Service account performing a large number of failed login attempts - CMDB Discovery
‎08-01-2016 08:08 AM
Need help.
Problem Statement:
User servicenow has exceeded the maximum Number of Failed Logon Attempts and has been locked out. The service account is "performing a large number of failed login attempts" on the MFT servers. I want to understand how to fix this issue by resetting the password so that it will not show any error and my discovery will work without any error.
Thank you in advance.
Regards,
Amit
‎08-18-2016 06:24 AM
We had a similar problem with our MS servers in Discovery.
I'm assuming that you actually have the correct credential to discover the server in the S/N config.
Have you confirmed that the user "servicenow" can actually log in to it?
If you pass that check, then you can check the credential affinity table for the server, dscy_credentials_affinity.
If there is an entry for the server there, verify that the credential ID points to the correct credential.
If there is no entry, then discovery will try each of the credentials in the list to see if one works.
If you have multiple credentials for the same "servicenow" userid, that could be the cause of your lockouts.
Create an entry in the credential file for the IP address and correct credential and try the discovery again.
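A small model of the behaviour this answer describes, added here as an illustration (it is not from the thread and is not ServiceNow code): with no affinity entry every credential is tried in turn, so accounts sharing a user name collect failed logons. The field names, the try order, the fallback after a failed pinned credential, the lockout threshold and all sample data are assumptions.

```python
from collections import Counter

# Constructed sample data. Field names and the ordering rule are assumptions
# made for this model, not ServiceNow's schema or exact algorithm.
CREDENTIALS = [
    {"id": "cred-dev", "account": r"dev\abc", "order": 100},
    {"id": "cred-prod", "account": r"prod\abc", "order": 200},
    {"id": "cred-xyz", "account": r"xyz\abc", "order": 300},
]
# host -> id of the only credential that authenticates there (constructed)
HOSTS = {
    "10.0.0.5": "cred-xyz",
    "10.0.0.6": "cred-xyz",
    "10.0.0.7": "cred-xyz",
    "10.0.0.8": "cred-dev",
}
LOCKOUT_THRESHOLD = 3  # assumed domain lockout policy


def attempt_order(host, affinity, credentials):
    """Pinned credential first (if any), then the rest of the list in order."""
    ordered = [c["id"] for c in sorted(credentials, key=lambda c: c["order"])]
    pinned = affinity.get(host)
    if pinned in ordered:
        ordered.remove(pinned)
        ordered.insert(0, pinned)
    return ordered


def run_discovery(hosts, credentials, affinity, threshold=LOCKOUT_THRESHOLD):
    """Simulate one pass; return (failed logons per account, locked accounts)."""
    account = {c["id"]: c["account"] for c in credentials}
    failures = Counter()
    for host, working in hosts.items():
        for cred_id in attempt_order(host, affinity, credentials):
            if cred_id == working:
                affinity[host] = cred_id  # remember what worked for next time
                break
            # Assumption: every rejected logon counts toward that account's lockout.
            failures[account[cred_id]] += 1
    locked = sorted(a for a, n in failures.items() if n >= threshold)
    return failures, locked
```

Running it with an empty affinity map locks `dev\abc` and `prod\abc` in the sample data, while a second pass with the learned (or pre-populated) affinity produces no failed logons.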
‎10-17-2016 11:27 AM
Hi Steve,
Even we are facing the same issue. We have three domain service credentials with the same user name, e.g. abc (dev\abc, prod\abc, xyz\abc), and my dev or prod credentials are getting frequently locked. When checked as per your suggestion, it's getting locked with a domain controller which belongs to the dev domain, which should use the DEV service account credential ID, but it is using the PROD service account service ID. I have deleted the entry for the target server with the prod service ID and re-executed the discovery so that it should use the service ID of DEV, but again it's ending with the PROD service ID. And the account gets locked again. Could you please confirm what the solution is in this case?
Regards,
Pravin
‎10-17-2016 11:43 AM
Hello Pravin,
I'm not sure how to confirm this as the problem is not on an instance where I have access.
I can offer some advice though. It appears that Discovery is trying all the userids while trying to log in to your servers. Apparently this is enough to lock out the account. Instead of deleting the entry in dscy_credentials_affinity, why not change it to specify the correct credentials? Try that and rerun the discovery.
See if the login succeeds after that change.
‎10-17-2016 11:59 AM
Hi Steve,
Thank you for your reply. However, we have the correct credentials configured in the SN discovery credential vault. We have a scenario where multiple domain servers are present in one IP range, so while trying discovery on that IP range it should try all the credentials for successful discovery of those targets. When you say specify the correct credentials, how can we do so?
Regards,
Pravin