Get started with credentials
The MID Server uses the credentials you create in the Credentials [discovery_credentials] table to access resources for Discovery, Orchestration, Service Mapping, and Cloud Management.
How MID Servers use credentials
By default, Windows MID Servers use the login credentials of the MID Server service on the host machine to discover Windows devices in the network. You should configure the Windows MID Server service credentials so that they have at least local administrator privileges. For Linux and UNIX machines and network devices, the MID Server uses the SSH and SNMP credentials configured in the instance.
MID Servers that Orchestration uses must have access to the credentials needed to execute commands on computers in the network, as specified by the Workflow activities. Orchestration can use the same SSH and SNMP credentials as Discovery, but has two additional credential types designed for specific Workflow activities: Windows (for PowerShell activities) and VMware.
Encryption and decryption
The platform stores credentials in an encrypted field on the Credentials [discovery_credentials] table. Once they are entered, they cannot be viewed. When a MID Server needs the credentials, they are handed over in these steps:
- The credentials are decrypted on the instance with the password2 fixed key.
- The credentials are re-encrypted on the instance with the MID Server's public key.
- The credentials are encrypted on the load balancer with SSL.
- The credentials are decrypted on the MID Server with SSL.
- The credentials are decrypted on the MID Server with the MID Server's private key.
Multi-tenant instances do not have separate encryption keys.
Credential order
You can assign an order value to each credential to set the sequence in which the MID Server tries them; credentials without an order value are tried in random order. The order applies whenever the MID Server has to find working credentials for a device, for example when:
- Orchestration attempts to run a command on an SSH server, such as a Linux or a UNIX machine.
- Discovery attempts to query an SNMP device, such as a printer, router, or UPS.
After a successful login, Discovery and Orchestration create a credential affinity between the credentials and the device and store it in the Credential Affinity [dscy_credentials_affinity] table. All subsequent discoveries or Orchestration activities attempt to match the credentials in this table with a device for which an affinity exists. If credentials for a device change, Discovery and Orchestration try all available credentials again until they create a new affinity.
Setting a credential order is especially useful in these situations:
- The credentials table contains many credentials, with some used more frequently than others. For example, the table contains 150 SSH credentials, and five of those credentials are used to log in to 90% of the devices. It is good practice to configure those five credentials with low order numbers, which place them at the top of the execution list. Discovery and Orchestration work faster when they try these common credentials first. After the first successful connection, the ServiceNow AI Platform knows which credentials to use the next time for each device.
- Systems in the network enforce aggressive login security. For example, configure database credentials with a low order value if Solaris database servers in the network only allow three failed login attempts before locking out the MID Server.
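The selection logic described in this section, as an added JavaScript illustration that is not ServiceNow's code: affinity first, then ordered credentials, then unordered ones in random order, with a successful login recording a new affinity and a failed-login budget standing in for the lockout case above. The record shapes, the Map used as the affinity table and the tryLogin callback are assumptions.

```javascript
// Added illustration of credential order and affinity as described above. Not
// ServiceNow code: record shapes, the Map affinity table and tryLogin are assumptions.

// Sequence in which credentials are tried for one device: the credential with an
// affinity first, then order values ascending, then unordered ones in random order.
function orderCredentials(credentials, affinity, deviceIp, rng = Math.random) {
  const ordered = credentials.filter(c => c.order != null).sort((a, b) => a.order - b.order);
  const unordered = credentials.filter(c => c.order == null)
    .map(c => ({ c, k: rng() })).sort((a, b) => a.k - b.k).map(x => x.c);
  const seq = [...ordered, ...unordered];
  const pinned = affinity.get(deviceIp);
  if (pinned === undefined) return seq;
  return [...seq.filter(c => c.id === pinned), ...seq.filter(c => c.id !== pinned)];
}

// Try candidates until one works or the device's failed-login budget is spent.
// A success records an affinity so the next run for this device starts with it.
function resolveCredential(credentials, affinity, deviceIp, tryLogin, maxAttempts, rng) {
  let attempts = 0;
  for (const cred of orderCredentials(credentials, affinity, deviceIp, rng)) {
    if (attempts >= maxAttempts) return { credential: null, attempts, lockedOut: true };
    attempts += 1;
    if (tryLogin(cred, deviceIp)) {     // stand-in for the real SSH/SNMP login probe
      affinity.set(deviceIp, cred.id);
      return { credential: cred, attempts, lockedOut: false };
    }
  }
  return { credential: null, attempts, lockedOut: false };
}

// Scenario from the text: ten SSH credentials, one of them correct for the device,
// and a target that locks the MID Server out after three failed attempts.
function demo() {
  const creds = [];
  for (let i = 1; i <= 10; i++) creds.push({ id: `ssh-${i}` });   // no order values
  const device = '10.0.0.5';                                       // constructed sample
  const accepts = c => c.id === 'ssh-9';
  let n = 0;
  const fixedRng = () => (n++ % 10) / 10;   // deterministic "random" order for the demo
  const unordered = resolveCredential(creds, new Map(), device, accepts, 3, fixedRng);
  // Give the commonly used credential a low order number so it is tried first.
  const withOrder = creds.map(c => (c.id === 'ssh-9' ? { ...c, order: 100 } : c));
  const affinity = new Map();
  const first = resolveCredential(withOrder, affinity, device, accepts, 3, fixedRng);
  const second = resolveCredential(withOrder, affinity, device, accepts, 3, fixedRng);
  // Credentials on the device changed: the pinned one fails, the rest are retried.
  const rotated = resolveCredential(withOrder, affinity, device, c => c.id === 'ssh-2', Infinity, fixedRng);
  return { unordered, first, second, rotated, affinityNow: affinity.get(device) };
}
```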
Credential aliases
Credential aliases are available for Discovery and Orchestration. In Discovery, credential aliases let you:
- Employ a credential filtering behavior with configurable levels of compliance.
- Assign multiple credential aliases to a Discovery schedule.
- Prevent the creation of credential affinities that use inappropriate or sensitive credentials. To learn more, see credential affinities.
In Orchestration and Flow Designer, credential aliases let you:
- Assign individual credentials to any activity in an Orchestration workflow.
- Assign individual credentials to any action in Flow Designer.
- Assign different credentials to each occurrence of the same activity type in an Orchestration workflow.
- Assign different credentials to each occurrence of the same action in a Flow Designer flow.
External credential stores
If you do not want credentials stored in your instance, you can use external credential repositories. External credential stores save the credentials in an external site that your instance can access. CyberArk is the only supported external credential store. However, other external stores can be configured using the ServiceNow API.