Service account performing a large number of failed login attempts - CMDB Discovery

Amit39

Need help.

Problem Statement:

User servicenow has exceeded the maximum number of failed logon attempts and has been locked out. The service account "servicenow" is performing a large number of failed login attempts on the MFT servers. I want to understand how to fix this issue by resetting the password so that it will not show any error and my discovery will work without any error.

Thank you in advance.

Regards,

Amit


First make a note of the sys-id's for your credentials.



Then, open the list of Credential Affinities ( in the left nav pane, enter dscy_credentials_affinity.list )


You should see something similar to this:



[screenshot: creds.png]


Filter this for the IP addresses of the system or systems which have the sys_id of the wrong credential, and change them to the sys_id of the correct credential.


It is tedious work. But try it on a couple of systems and see if you make progress.


Oh, it's really tedious work... but I will surely try it for a couple of systems.



However, I am still confused about why it's happening though we have a clean architecture setup. Is it getting mismatched due to the same service account user ID name, though they belong to different domains?



Regards,


Pravin


I'll give you my understanding of what happens, but if it's critical, you should contact ServiceNow and get an authoritative answer.



My understanding is that the first time S/N attempts to discover a server, it tries the credentials one at a time.   If the first one fails, it tries the second.   If that fails, it tries the third.   And so on.



The problem comes into play when a credential locks out after a number of failed logons is attempted.   If your credentials are validated through LDAP, then a failure on multiple systems can lead to the lock-up of that account.



When a credential succeeds, an entry is made in the credentials affinity table and that credential is used thereafter.



MY ADVICE FOR YOU:   change the userid portion of each credential to make it unique.   If you're using "servicenow", in 3 domains ( dev, test & prod ), rename it to servicenowdev, servicenowtest and servicenowprod.   Even though you are keeping the domains.   That way one domain can't lock out a userid for another.



EXPERIMENT: Here's a thought for you. Can you put all discovery on hold long enough to "boot strap" the credentials?


1. Turn off all discovery.


2. Set up a discovery to scan just one domain, say dev.


3. Disable all credentials except for the credentials for the dev domain.


4. Run the discovery job.   Everything should run and the credential affinity table should be populated with the credentials for that dev domain.


5. Now repeat steps 2, 3 & 4 for each of the domains.



Once the experiment is over, turn your regular discovery jobs back on and see if things work better.
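Added illustration (not ServiceNow or Discovery code, and not part of the original post): a toy model of the behaviour Steve describes above, where credentials are tried in list order, the winner is cached in the affinity table, and a domain locks an account after N bad logons. It also includes the per-IP affinity repair from the first reply and Steve's one-domain-at-a-time bootstrap. The hosts, sys_ids, passwords, the lockout threshold of 5 and the "bad-logon count is never reset by a success" simplification are all assumed or constructed for the example.

```python
"""Toy model of Discovery credential order, credential affinity and domain
lockout. Added illustration, not ServiceNow code: hosts, sys_ids, passwords
and the lockout threshold below are constructed."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # assumed directory policy: lock after 5 bad logons
DOMAINS = ("dev", "test", "prod")


class Domain:
    """A directory that authenticates accounts and counts bad logons.

    Simplification: a bad-logon count is never reset by a later success. This
    stands in for Discovery probing many hosts in parallel, where failures
    pile up before any successful logon could clear the counter.
    """

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = dict(accounts)        # user -> password
        self.bad_logons = defaultdict(int)
        self.locked = set()

    def logon(self, user, password):
        if user not in self.accounts or user in self.locked:
            return False                      # unknown or locked: no count
        if self.accounts[user] == password:
            return True
        self.bad_logons[user] += 1
        if self.bad_logons[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return False


def discover(ip, servers, domains, credentials, affinity):
    """Log on to `ip`; return the winning credential sys_id or None.

    A credential remembered in the affinity table is tried first; otherwise the
    enabled credentials are tried in list order and the winner is recorded.
    """
    domain = domains[servers[ip]]
    ordered = sorted(credentials, key=lambda c: c["sys_id"] != affinity.get(ip))
    for cred in ordered:
        if domain.logon(cred["user"], cred["password"]):
            affinity[ip] = cred["sys_id"]
            return cred["sys_id"]
    return None


def run(credentials, servers, domains, affinity=None):
    """Discover every host in `servers`; the affinity table is filled in place."""
    affinity = {} if affinity is None else affinity
    found = [ip for ip in servers
             if discover(ip, servers, domains, credentials, affinity)]
    return {
        "found": found,
        "locked": {(d.name, u) for d in domains.values() for u in d.locked},
        "bad_logons": sum(sum(d.bad_logons.values()) for d in domains.values()),
        "affinity": affinity,
    }


def fix_affinity(affinity, ips, wrong_sys_id, right_sys_id):
    """The manual repair from the first reply: for the listed IPs, swap the
    wrong credential sys_id for the right one. Returns the number of rows changed."""
    changed = 0
    for ip in ips:
        if affinity.get(ip) == wrong_sys_id:
            affinity[ip] = right_sys_id
            changed += 1
    return changed


def bootstrap(credentials, servers, domains):
    """Steve's experiment: scan one domain at a time with only that domain's
    credential enabled, so affinity fills without cross-domain bad logons."""
    affinity = {}
    for dom in DOMAINS:
        only = [c for c in credentials if c["domain"] == dom]
        subset = {ip: d for ip, d in servers.items() if d == dom}
        run(only, subset, domains, affinity)
    return affinity


# Constructed inventory: three prod hosts are probed before the others.
SERVERS = {"10.1.0.11": "prod", "10.1.0.12": "prod", "10.1.0.13": "prod",
           "10.2.0.21": "test", "10.3.0.31": "dev"}
SHARED = {d: "servicenow" for d in DOMAINS}        # same userid in every domain
UNIQUE = {d: "servicenow" + d for d in DOMAINS}    # servicenowdev, ...


def scenario(user_names, use_bootstrap=False):
    """Build fresh domains and credentials for a naming scheme, then discover."""
    domains = {d: Domain(d, {user_names[d]: d + "-secret"}) for d in DOMAINS}
    # Credential order is dev, test, prod: a prod host sees two wrong
    # passwords for its account name before the right one.
    creds = [{"sys_id": "cred-" + d, "user": user_names[d], "domain": d,
              "password": d + "-secret"} for d in DOMAINS]
    affinity = bootstrap(creds, SERVERS, domains) if use_bootstrap else None
    return run(creds, SERVERS, domains, affinity)


if __name__ == "__main__":
    for label, names, boot in (("shared userid", SHARED, False),
                               ("unique userids", UNIQUE, False),
                               ("shared userid, bootstrapped", SHARED, True)):
        r = scenario(names, boot)
        print(f"{label}: found {len(r['found'])}/{len(SERVERS)}, "
              f"bad logons {r['bad_logons']}, locked {sorted(r['locked'])}")
```

With the shared "servicenow" name, the dev and test credentials tried against prod hosts are counted as bad logons for prod's own servicenow account, so the third prod host locks it out and is never discovered. With unique names the same wrong guesses hit accounts that do not exist in that domain and count for nothing; bootstrapping the affinity table one domain at a time gets the same clean result even with the shared name, because the remembered credential is tried first.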


Hi Steve,



Thank you for the suggestions. I will surely work on it and check whether the workaround can fix this issue. I will update you soon.


Regards,


Pravin


Also, I found a page on the wiki that has some debugging tips:


ServiceNow KB: Determining whether the Variable Editor is added to a form (KB0538897)  


I sure hope something starts working for you!