5415bef5b5a999a%2Cd95c73b2433012100d603c441bb8f2a3%2C0ea093d073312010fdbd04fbc4f6a797&sysparm_view=


If you want to deactivate it for others, then you can set the property above to false, or make it role-based...

 

_____
No AI was used in the writing of this post. Pure #GlideFather only
