LDAP Integration allows ServiceNow instances communicating with Active Directory (AD). This integration facilitates customers in following:
- Importing Users/Groups/Roles from AD to ServiceNow instance
- Schedule this import so as to keep the data in sync with AD
- Authenticate users from AD when login ServiceNow instance
Hence, ServiceNow does not store LDAP user’s password as they are authenticated from the AD. ServiceNow instance resides on cloud/on premise and AD is installed on a different server.
At times, LDAP connection to AD fails due to whatever reason and no LDAP user is able to login. This leaves a big impact on business and cause a P1 incident. The root cause of this connection failure can be anything like a local network outage in customer area, incorrect LDAP connection attempts post cloning, LDAP credentials change on AD etc.
ServiceNow datacenter hosts excellent monitoring tools which polls LDAP test connections in customer instances and if a test connection fails, it generates an alert which in turn generates a high priority incident. Be it an issue on ServiceNow instance side or in a local network on customer side, the major impact is LDAP users cannot login and cannot work unless the issue is fixed.
In order to mitigate the impact, ServiceNow has introduced LDAP One Time Password feature from Istanbul release onwards.
What is LDAP One Time Password?
This is a new feature introduced with ServiceNow Istanbul release assisting LDAP users generating a temporary local password to login ServiceNow when LDAP Server is down. This is available and enabled Out of the Box and requires no plugin activation. It is controlled using below system properties:
- glide.ldap.onetime.password.enabled - It's a boolean property used to enable/disable this feature
- glide.authenticate.onetime.password.validity - It's an integer property indicating temporary password validity in minutes
How Does This Feature work?
OLD Situation: Login error message when LDAP is unreachable:
Error message on screen: Your account is configured to use LDAP authentication, and we cannot currently connect to the LDAP server. Please contact your ServiceDesk to resolve this issue.
New Situation: Login error message when LDAP is unreachable
Here is the difference in error message: Your account is configured to use LDAP authentication, and we cannot currently connect to the LDAP server. Please contact your ServiceDesk to resolve this issue. To obtain a password for one-time login, click here. An email message containing the password will be sent to you.
User clicks the hyper link click here and platform sends a one-time password to user’s email address for next login as shown in below screen:
Behind The Interface In Platform:
- When user clicks on link click here, platform generates a one-time password in security_nonce table which can be used once and expires after used.
- By default this password is valid for 10 minutes but can be configured with system property glide.authenticate.onetime.password.validity.
- Post one-time password generation, platform generates an event password.online.
- This event in turn triggers email notification OneTimePasswordEmailNotification.
Troubleshooting Tips when user does not receive One Time Password:
- Login as an admin and check password.online in event logs.
- If event log is there, make sure notification OneTimePasswordEmailNotification is enabled in user profile.
- User profile has a valid email address.
- Open a Hi incident when you see steps 1 to 3 are OK and user still missing one-time password email.
This is a small feature but I find it a great enhancement as it brings down the impact of LDAP user login issue tremendously when LDAP Server is down and generates a big value for ServiceNow customers in terms of business continuity.