Windows Authentication Compatibility for MID Server related ServiceNow Features

Issue

Due to known security vulnerabilities in NTLM, our customers may want to limit older Windows Authentication protocols, such as NTLMv1 and NTLMv2, or use only the Kerberos protocol, which Microsoft has been recommending since at least 2010.

Release

Not release specific.

Resolution

When Windows type Credentials are entered in the credentials table in the instance, there is no option to specify which protocol is used, because that isn't something ServiceNow can control in the first place. It's up to the PowerShell and Windows OS stack to negotiate the authentication, whichever way works. Limiting the available protocols just limits what Windows can negotiate.

That means features like Discovery, Orchestration and IntegrationHub that use PowerShell probes via MID Server, and Windows type credentials from the instance, are compatible with any Windows Authentication protocols: NTLMv1, NTLMv2, Kerberos. Similarly, using WinRM, over SSL or not, and gMSA and JEA, should also not cause any problems if those are configured correctly.

Any limitations you find will be due to Microsoft's limitations, or your additional limitations and configurations set at the server or group policy level, and usually not ServiceNow's.

To be sure you won't have problems:

- Read up on NTLM to understand the history of it, and to get the terminology straight.
  https://en.wikipedia.org/wiki/NTLM
  https://en.wikipedia.org/wiki/Kerberos_(protocol)
- The MID Server application must be running on Windows. Linux MID Servers can't do PowerShell probes. (PowerShell <=5 is required, which can only run on Windows)
- Confirm that any MID Server hosts, plus all Windows endpoints the features communicate with, work with NTLMv2/Kerberos in general. If it doesn't authenticate without a MID Server involved, it won't with one.
- Confirm all Windows computers are members of a Windows Domain. Ideally have the MID Server host, MID Server Service user, Windows credential for the endpoint, and Endpoint computer in the same Domain to avoid cross-domain issues.
- Ensure that the hostname of the endpoint in the DNS matches the hostname in Active Directory (AD). Kerberos connects by hostname, not IP, and for authentication to work it has to be the hostname in AD. If the probe does a reverse DNS lookup to convert the IP to name, a different name returned by DNS will cause the probe to fail.
- Check if there are any Workgroup computers (not Domain members) that are limited to only NTLMv1, which may not be discoverable after the upgrade to NTLMv2. Servers in a DMZ are often not domain members.
- Consider using Kerberos authentication instead of NTLMv2, as Microsoft has recommended not using NTLM for many years, and Kerberos is the default in a domain environment.

And then there is always the option of moving away from an agent-less solution. You can use Agent Client Collector for Visibility instead of Horizontal Discovery, or the ACC Integration Hub Spoke instead of PowerShell probes/actions in Orchestration/Integration Hub. This avoids needing inbound authentication for the endpoints. This approach can be beneficial in scenarios where setting up inbound authentication for endpoints is complex or not feasible, thereby simplifying the overall process and enhancing security by reducing potential entry points for unauthorized access.

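A pre-flight check for the DNS and Kerberos items in the list above, as an added example (not ServiceNow code): run from the MID Server host, it confirms that reverse DNS for each endpoint IP returns a name that exists as a DNSHostName in AD, and that WinRM accepts Kerberos for that name with no MID Server involved. It assumes the RSAT ActiveDirectory module is installed and WinRM is enabled on the endpoints; the function name and the sample IPs are constructed placeholders.

```powershell
# Added example, not ServiceNow code. Run on the MID Server host as the MID Server
# service user, or pass the Windows credential used for the endpoint.
# Assumes: RSAT ActiveDirectory module installed, WinRM enabled on the endpoints.
param(
    [string[]]$TargetIp = @('192.0.2.10', '192.0.2.11'),  # constructed placeholders
    [pscredential]$Credential
)
Import-Module ActiveDirectory -ErrorAction Stop

function Test-EndpointAuthReadiness {
    param([string]$Ip, [pscredential]$Credential)
    $r = [ordered]@{ Ip = $Ip; PtrName = $null; ForwardOk = $false
                     InAd = $false; KerberosOk = $false; Note = '' }
    try {
        # Reverse lookup: the name a probe gets when it converts the IP to a hostname.
        $ptr = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop |
               Select-Object -First 1 -ExpandProperty NameHost
        $r.PtrName = $ptr

        # Forward lookup of that name should lead back to the same IP.
        $fwd = Resolve-DnsName -Name $ptr -Type A -ErrorAction Stop
        $r.ForwardOk = @($fwd.IPAddress) -contains $Ip

        # Kerberos needs the hostname AD knows: look the DNS name up in AD.
        $ad = Get-ADComputer -Filter "DNSHostName -eq '$ptr'"
        $r.InAd = [bool]$ad
        if (-not $ad) { $r.Note = 'DNS name not found as DNSHostName in AD' }

        # Force Kerberos so a silent fallback to NTLM cannot mask a problem.
        $wsman = @{ ComputerName = $ptr; Authentication = 'Kerberos'; ErrorAction = 'Stop' }
        if ($Credential) { $wsman.Credential = $Credential }
        Test-WSMan @wsman | Out-Null
        $r.KerberosOk = $true
    }
    catch {
        # Keep the first failure so the report shows where the chain broke.
        if (-not $r.Note) { $r.Note = $_.Exception.Message }
    }
    [pscustomobject]$r
}

$TargetIp | ForEach-Object { Test-EndpointAuthReadiness -Ip $_ -Credential $Credential } |
    Format-Table -AutoSize
```

Endpoints that report InAd or KerberosOk as False are the ones to fix in DNS or AD, or to review as Workgroup/DMZ hosts, before NTLM is restricted.
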
Related Links

KB0753041 Discovery authentication using Kerberos vs. NTLM
KB1156845 Troubleshooting Kerberos authentication during Discovery