Impact Platform Health Connection Validation Fails Due to KMF Module Access Policy (AutoGen Result = Reject)Issue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Impact Platform Health connection validation between two ServiceNow instances fails with the error "User not setup in target instance." The system is unable to decrypt the OAuth client secret stored in sys_auth_profile_oauth2 because an automatically generated Module Access Policy (MAP) is blocking the KMF cryptographic module from processing the decryption request. This error is often misleading. The surface-level message ("User not setup in target instance") points to a credential or user configuration issue, but the actual failure occurs earlier in the call chain — at the point where the platform attempts to decrypt the OAuth client secret before initiating the outbound token request. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The following entries appear in the node logs around the time the connection validation is triggered. Note that the surface error "User not setup in target instance" will appear in the UI, but the actual root cause is only visible in the system/node logs. Search by transaction ID or by the timeframe when the issue was reproduced. Outbound OAuth token request to the target instance returns HTTP 401 (access_denied). The subsequent validate_instance API call also returns HTTP 401. Search by the sys_id of the application registry or by the transaction from the outbound HTTP log timeframe to locate the underlying KMF errors shown below. 2026-05-25 02:46:37 (153) KMFGlideEncrypterModuleKeyProvider - WARNING - Access denied to crypto modulez2026-05-25 02:46:37 (151) KMFCallerPolicyAccessHandler - ERROR - Access Denied to cryptographic module 'global.com_glide_web_service_consumer_glideencrypter'. For guidance on this issue, please refer to KB1112530.2026-05-25 02:46:37 (169) GlideElementPassword2 - WARNING - Value present in the column: password from table: sys_auth_profile_oauth2 may not be encrypted2026-05-25 02:46:37 (169) LegacyEncrypter - WARNING - string may not be encrypted: Input length must be multiple of 8 when decrypting with padded cipher2026-05-25 02:46:37 (168) KMFFormattedEncrypter - WARNING - Encrypted String is not a valid.: No value present2026-05-25 02:46:38 (662) FileLogger OUTBOUND_HTTP: response_status=401 app_scope=sn_se hostname=<instancename>.service-now.com path=/api/sn_se/validate_instance/validate_instance2026-05-25 02:46:37 (918) OAuthTokenRequestor - OAuthProblemException: error=server_error, description=access_denied, responseStatus=02026-05-25 02:46:37 (916) SecurityLogFileHandler - event=HTTP_OUTBOUND_REQUEST response_status=401 source_table=sys_ui_action app_scope=sn_se hostname=<instancename>.service-now.com path=/oauth_token.do Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Zurich, Australia, and later releases. Behavior is consistent with KMF AutoGen policy enforcement introduced in Tokyo and carried forward in subsequent family releases. Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } As part of the platform KMF (Key Management Framework) mandate, each application scope must have its own cryptographic module containing the key used to encrypt and decrypt values stored in password2-type fields within that scope. Any entity — Script Include, Business Rule, ACL, Scheduled Job, UI Action, or Flow — that needs to decrypt a password2 field must have a Module Access Policy (MAP) granting it access to the relevant cryptographic module. When a script or application entity accesses a cryptographic module for the first time and no explicit MAP exists, the platform automatically generates an AutoGen MAP record. These AutoGen records are created with Result = Reject by default from the Tokyo family release onward. This default-deny behavior is by design as a security measure, but it means that any script that has not yet been explicitly granted access will be blocked from decrypting credential values. In this case, the call chain is as follows: The Impact Engine connection validation triggers a UI Action in the sn_se scope.The UI Action calls Script Include ScanEngineApiUtil to initiate the OAuth token request to the target instance.ScanEngineApiUtil attempts to decrypt the OAuth client secret from sys_auth_profile_oauth2 using the cryptographic module global.com_glide_web_service_consumer_glideencrypter.The platform evaluates the AutoGen MAP for ScanEngineApiUtil against this crypto module. The Result is set to Reject.Decryption is blocked. The OAuth token request fails with HTTP 401 (access_denied). The validate_instance call also fails with HTTP 401.The connection validation reports "User not setup in target instance." This pattern is particularly common after a clone or an upgrade, where AutoGen policies may regenerate or reset to Reject before they have been reviewed and approved by a Security Admin. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Step 1. Navigate to Key Management Framework > Module Access Policies (table: sys_kmf_crypto_caller_policy). Step 2. Filter the list using one of the following approaches: Filter by Crypto Module contains "com_glide_web_service_consumer_glideencrypter"Filter by Target contains ScanEngineApiUtil, orNavigate directly to the MAP record if the sys_id is known from the system logs Step 3. From the filtered list, identify the AutoGen record where: Type = ScriptScript Table = Script Include [sys_script_include]Target Script = ScanEngineApiUtilResult = Reject Step 4. Open the record and change the Result field from Reject to Track. Step 5. Save the record. Step 6. Re-run the Impact Engine connection validation. The validation should complete successfullyNote: Modification of any Module Access Policy record is gated by KMF roles. The logged-in user must have either the kmf_admin or kmf_cryptographic_manager role assigned. Refer to KMF Roles Product Documentation for details. Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } KB1112530 - How to resolve Key Management Framework access denied errors for Password2 decryptionhttps://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1112530ServiceNow Docs (Zurich) - Module Access Policy Overview: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/key-management-framework/concept/module_access_policy_overview.htmlServiceNow Docs (Zurich) - Create a Module Access Policy: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/key-management-framework/task/create-module-access-policy.htmlCommunity Article - Using KMF for HMAC verification (MAP configuration guidance): https://developer.servicenow.com/blog.do?p=/post/using-kmf-for-hmac-verification/