"Invalid credentials" from remote connections (Azure AD App & remote instance record) but login.do works

09-13-2022 05:33 PM
Hi folks,
Today I was attempting to configure user provisioning from my Azure AD environment. During the course of this process I successfully connected to my Dev and Test instances; however, when it came to UAT I was presented with the below error:
I beat my head against the wall for a while trying to reset credentials, validating correct urls, looking for further details in logs (which seem to have no indication a connection attempt was ever even made), creating new accounts, and a new Azure app, etc. All of this to no avail.
Eventually I moved on to creating the remote instance record in my prod environment so that my dev team could move forward with promotion of update sets in our net new environment. Much to my dismay I received the below:
I am able to use login.do to authenticate with all admin accounts I've attempted to establish a remote connection with. No issues whatsoever with login.do. Logs don't seem to be any help. Password reset from HiWave didn't have any impact either. Dev, Test, and Prod all working as expected and happily provisioning user records. Any thoughts would be greatly appreciated.
V/R,
Daniel
09-13-2022 09:12 PM
Hi
- Did you also check the Node logs on UAT?
- Do you see in your syslog table at the UAT instance any strange KMF-related errors? If so create a support ticket.
- Does your UAT instance have the same version (including patch and hotfix version) as the other instances?
- Does your user on UAT have the "admin" role? If not add it.
- Does your user on UAT have the "security_admin" role? If so remove it, because external systems cannot elevate roles.
- Is MFA activated on your UAT? If so deactivate and try again.
- Do you have IP address access restrictions in place? If so add the IP address of Azure AD to the whitelist and try again.
Maik

09-13-2022 10:08 PM
Hi Maik! Thank you for the reply.
- Did you also check the Node logs on UAT?
- I had only checked the event logs. I'm relatively new as an admin so thank you for pointing out these node logs. Unfortunately, I'm not seeing much that's helpful in the below or any of the entries around this.
-
txid=0c9ddf638771 #1290 /syslog.do Parameters ------------------------- sys_row=0 sysparm_pop_onLoad= sysparm_transaction_update_set= sys_base_uri=https://*******uat.servicenowservices.com/ sysparm_record_rows=16542 sysparm_redirect_url= sysparm_transaction_scope= sysparm_template_editable= sysparm_record_target=syslog syslog.level=0 isFormPage=true sysverb_insert_and_stay= syslog.sys_created_on=09-13-2022 10:50:30 PM sysparm_collection= sysparm_changeset= sysparm_ck=b8db5...55114 (length=72) sysparm_link_collection= sysparm_collection_related_field= sys_uniqueValue=7a7dd7a387711110f66a31970cbb3530 sys_modCount= sysparm_collection_key= sysparm_nameofstack= sysparm_collectionID= sys_original.syslog.sys_created_on=09-13-2022 10:50:30 PM sysverb_insert= sys_uniqueName=sys_id sys_target=syslog sysparm_action_template= syslog.message=Basic authentication failed for user: admin sys_original.syslog.message=Basic authentication failed for user: admin sys_titleValue= syslog.source=*** Script sysparm_goto_url= personalizer_syslog=true sys_action=101721d14a3623120144e1ddc0d8b196 sysparm_view= sysparm_collection_relationship= sysparm_record_scope= sys_original.syslog.level=0 onLoad_sys_updated_on= sysparm_referring_url= sysparm_record_list=sys_created_onONToday@javascript:gs.beginningOfToday()@javascript:gs.endOfToday()^ORDERBYDESCsys_created_on sysparm_record_row=1 sys_displayValue=Created 09-13-2022 10:50:30 PM sys_original.syslog.source=*** Script sysparm_encoded_record= sysparm_modify_check=true
- Do you see in your syslog table at the UAT instance any strange KMF-related errors? If so create a support ticket.
- As found in the above, "Basic Authentication failed" is the general error I'm receiving. I am certain the password and username are accurate. I've copy pasted (as plain text) the entry from the login.do screen (where it works fine) and a plain text editor to ensure it is correct. Additionally, I've updated the password temporarily to a relatively simple combination I use very regularly in my day to day (not as a password usually) to help ensure I'm not mistyping this. Not to mention... I've set this exact connection up 3 other times (dev, test, prod) without so much as a hiccup from anything.
- Does your UAT instance have the same version (including patch and hotfix version) as the other instances?
- All instances are the same version
- Does your user on UAT have the "admin" role? If not add it.
- It does. I'm using the local OOTB admin account for this activity.
- Does your user on UAT have the "security_admin" role? If so remove it, because external systems cannot elevate roles.
- It does, but so it does in all other environments and this works fine. Out of an abundance of caution, I did remove the role temporarily, (cleared cache, logged out, back in) to no avail.
- Is MFA activated on your UAT? If so deactivate and try again.
- MFA is active on all environments. This was also one of the things I tried de-activating with no change in behavior.
- Do you have IP address access restrictions in place? If so add the IP address of Azure AD to the whitelist and try again
- IP restrictions are not presently in place.
I have submitted a HiWave ticket. Appreciate all the thoughts here! 🙂
Daniel
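Added example, not part of the original posts: the node-log entry pasted above is a /syslog.do transaction whose space-separated `key=value` parameters carry the syslog record's fields, so a small parser can pull out each "Basic authentication failed" event and count them per user. The function names and the sample dumps are constructed for illustration; only the field names and the failure message come from the post.

```python
import re
from collections import Counter

# A key follows whitespace (or the start of the text) and ends in "=", so
# "(length=72)" inside a value is not mistaken for a new key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")
FAIL_RE = re.compile(r"Basic authentication failed for user:\s*(\S+)")

# Constructed sample dumps, shortened from the shape of the entry in the post.
SAMPLES = [
    "txid=aaaa00000001 #1 /syslog.do Parameters ------------------------- "
    "sys_row=0 sysparm_pop_onLoad= sysparm_ck=abc...def (length=72) "
    "syslog.sys_created_on=09-13-2022 10:50:30 PM "
    "syslog.message=Basic authentication failed for user: admin "
    "sys_original.syslog.message=Basic authentication failed for user: admin "
    "syslog.source=*** Script sysparm_modify_check=true",
    "txid=aaaa00000002 #2 /syslog.do Parameters ------------------------- "
    "syslog.sys_created_on=09-13-2022 10:52:01 PM "
    "syslog.message=Basic authentication failed for user: admin "
    "syslog.level=0",
    "txid=aaaa00000003 #3 /syslog.do Parameters ------------------------- "
    "syslog.sys_created_on=09-13-2022 10:55:12 PM "
    "syslog.message=Cache flush requested syslog.level=0",
]

def parse_params(dump):
    """Split a parameter dump into a dict; values may be empty or contain spaces."""
    matches = list(KEY_RE.finditer(dump))
    params = {}
    for i, m in enumerate(matches):
        # A value runs from just after "=" up to the start of the next key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(dump)
        params[m.group(1)] = dump[m.end():end].strip()
    return params

def basic_auth_failure(dump):
    """Return (user, created_on) when the dump records a failed Basic auth, else None."""
    params = parse_params(dump)
    hit = FAIL_RE.search(params.get("syslog.message", ""))
    if hit is None:
        return None
    return hit.group(1), params.get("syslog.sys_created_on", "")

def failures_by_user(dumps):
    """Count failed Basic auth events per user name across several dumps."""
    hits = (basic_auth_failure(d) for d in dumps)
    return dict(Counter(h[0] for h in hits if h is not None))

if __name__ == "__main__":
    print(failures_by_user(SAMPLES))
```

A non-zero count for the integration account confirms the requests reach the instance and are rejected at Basic authentication rather than being dropped before it.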
04-25-2024 04:16 PM
Hi @dwilborn
Did you ever get a resolution for this issue? I'm facing the same issue.