
NJP

ServiceNow dynatraceapi user getting locked out...what happened behind the scenes

Import · Nov 16, 2022 · article

Investigation Summary:

- login fails for today 221 when I reviewed:

- DynatraceAPI user

KB1008050 - Specify lockout for failed login attempts

- audit list of locked out for user DynatraceAPI

- every 15 mins 'system' unlocks the user account, then 'Guest Guest' locks it

- As per documentation:

Uses the value of the glide.user.max_unlock_attempts property to set the limit for failed login attempts.

Unlocks the user account after the time period that is specified for the glide.user.unlock_timeout_in_mins property. If no value is specified, then the system unlocks the user account after the default period of 15 minutes.

- SGO-Dynatrace (active) - no related tasks as flow seems to have ACL error

- Flow error:

https://.service-now.com/$flow-designer.do?sysparm_nostack=true#/operations/context/11ec55fb0dc35dd01aab2a0ea225ff19

- I see many attempts for the REST calls with response code 401, which we can assume occurs when the user is locked, e.g.:

Nov 15 17:15:55 adc03a adcv2_ministryofju766_lhr100[6395]: [adcv2_access] src=35.178.107.162 vip=148.139.13.31 instance=xxxxxx node=10.172.128.18:16011 method=POST uri=/api/sn_em_connector/em/inbound_event?source=SGO-Dynatrace reqtime=0.013 rtt32=9322 uct=0.000 uht=0.012 urt=0.012 us=401 rescode=401 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 ssl_protocol=TLSv1.2 ua="ruxit server" ssib=0 h=h1

- When the user is unlocked I see the following error message:

API_INT-thread-4 SYSTEM txid=3258dd3f1b43 Background message, type:error, message: Password must contain at least 1 uppercase letter(s).

Next Steps:

- Can you disable SGO-Dynatrace and see if you still get the lockouts?

- Can you check your user password for DynatraceAPI, although it still appears to authenticate.

- I will check if there are any known issues, particularly for multiple sub-prod instances all connecting to a common Dynatrace sub-prod.

Notes:

SGO-Dynatrace (alert management rule) was modified to include a customised sub-flow, but the alerts/incidents continued to be created after it was disabled. Querying whether it can just be disabled OR, better still, identify the culprit ACL and add the dynatraceapi user to the ACL permissions?
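To line up the 401 responses noted in the investigation summary with the 15-minute unlock cycle, the access-log entries can be grouped per window, source, URI and user agent and compared against the lock/unlock audit entries. This is an added example, not part of the original article; the sample lines, the default year, the second client and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

URI = "/api/sn_em_connector/em/inbound_event?source=SGO-Dynatrace"
# Constructed sample lines in the shape of the access-log entry quoted above
# (documentation-range addresses; the second client and its URI are made up).
SAMPLE_LOG = f"""\
Nov 15 17:00:04 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=200 ua="ruxit server"
Nov 15 17:01:10 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"
Nov 15 17:05:30 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"
Nov 15 17:15:55 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"
Nov 15 17:16:20 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"
Nov 15 17:29:59 adc03a adc[6395]: [adcv2_access] src=192.0.2.10 method=POST uri={URI} rescode=401 ua="ruxit server"
Nov 15 17:30:02 adc03a adc[6395]: [adcv2_access] src=198.51.100.7 method=GET uri=/api/example rescode=401 ua="example-client"
"""

STAMP_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_line(line, year=2022):
    """Return the key=value fields of one access-log line plus a 'time' field.

    Syslog stamps carry no year; 2022 is assumed from the article date.
    """
    stamp = STAMP_RE.match(line)
    if not stamp:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    fields["time"] = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
    return fields


def failed_auth_windows(log_text, window_mins=15):
    """Count rescode=401 entries per (window start, src, uri, ua).

    window_mins should divide 60; 15 matches the default unlock timeout.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("rescode") != "401":
            continue
        t = rec["time"]
        start = t.replace(minute=t.minute - t.minute % window_mins, second=0)
        counts[(start.strftime("%b %d %H:%M"), rec.get("src"), rec.get("uri"), rec.get("ua"))] += 1
    return counts


if __name__ == "__main__":
    for (window, src, uri, ua), n in sorted(failed_auth_windows(SAMPLE_LOG).items()):
        print(f"{window}  {n:>3} x 401  src={src}  ua={ua!r}  uri={uri}")
```

A client that reappears with 401s in every window straight after the 'system' unlock is the one to check credentials for first.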

View original source

http://www.cloudminus89.com/2022/11/servicenow-dynatraceapi-user-getting.html