Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Receiving a 401 Unauthorized error response from ServiceNow

YJ
Explorer
‎03-05-2024 04:49 PM

Hi,

Have anyone faced this issue where you received a Unauthorized 401 error response from ServiceNow?

The scenario is as below.

We are using a AD service account userA to interact with ServiceNow for incident creation .

On Splunk Side, we are using Basic Auth.

On AD, user account is set to never expired.  

So far below we have checked the service account status. No changes was made but the issue was sudden.

Ran the query 

>index=_internal sourcetype="ta_snow_ticket host IN ( search head)

Above query was the one, we saw the Return code is 401 (Unauthorized)

What else can be checked? As of now, we are planning to reset the service account password and try again.

But if it works the issue is finding what cause the password to be changed when it have been set to never expires.

 

Labels (2)
0 Karma
Reply

PaulPanther
Builder
‎03-26-2024 08:22 AM

Have you verified that the used user has permissions to access ServiceNow via API? You could verify that with postman or a plain curl call.

 

0 Karma
Reply

YJ
Explorer
‎03-26-2024 04:44 PM

Hi Paul,

That was what I was suspecting, the service account permission to access the Servicenow. The only problem i have is getting the other team(Servicenow) to provide info for my troubleshooting as they are denying that it is their end with issue. I was thinking since the service account is an AD account, there will surely be a security group assign to the service account . I have actually point out that the service account did not have any grouping assigned to it thus there could be a possibility that the servicenow account does not have the permission to access the Servicenow. 

There were actually similar issues where we found that some AD users security group were missing after an issue happened. I will try to go through this path and check on the permission again.. Thanks for the advice.

0 Karma
Reply

mjones1
New Member
2 weeks ago

As a ServiceNow Admin, this is DEFINITELY a problem on the ServiceNow side.  Accounts calling the ServiceNow REST API need to be configured as web service only accounts, and have the correct roles applied based on what you're trying to read.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...