MFA broken after clone down

Tim Grindlay
Kilo Sage

Our Development and UAT environments require local login with MFA. We have a clone preserver setup for the user_multifactor_auth table and during our last upgrade to San Diego we cloned our DEV and UAT environments.

Post clone, we could log into the instances with our pre-clone DEV and UAT MFA codes from our authenticator apps fine. For an unrelated reason we needed to clone our UAT environment again (several update sets committed in error) and after this second clone (a few days after the initial clone) no one was able to log in using their MFA codes and we were effectively locked out of the instance.


Luckily we had a clean-up script that re-enables our email and sends it to a shared email account, so we were able to get a temporary MFA code (for accounts that had an email, because you don't get that option if your account doesn't have one!).

While troubleshooting we discovered that clicking the 'Receive a code via email' link brings the old codes back to life. You don't have to use the code that was sent to the email. I also have a suspicion that an account that is locked out and then unlocked also brings them back, but I haven't thoroughly tested this, as once the codes are working I have to find another user that had pre-clone MFA codes set up to test with.

I raised a case with Now Support but got nowhere. They suggested re-cloning, resetting the 'Enable multi-factor authentication' flag on the user profile or using the 'Receive a code via email' link, but these are all workarounds. Posting to see if anyone else has come across this.

1 ACCEPTED SOLUTION

Hi Tim,

An update for you. We deleted the additional out of the box Exclude Tables and Preserve Data records for user_multifactor_auth that had been added recently. We cloned today and MFA is working straight after the clone. I am going to update our Case with ServiceNow, but might be worth giving it a try? Will let you know if we get any official confirmation.

Thanks,

Charlotte


22 REPLIES

Thank you for following up Charlotte! I've also deleted ours but it's going to be a while until our next clone. If it all goes accordingly, I'll accept your answer as the solution. 🙂

Rachel Gomez
Giga Expert

Two ways to resolve the issue.

Method #1: Before performing the clone, manually add the table 'user_multifactor_auth' to the Clone exclude table in the source instance

Steps to add 'user_multifactor_auth' in Clone Preservers/ exclude table in the source instance

Log in to the source instance
Go to the "clone_data_exclude" table
Add "user_multifactor_auth" to the clone_data_exclude table

Method #2: You can also export the records from the table as XML before cloning and then import the XML into the target instance after the clone. Remember this import XML activity is only possible if the local admin user can log in to the target instance after the clone.

Regards,

Rachel Gomez

Hi Rachel,

Thanks for the reply. As mentioned, we have a clone preserver (and table excludes records) setup for the 'user_multifactor_auth' table. The problem is, sometimes after cloning the system won't accept the correct codes presented by the user. The necessary data is there, but something else is causing the issue and ServiceNow support haven't been able to determine root cause. Charlotte mentioned they have 2 entries for that table in the preserver and excludes settings. We also had 2 entries, but I'm unsure why that would cause an issue. We'll have to wait until the next clone to see.
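Charlotte's accepted answer and Tim's reply above both point at duplicate clone-configuration records for user_multifactor_auth. The following is an added example, not code from this thread or from ServiceNow: it parses an XML export of the clone_data_exclude and clone_data_preserver tables (the unload is constructed here, and the `table_name` column name is an assumption, so check it against your instance) and reports any table that has more than one rule of the same kind, which is the state the accepted answer cleaned up before the clone that worked.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample unload of the two clone-configuration tables. The column name
# "table_name" is an assumption; verify it against your instance's dictionary.
SAMPLE_UNLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<unload>
  <clone_data_exclude action="INSERT_OR_UPDATE">
    <sys_id>exclude-0001</sys_id>
    <table_name>user_multifactor_auth</table_name>
  </clone_data_exclude>
  <clone_data_exclude action="INSERT_OR_UPDATE">
    <sys_id>exclude-0002</sys_id>
    <table_name>user_multifactor_auth</table_name>
  </clone_data_exclude>
  <clone_data_exclude action="INSERT_OR_UPDATE">
    <sys_id>exclude-0003</sys_id>
    <table_name>sys_email</table_name>
  </clone_data_exclude>
  <clone_data_preserver action="INSERT_OR_UPDATE">
    <sys_id>preserve-0001</sys_id>
    <table_name>user_multifactor_auth</table_name>
  </clone_data_preserver>
</unload>
"""
CLONE_CONFIG_TABLES = ("clone_data_exclude", "clone_data_preserver")

def count_clone_rules(unload_xml):
    """Return {record_type: Counter(table_name -> number of rules of that type)}."""
    root = ET.fromstring(unload_xml)
    counts = {t: Counter() for t in CLONE_CONFIG_TABLES}
    for rec in root:  # each child of <unload> is one exported record
        if rec.tag in counts:
            name = rec.findtext("table_name", "").strip()
            if name:
                counts[rec.tag][name] += 1
    return counts

def find_duplicate_rules(unload_xml):
    """Tables with more than one exclude or more than one preserver rule."""
    dups = {}
    for rtype, counter in count_clone_rules(unload_xml).items():
        for name, n in counter.items():
            if n > 1:
                dups.setdefault(name, {})[rtype] = n
    return dups

if __name__ == "__main__":
    for table, kinds in find_duplicate_rules(SAMPLE_UNLOAD).items():
        print(f"{table}: duplicate clone rules {kinds}")
```

Run it against a real export of both tables from the source instance before cloning; any table it lists has redundant rules worth reviewing.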

Luke43
Tera Contributor

Has anyone gotten an answer from ServiceNow on this? We've experienced the same issue. After cloning prod to a sub-prod instance, no one can get in with MFA-enabled accounts. We have data preservers on user_multifactor_auth and excludes, but after typing in the authenticator code, it just kicks you back to the login screen.