Azure Key Vault integration with ServiceNow External Credential Store – Common setup issues, root causes, and resolutions

Issue

Credentials stored in Azure Key Vault fail during Test Credential and/or Discovery when resolved by the MID Server. Typical errors include Azure parameters showing as null, socket resets to *.vault.azure.net:443, or secret JSON mismatches that lead to invalid username/credential parsing.

Symptoms

Test of a credential configured with External credential store = Azure Key Vault fails. MID logs show one or more of:

- AzureAccessTokenManager - getTokenWithSecretKey ... tenantId=null, clientId=null
- MID Server is hosted outside of Azure cloud. Please check your Azure credential configuration in MID Server
- read ECONNRESET / socket exception to https://<vault>.vault.azure.net
- Errors indicating an invalid or missing username/secret derived from the retrieved JSON

After correcting the setup (config + network + JSON + mapping), external-store credentials test successfully and Discovery proceeds.

Release

Any release

Cause

- MID parameters added but MID not restarted → values remain null in logs (e.g., tenantId=null, clientId=null).
- Incorrect or missing config.xml parameters (for MID hosted outside Azure): ext.cred.azure.tenant_id, ext.cred.azure.client_id, ext.cred.azure.secret_key, ext.cred.azure.vault_name
- Network/TLS egress blocked from MID to *.vault.azure.net:443 (or SSL interception/proxy breakage) → ECONNRESET/socket errors.
- Credential ID mapping in the ServiceNow credential record is incorrect (e.g., using only <secret_name> when vault_name is not set in config.xml).
- Secret JSON schema in Key Vault does not match what the selected credential type expects (missing required keys, malformed PEM/string, wrong type, etc.).

Resolution

Perform the steps in order.

1. Configure MID (Outside Azure Only)

Steps: Edit the agent/config.xml file on the MID host. (Parameter names are case- and dot-sensitive.)

    <parameter name="ext.cred.azure.vault_name" secure="false" value="<azure_key_vault_name>"/> <!-- optional -->
    <parameter name="ext.cred.azure.tenant_id" secure="true" value="<tenant_id>"/>
    <parameter name="ext.cred.azure.client_id" secure="true" value="<client_id>"/>
    <parameter name="ext.cred.azure.secret_key" secure="true" value="<client_secret>"/>

Important: Restart the MID Server service after saving the file.

Validation: The next MID log entries should show tenantId=<guid> and clientId=<guid> (not null).

Note: If the MID is not restarted after adding or changing parameters, the logs will continue to show tenantId=null, clientId=null.

2. Configure MID (Inside Azure Only)

Steps:
- Use Managed Identity (system- or user-assigned) on the MID host.
- Grant the identity Get (and optionally List) Secret permissions on the Key Vault.
- No client secret parameters are required in config.xml.

Validation: The MID logs should show successful token retrieval without using a client secret.

3. Allow Outbound Network Access

Steps:
- Allow outbound HTTPS (443) from the MID host to:
  - *.vault.azure.net
  - the Azure AD login endpoint (e.g., login.microsoftonline.com)
- If a proxy is used, configure the MID to use it and ensure the proxy can reach these endpoints.

Quick Check: From the MID host, a Postman or curl "GET secret" request should succeed (no ECONNRESET).

4. Set Correct Credential ID in ServiceNow

Steps:
- Open the credential record where External credential store = Azure Key Vault.
- Use the appropriate format for the Credential ID:

  Condition                                        | Credential ID Format
  -------------------------------------------------|--------------------------------------
  ext.cred.azure.vault_name is set in config.xml   | <secret_name>
  ext.cred.azure.vault_name is not set             | <secret_name>:<azure_key_vault_name>

5. Store Secret in Correct JSON Format

Use these examples as a guide (actual fields depend on credential type):

Example 1 – Username/Password

    {
      "type": "<type_for_username_password>",
      "user": "<user_value>",
      "password": "<password_value>"
    }

Example 2 – Key-Based Authentication

    {
      "type": "<type_for_key_based_auth>",
      "user": "<user_value>",
      "private_key": "<PEM or key content>",
      "passphrase": ""
    }

Tips:
- Ensure valid JSON (no hidden or special characters).
- Preserve line breaks in PEM or key content.
- Include all required fields for the credential type.

6. Re-Test and Validate

Steps:
- Use Test Credential → expected result: Success.
- Re-run Discovery using the same credential.
- Verify in MID logs that authentication succeeds.

Common Errors and Quick Fixes

  Symptom                                  | Root Cause                              | Action
  -----------------------------------------|-----------------------------------------|--------------------------------------
  tenantId=null, clientId=null             | MID not restarted after config changes  | Restart MID Server
  read ECONNRESET to vault.azure.net:443   | Network or proxy blocking HTTPS         | Allow 443 and disable SSL inspection
  Invalid or empty username in logs        | Incorrect or missing JSON fields        | Fix JSON in Key Vault
  Local creds work, external fail          | Wrong Credential ID format              | Use correct format from table above

Related Links

MID Server Azure Key Vault integration
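An offline preflight check for steps 1, 4 and 5 above, written here as an added example (it is not ServiceNow code and does not contact Azure): it reads the ext.cred.azure.* parameters out of a constructed config.xml fragment, derives the Credential ID format the record needs, and validates a secret value against the JSON shapes shown in the examples. The credential-type names (username_password, key_based) and all sample values are placeholders assumed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the relevant agent/config.xml parameters (placeholder values, no vault_name set).
SAMPLE_CONFIG_XML = """<parameters>
  <parameter name="ext.cred.azure.tenant_id" secure="true" value="00000000-0000-0000-0000-000000000000"/>
  <parameter name="ext.cred.azure.client_id" secure="true" value="11111111-1111-1111-1111-111111111111"/>
  <parameter name="ext.cred.azure.secret_key" secure="true" value="placeholder-client-secret"/>
</parameters>"""

REQUIRED_OUTSIDE_AZURE = ("ext.cred.azure.tenant_id", "ext.cred.azure.client_id", "ext.cred.azure.secret_key")
# Keys each secret JSON must carry, following the article's two examples (type names are hypothetical).
REQUIRED_SECRET_KEYS = {
    "username_password": {"type", "user", "password"},
    "key_based": {"type", "user", "private_key", "passphrase"},
}

def load_azure_params(config_xml):
    """Return {name: value} for every ext.cred.azure.* parameter in the config.xml text."""
    root = ET.fromstring(config_xml)
    return {p.get("name"): p.get("value") for p in root.iter("parameter")
            if p.get("name", "").startswith("ext.cred.azure.")}

def missing_params(params):
    """Required parameters that are absent or empty; any hit means tenantId/clientId will log as null."""
    return [n for n in REQUIRED_OUTSIDE_AZURE if not params.get(n)]

def expected_credential_id(params, secret_name, vault_name):
    """Credential ID the ServiceNow record needs: bare <secret_name> when vault_name is in config.xml,
    otherwise <secret_name>:<azure_key_vault_name>."""
    return secret_name if params.get("ext.cred.azure.vault_name") else f"{secret_name}:{vault_name}"

def validate_secret_json(raw, cred_kind):
    """Parse a Key Vault secret value and list everything that would break credential parsing."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg}"]
    if not isinstance(doc, dict):
        return ["secret value is not a JSON object"]
    problems = [f"missing key: {k}" for k in sorted(REQUIRED_SECRET_KEYS[cred_kind] - set(doc))]
    for k, v in doc.items():  # hidden control characters (anything below 0x20 except newlines)
        if isinstance(v, str) and any(ord(c) < 32 and c not in "\n\r" for c in v):
            problems.append(f"hidden control character in {k}")
    if cred_kind == "key_based" and "\n" not in doc.get("private_key", "\n"):
        problems.append("private_key has no line breaks; PEM content must keep them")
    return problems
```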