
Pitfalls

This page lists some pitfalls or issues you can encounter when using ITOM with dynamic credentials.

  1. Cross Domain/Region credential replication
  2. Multi Active Directories
  3. Same credential, different login format

Cross Domain/Region credential replication

One major problem with dynamic credentials (password rotation, privilege escalation, account creation) is replication across regions or domains. For example, if you rotate an account password, there can be a replication delay between your datacenters.

If you run your discovery task from a server linked to a datacenter on which the password has not yet been updated, the authentication will fail.

To mitigate this replication problem, Vault Connect supports a Reply delay. Each time the password is changed, Vault Connect delays its reply to ServiceNow by the configured amount (e.g. 30 seconds). As we cannot know exactly when a password is changed, this gives the new credential time to propagate.

Multi Active Directories

In large organizations, you can have multiple domain controllers. To bind a credential to a specific Active Directory you have to:

  • Mount each Active Directory into Vault under its own path, for example: first-ad and second-ad
  • Configure two aliases in Vault Connect, one for each AD
    vault.secret.ad.types=firstAD,secondAD
    vault.secret.firstAD.basepath=first-ad/creds
    vault.secret.secondAD.basepath=second-ad/creds
    
  • Configure the Credential ID in ServiceNow by prefixing it with the right alias
    • Credential ID : firstAD/discovery
    • Credential ID : secondAD/discovery

Same credential, different login format

Sometimes the same account has a different username format depending on whether it is used for Windows or Linux authentication.

  • For Windows, the format can be: my-domain\username
  • For Linux, the format can be: username@my-domain.com

To handle this case, Vault Connect provides a Formatter that can be applied to each field ServiceNow expects. The %s placeholder is replaced by the username read from Vault.

vault.secret.ad.types=ad-win,ad-linux
vault.secret.ad-win.format.username=my-domain\%s
vault.secret.ad-linux.format.username=%s@my-domain.com
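To see how the alias prefix from the previous section and the username formatter fit together, here is an added Python example. It is not Vault Connect's own code: it reads the two configuration fragments above with a simplified key=value parser, resolves a ServiceNow Credential ID such as firstAD/discovery to the Vault path it would be read from, and applies the configured formatter to the username. The shared basepath corp-ad/creds for the ad-win and ad-linux aliases, the role name discovery and the username svc-discovery are constructed sample values, not from the page.

```python
"""Alias-prefix resolution and username formatting, modelled on the
vault.secret.* keys shown on this page.  Added example, not Vault Connect code."""
from dataclasses import dataclass, field

# Constructed sample configuration combining both pitfalls on this page.
# The corp-ad/creds basepath shared by ad-win and ad-linux is an assumption:
# the page only says both aliases address the same account.
SAMPLE_CONFIG = r"""
vault.secret.ad.types=firstAD,secondAD,ad-win,ad-linux
vault.secret.firstAD.basepath=first-ad/creds
vault.secret.secondAD.basepath=second-ad/creds
vault.secret.ad-win.basepath=corp-ad/creds
vault.secret.ad-linux.basepath=corp-ad/creds
vault.secret.ad-win.format.username=my-domain\%s
vault.secret.ad-linux.format.username=%s@my-domain.com
"""


@dataclass
class AliasConfig:
    basepath: str
    formats: dict = field(default_factory=dict)  # field name -> pattern with %s


def parse_properties(text: str) -> dict:
    """Minimal key=value reader.  Note that a java.util.Properties-style
    loader treats a backslash as an escape character, so a pattern like
    my-domain\\%s may need its backslash doubled there; this reader keeps
    the value verbatim."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_aliases(props: dict) -> dict:
    """Build one AliasConfig per entry of vault.secret.ad.types."""
    aliases = {}
    for alias in props["vault.secret.ad.types"].split(","):
        alias = alias.strip()
        prefix = f"vault.secret.{alias}."
        cfg = AliasConfig(basepath=props[prefix + "basepath"].rstrip("/"))
        fmt_prefix = prefix + "format."
        for key, pattern in props.items():
            if key.startswith(fmt_prefix):
                cfg.formats[key[len(fmt_prefix):]] = pattern
        aliases[alias] = cfg
    return aliases


def resolve_credential_id(credential_id: str, aliases: dict):
    """Split 'alias/role' into its alias config and the Vault read path.
    An unknown or missing alias prefix is rejected rather than guessed."""
    alias, sep, role = credential_id.partition("/")
    if not sep or not role or alias not in aliases:
        raise ValueError(f"credential id {credential_id!r} has no known alias prefix")
    cfg = aliases[alias]
    return cfg, f"{cfg.basepath}/{role}"


def format_field(cfg: AliasConfig, field_name: str, value: str) -> str:
    """Apply the alias's formatter for one field; no formatter means pass-through."""
    pattern = cfg.formats.get(field_name, "%s")
    if pattern.count("%s") != 1:
        raise ValueError(f"formatter {pattern!r} must contain exactly one %s")
    return pattern.replace("%s", value)


def resolve_all(username: str = "svc-discovery") -> dict:
    """Resolve every sample alias for the constructed role 'discovery'."""
    aliases = load_aliases(parse_properties(SAMPLE_CONFIG))
    results = {}
    for alias in aliases:
        cred_id = f"{alias}/discovery"
        cfg, path = resolve_credential_id(cred_id, aliases)
        results[cred_id] = (path, format_field(cfg, "username", username))
    return results


if __name__ == "__main__":
    for cred_id, (path, user) in resolve_all().items():
        print(f"{cred_id:20} -> read {path:28} username={user}")
```

Running it shows firstAD/discovery and secondAD/discovery reading from different Vault paths with the username untouched, while ad-win/discovery and ad-linux/discovery read the same path but hand ServiceNow my-domain\svc-discovery and svc-discovery@my-domain.com respectively.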


Last updated 2020-12-29

Copyright © 2020 JFLA Consulting