Windows security event (ID 4625) is logged with Discovery


Even with credential affinities, the target machine may log a Windows security event with ID 4625. It  appears in the Windows Event Viewer under Windows Logs > Security as "An account failed to log on."
Discovery on the instance is successful.

Steps to Reproduce

Prerequisite Setup


  1. Add a Windows credential to successfully discover the Windows machine B.

  2. Run a discovery to target Windows machine B with MID Server A.

  3. Allow discovery to finish successfully.

  4. Log in to machine B and open the Event Viewer.

    NOTE: There should be a 4625 event logged with the user name that logged in to machine A.

    • Keywords: Audit Failure
    • Source: Microsoft Windows security auditing.
    • Event ID: 4625
    • Task Category: Logon

    Within the General Details area, messages will indicate that the attempt came from the MID Server host within the Network Information section.

  5. Run discovery again.

    NOTE: Even though a credential affinity is used, Microsoft will log an Audit Failure event to notify administrators when impersonation is being used.




For a Windows probe, ServiceNow uses impersonation to run a script as a credentialed user on a remote target. 

To verify that you have access to the target machine, execute the following command:
$results = gwmi win32_operatingsystem -computer $computer -credential $cred -impersonation 3 -authentication 6 -EA "Stop";

If this command fails, iterate to the next credential. If it passes, continue to execute the intended script against the target.

Based on the post When using Get-WMIObject, it uses current user credential first before using "-Credential" parameter on Microsoft forums, when impersonation is used, Windows will first attempt to run as the current user (or service account) before using the specified credential. Therefore, this is working as designed per Microsoft. Impersonation has existed in discovery for a while so at least one security event per probe will always be logged per probe; more if other commands in the script require impersonation.

Windows first tries to authenticate as the MID Server Windows service account. If this account has access to the target, no Audit Failure event is logged. To accomplish this, have a MID Server discover targets within the same domain.

Related Problem: PRB1239785