Excluding table-per-class (TPC) extended tables from a clone can cause orphaned Discovery Credentials with the 'Record not found' error when trying to open them


Cloning may cause orphaned records in the discovery_credentials table even when a data preserver is set up on the target instance and the table has been added to the excluded tables list on the source instance. With both in place, the table should not be touched at all during the clone, yet orphaned records are still created.

Symptoms include those listed in the article below:
KB0719158 Discovery Credentials - Orphaned cause "SEVERE *** ERROR *** An error occurred while decrypting credentials from instance"

Steps to Reproduce

  1. Create discovery credentials on your source instance.
  2. Create discovery credentials on your target instance.
  3. Preserve only the Credentials [discovery_credentials] table, and none of the child tables.
  4. Clone from your source instance to your target instance. 
  5. After the clone has completed, browse discovery_credentials records on your target instance.
  6. If opening a credential shows the 'Record not found' message, orphaned records have been generated.



This problem is fixed specifically for the discovery_credentials table from December 2019. Other table-per-class extended tables may still have a similar problem during clones. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.

The workaround consists of creating a Data Preserver record for each of the following tables:

| Label | Name | Extends table |
| --- | --- | --- |
| Ansible Tower Credentials | sn_cfg_ansible_credentials | Credentials |
| API Key Credentials | api_key_credentials | Credentials |
| Applicative Credentials | sa_applicative_credentials | Credentials |
| AWS Credentials | aws_credentials | Credentials |
| Azure Enterprise Agreement Credentials | ea_azure_credentials | Credentials |
| Basic Auth Credentials | basic_auth_credentials | Credentials |
| Chef Server Credentials | sn_cfg_chef_credentials | Credentials |
| CIM Credentials | cim_credentials | Credentials |
| Cloud Management Credential | cloud_credential | Credentials |
| Azure Service Principal | azure_service_principal | Cloud Management Credential |
| Cloud Mgmt Credentials | cmdb_cloud_mgmt_credentials | Credentials |
| CloudFoundry Credentials | sn_itom_pattern_pcf_credentials | Credentials |
| CMP Node Credential | sn_cmp_node_credentials | Credentials |
| CMP SSH Key Pair | sn_cmp_ssh_credentials | Credentials |
| Google API Credentials | gcp_credentials | Credentials |
| IBM Credentials | ibm_credentials | Credentials |
| Infoblox Credentials | sn_cmp_infoblox_credentials | Credentials |
| JDBC Credentials | jdbc_credentials | Credentials |
| JMS Credentials | jms_credentials | Credentials |
| Kubernetes Credentials | sn_itom_pattern_kubernetes_credentials | Credentials |
| OAuth 2.0 Credentials | oauth_2_0_credentials | Credentials |
| OpenStack Credentials | openstack_credentials | Credentials |
| SNMP Community Credentials (Password Only) | snmp_credentials | Credentials |
| SNMPv3 Credentials | snmpv3_credentials | Credentials |
| SSH Credentials | ssh_credentials | Credentials |
| SSH Private Key Credentials | ssh_private_key_credentials | Credentials |
| VMware Credentials | vmware_credentials | Credentials |
| Windows Credentials | windows_credentials | Credentials |


Note: This list is from a New York Patch 2 instance that has most ITOM- and Integrations-related plugins installed. Your instance may not have some of those, or may have additional ones. The following URL will list all the tables for your instance.


Please follow the steps below:

  1. Verify that the Discovery plugin is installed.
  2. In the Navigator, search for Credentials.
  3. Verify there are a variety of credential types (SSH, Windows, SNMP).
  4. On the source instance of a clone, type Preserve Data.
  5. Select Preserve Data under Clone Definition.
  6. Click the New button.
  7. Name your preserver (for example, SNMP to preserve the SNMP credentials).
  8. In the filter, type Credential, which should filter for all but the unusual names, like Azure Service Principal and CMP SSH Key Pair, which would need a different filter.
  9. Notice that a host of tables, which are extensions of discovery_credentials, show up as suggestions.
  10. Select the table for each type of credential (for example, snmp_credentials to preserve the SNMP credentials).
  11. Save the Preserver.
  12. Repeat steps 6 to 11 for each distinct type of credential you use and so need to preserve to avoid this problem. Although it would be safest to add preservers for all those listed, only the ones you actually have records in must be preserved.
  13. Go to your source instance and request a clone using the target instance where you defined the new data preservers for each type of credential.
  14. When the clone is complete, return to the Credentials list on the target instance.
  15. Select one of the credentials. Notice the record will have been preserved and there are no orphaned records.
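
An added example, not part of the original article or ServiceNow's own code: a pre-clone check that reports which credential tables from the list above hold records but still lack a Data Preserver. The table pairs, preserver list and row counts are constructed sample data standing in for exports from your instance, and the function names are hypothetical.

```javascript
// Constructed sample: [table name, parent table] pairs taken from the list above.
const TABLES = [
  ['discovery_credentials', null],
  ['ssh_credentials', 'discovery_credentials'],
  ['snmp_credentials', 'discovery_credentials'],
  ['windows_credentials', 'discovery_credentials'],
  ['cloud_credential', 'discovery_credentials'],
  ['azure_service_principal', 'cloud_credential'],
];

// Every table that extends `root`, directly or through an intermediate parent.
function descendantsOf(root, tables) {
  const children = new Map();
  for (const [name, parent] of tables) {
    if (parent === null) continue;
    if (!children.has(parent)) children.set(parent, []);
    children.get(parent).push(name);
  }
  const found = [];
  const queue = [root];
  const seen = new Set([root]);
  while (queue.length > 0) {
    for (const child of children.get(queue.shift()) || []) {
      if (seen.has(child)) continue; // guard against a malformed cyclic export
      seen.add(child);
      found.push(child);
      queue.push(child);
    }
  }
  return found;
}

// Child tables that are in use on the target but have no preserver of their own.
// Assumption: an intermediate parent is in use when any table below it has records.
function missingPreservers(root, tables, preserved, rowCounts) {
  const covered = new Set(preserved);
  const holdsRecords = (t) => (rowCounts[t] || 0) > 0;
  return descendantsOf(root, tables)
    .filter((t) => holdsRecords(t) || descendantsOf(t, tables).some(holdsRecords))
    .filter((t) => !covered.has(t))
    .sort();
}

// Constructed state matching the reproduction steps: only the base table preserved.
const PRESERVED = ['discovery_credentials'];
const ROW_COUNTS = { ssh_credentials: 4, windows_credentials: 2, azure_service_principal: 1 };

console.log(missingPreservers('discovery_credentials', TABLES, PRESERVED, ROW_COUNTS));
```

An empty result means every credential table that is in use has its own preserver; snmp_credentials is not reported here because the sample has no records in it.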

Note: When creating credentials on one instance, you should export the discovery credentials data using XML Export and import them into your other instances using XML Import. This will prevent creating the same discovery credentials data with different sys_ids.

Related Problem: PRB1305469