ServiceNow dynatraceapi user getting locked out...what happened behind the scenes

 From ServiceNow Support:



Investigation Summary:
- login fails for today 221 when I reviewed:


- DynatraceAPI user


KB1008050 - Specify lockout for failed login attempts
- audit list of locked out for user DynatraceAPI


- every 15 mins 'system' unlocks the user account then 'Guest Guest' locks
- As per documentation:
Uses the value of the glide.user.max_unlock_attempts property to set the limit for failed login attempts.
Unlocks the user account after the time period that is specified for the glide.user.unlock_timeout_in_mins property. If no value is specified, then the system unlocks the user account after the default period of 15 minutes.
- SGO-Dynatrace (active) - no related tasks as flow seems to have ACL error


- Flow error:

https://<INSTANCE>.service-now.com/$flow-designer.do?sysparm_nostack=true#/operations/context/11ec55fb0dc35dd01aab2a0ea225ff19


- I see many attempts for the REST calls with response code 401 which we can assume when the user is locked, e.g.:
Nov 15 17:15:55 adc03a adcv2_ministryofju766_lhr100[6395]: [adcv2_access] src=35.178.107.162 vip=148.139.13.31 instance=xxxxxx node=10.172.128.18:16011 method=POST uri=/api/sn_em_connector/em/inbound_event?source=SGO-Dynatrace reqtime=0.013 rtt32=9322 uct=0.000 uht=0.012 urt=0.012 us=401 rescode=401 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 ssl_protocol=TLSv1.2 ua="ruxit server" ssib=0 h=h1
- When the user is unlocked I see the following error message:
API_INT-thread-4 SYSTEM txid=3258dd3f1b43 Background message, type:error, message: Password must contain at least 1 uppercase letter(s).

Next Steps:
- Can you disable SGO-Dynatrace and see if you still get the lockouts?
- Can you check your user password for DynatraceAPI, although it still appears to authenticate?
- I will check if there are any known issues, particularly for multiple sub-prod instances all connecting to a common Dynatrace sub-prod.

Notes:

SGO-Dynatrace (alert management rule) was modified to include a customised sub-flow, but the alerts/incidents continued to be created after it was disabled. Querying whether it can just be disabled OR, better still, identify the culprit ACL and add the dynatraceapi user to the ACL permissions?
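
One way to confirm the lock/unlock cycle from the access log, as an added example that is not from ServiceNow Support or the original post: it parses lines in the format shown above and flags a caller that keeps returning 401 across consecutive 15-minute windows (the default unlock period). The sample lines, placeholder addresses, assumed year and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the format of the log entry above; addresses are placeholders.
URI = "/api/sn_em_connector/em/inbound_event?source=SGO-Dynatrace"
SAMPLE = [
    f'Nov 15 17:00:55 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"',
    f'Nov 15 17:15:55 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"',
    f'Nov 15 17:16:10 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"',
    f'Nov 15 17:20:00 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=200 ua="ruxit server"',
    f'Nov 15 17:30:55 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"',
    f'Nov 15 17:45:55 adc03a node[1]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"',
    'Nov 15 17:21:00 adc03a node[1]: [adcv2_access] src=198.51.100.7 method=GET uri=/api/now/table/incident rescode=401 ua="curl"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, value optionally double-quoted

def parse(line, year=2000):
    """Return (timestamp, fields) for one line; the year is assumed because syslog omits it."""
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, {k: v.strip('"') for k, v in KV.findall(line)}

def lockout_loops(lines, window_min=15, min_windows=3):
    """Flag (src, integration) pairs that return 401 in >= min_windows consecutive windows."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, f = parse(line)
        if f.get("rescode") != "401":
            continue
        source = parse_qs(urlsplit(f.get("uri", "")).query).get("source", ["-"])[0]
        secs = (ts - datetime(ts.year, 1, 1)).total_seconds()
        buckets[(f.get("src"), source)][int(secs // (window_min * 60))] += 1
    flagged = []
    for (src, source), wins in buckets.items():
        run = best = 0
        prev = None
        for idx in sorted(wins):
            # extend the run only when this window directly follows the previous one
            run = run + 1 if prev is not None and idx == prev + 1 else 1
            best, prev = max(best, run), idx
        if best >= min_windows:
            flagged.append((src, source, best, sum(wins.values())))
    return flagged

if __name__ == "__main__":
    for src, source, windows, total in lockout_loops(SAMPLE):
        print(f"{src} source={source}: 401s in {windows} consecutive windows ({total} total)")
```

Set `window_min` to the instance's glide.user.unlock_timeout_in_mins value if it differs from the 15-minute default.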
