Discovery Service Account flagged by security team for failed logins on servers
‎12-19-2024 10:42 AM
Hey all,
We just implemented ServiceNow ITSM in April and just started working on Discovery and ITOM. Our security team has noticed a spike in failed logins from the local Discovery Service account on the MID server. From what I can gather, it looks like Discovery tries every possible credential available to the MID server when it performs the discovery. I'm not seeing failures because I have the proper logins configured in Connections & Credentials. I'm guessing that Discovery is trying the Service credentials first, which fail, and then it tries the correct credentials and succeeds, which is why I don't get a failure reported.
I can't think of a reason to try the Service credentials to perform discovery on domain-joined servers, but please let me know if there is one. Otherwise, is there a way to stop Discovery from trying this credential so I can make my security team happy?
Thanks,
Lance
‎02-02-2025 09:28 PM
Hi Lance,
Typically Discovery would try all the credentials first, and if none succeed, then it would fall back to the service account for your MID server. There is a MID server parameter that turns off the fallback option.
Set mid.powershell.local_mid_service_credential_fallback to False; the default is true.
I am running into the same issue and will test it this week. Let me know if you had any better results.
Thanks