Troubleshooting Azure Key Vault based credentials on Discovery

Issue

Credentials based on Azure Key Vault fail, causing discovery of the device to fail. The troubleshooting steps below help identify the root cause.

Symptoms

* Discovery of the device results in a credentials failure
* Error seen: "Problem with Client's Credentials Resolver"

Release

ALL

Resolution

Setup of Azure Key Vault as an external credential resolver: https://www.servicenow.com/community/itom-articles/configuring-external-vault-integration-azure-key-vault/ta-p/2945538

A working Azure Key Vault credential resolver, with debug logging enabled on the MID Server, produces log output like the example below.
To enable debug logging on the MID Server, follow the steps in: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1002812

#################
2025-11-12T17:11:32.593+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [CredentialResolverProxy:324] Calling CredentialResolver for Credential(<CREDENTIALS_USER>) to resolve <CREDENTIALS_USER>/windows/10.0.194.39 with Vault provider: Azure KeyVault lookup key: credential_id Resolution type: com.snc.mid.external.credential.resolver.azure_key_vault.AzureKeyVaultCredentialResolver
2025-11-12T17:11:32.594+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [CredentialResolverProxy:221] Resolving credential using FQCN (com.snc.mid.external.credential.resolver.azure_key_vault.AzureKeyVaultCredentialResolver) with configuration map ({ext.cred.azure.vault_name=itom-internal-systems, ext.cred.azure.tenant_id=<TENANT_ID>, ext.cred.azure.client_id=<CLIENT_ID>, ext.cred.azure.secret_key=******})
2025-11-12T17:11:32.594+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureKeyVaultCredentialResolver:75] Resolve method called with id= credType=windows dataType=secrets apiVersion=7.4
2025-11-12T17:11:32.594+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureAccessTokenManager:360] (128)AzureAccessTokenManager - getTokenWithSecretKey called with arguments [tenantId=<TENANT_ID>, clientId=<CLIENT_ID>, secretKey=******] scope =https://vault.azure.net/.default
2025-11-12T17:11:32.594+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureAccessTokenManager:269] (128)AzureAccessTokenManager - getToken with AzureServicePrincipal [ClientSecret[tenantId='<TENANT_ID>', clientId='<CLIENT_ID>', secretKey='******']]
2025-11-12T17:11:32.594+1300 INFO (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureAccessTokenManager:235] (128)AzureAccessTokenManager - Found cached token for key [<CLIENT_ID>+<TENANT_ID>+a2c441663ee1dfa2d752d883ce7be920be6cca89e97882be0bd684a734d1a807]
2025-11-12T17:11:32.595+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureKeyVaultCredentialResolver:81] Got token from azure successfully
2025-11-12T17:11:32.595+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureKeyVaultCredentialResolver:99] Build AzureVaultRequest with vaultName = itom-internal-systems id = <CREDENTIALS_USER> token = **** apiVersion = 7.4
2025-11-12T17:11:32.595+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureVaultService:75] getDataWithAuthToken called with endpoint = https://<AZURE_KEY_VAULT_ENDPOINT>/secrets/<CREDENTIALS_USER>?api-version=7.4
2025-11-12T17:11:32.813+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [AzureVaultService:84] getDataWithAuthToken http status code: 200
2025-11-12T17:11:32.816+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [VaultCredentialUtil:137] Username after prepending domain name from domain property: <DOMAIN_NAME>
2025-11-12T17:11:32.817+1300 INFO (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [VaultCredentialUtil:120] Credential fields retrieved from vault [pswd, type, user].Verify against required filed for windows credential type on product documentation site
2025-11-12T17:11:32.817+1300 DEBUG (Worker-Interactive:CommandPipeline-f4d8df9f33c9f210323854b46d5c7be3) [CredentialResolverProxy:357] resolve() for Credential(<CREDENTIALS_USER>) took: 224 ms.
#################

From the log above, check the outcome of the API call made to Azure Key Vault: "/secrets/<CREDENTIALS_USER>?api-version=7.4".
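The status check described above can be scripted over a MID Server agent log. This is an added example, not ServiceNow code: it assumes a failed call logs its status in the same "getDataWithAuthToken http status code:" line shown above, the sample log lines and vault host are constructed, and the hints reflect general Key Vault REST behaviour rather than anything stated in this article.

```python
import re

# Entry layout as in the log excerpt above: timestamp LEVEL (thread) [Class:line] message
ENTRY = re.compile(r"^\S+\s+[A-Z]+\s+\((?P<thread>[^)]+)\)\s+\[\w+:\d+\]\s+(?P<msg>.*)$")
ENDPOINT = re.compile(r"getDataWithAuthToken called with endpoint = (\S+)")
STATUS = re.compile(r"getDataWithAuthToken http status code: (\d{3})")
FIELDS = re.compile(r"Credential fields retrieved from vault \[([^\]]*)\]")

# Assumption: general Key Vault REST semantics, not taken from the article.
HINTS = {
    401: "token rejected: check tenant_id, client_id, secret_key and its expiry",
    403: "caller not authorised: check access policy/RBAC and the vault firewall",
    404: "secret not found: check vault_name and the credential ID",
}

# Constructed sample (hypothetical thread names and vault host), two interleaved lookups.
SAMPLE = """\
2025-01-01T10:00:00.000+0000 DEBUG (Worker-Interactive:CommandPipeline-aaaa) [AzureVaultService:75] getDataWithAuthToken called with endpoint = https://example-vault.vault.azure.net/secrets/cred-a?api-version=7.4
2025-01-01T10:00:00.100+0000 DEBUG (Worker-Interactive:CommandPipeline-bbbb) [AzureVaultService:75] getDataWithAuthToken called with endpoint = https://example-vault.vault.azure.net/secrets/cred-b?api-version=7.4
2025-01-01T10:00:00.200+0000 DEBUG (Worker-Interactive:CommandPipeline-aaaa) [AzureVaultService:84] getDataWithAuthToken http status code: 200
2025-01-01T10:00:00.210+0000 DEBUG (Worker-Interactive:CommandPipeline-bbbb) [AzureVaultService:84] getDataWithAuthToken http status code: 403
2025-01-01T10:00:00.220+0000 INFO (Worker-Interactive:CommandPipeline-aaaa) [VaultCredentialUtil:120] Credential fields retrieved from vault [pswd, type, user].Verify against required filed
"""

def triage(log_text):
    """Return one summary per Key Vault lookup, correlated by worker thread."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if (e := ENDPOINT.search(msg)):
            # A new lookup starts; status stays None if no response is ever logged.
            pending[thread] = {"thread": thread, "endpoint": e[1], "status": None,
                               "fields": [], "hint": "no status line logged for this call"}
            results.append(pending[thread])
        elif thread in pending and (s := STATUS.search(msg)):
            code = int(s[1])
            pending[thread].update(status=code, hint="ok" if code == 200
                                   else HINTS.get(code, "unexpected status"))
        elif thread in pending and (f := FIELDS.search(msg)):
            pending[thread]["fields"] = [x.strip() for x in f[1].split(",")]
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The status line is only written when debug logging is enabled on the MID Server, so a lookup reported with no status may simply mean debug was off.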
More on the API is detailed on the Microsoft site: https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal

* Make sure the above API returns an HTTP 200 response. If it does not return 200, work with Microsoft / the Azure Key Vault admins to assist.

To get more debug logs on the MID API query, either a) use Wireshark on the MID Server, or b) add the following to the wrapper configuration:

wrapper.java.additional.3=-Djavax.net.debug=all

More on wrapper configuration in the KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0717261

Once the Azure Key Vault API returns HTTP 200 and the credentials correctly, the next step is to check the connection with the devices, such as Windows, Linux, storage devices, etc. However, for some credential types, such as storage (CIM), ServiceNow does not provide the "Test Credentials" UI action, which makes testing slightly more complex. In such cases, use quick discovery of the device or the method below.

* For testing, use the "Invalidate external credential cache" UI action to flush the credentials cache on the MID Server.
* While debugging the network traffic between the MID Server and the external device, if the session contains no certificate, add the SSL certificates to the MID Server trust store and retest.
* For storage devices, use the tool https://<instance_name>/cim_query2.do

CIM Query Tool

This tool can be very useful for debugging connectivity and credential-related issues, as well as for viewing various API responses from the CIM server. It is an OOB tool in the instance, https://<INSTANCE_NAME>/cim_query2.do, where results are obtained by querying the SMI-S server.
It looks like the below.

Fill in the IP address of the CIM server, the namespace, and the MID Server, and choose the desired heading and identifier. Query for the result.

Service Location Protocol (SLP) is an ad hoc protocol for retrieving and associating configuration information about a CIM server's exact interop namespaces. ServiceNow Discovery retrieves the interop namespace of a CIM server via SLP and passes that information to the CIM Classify probe. Make sure to select the correct namespace while performing CIM queries. Alternatively, the "Namespace" query can be used to retrieve all the namespaces for a given vendor.

If there are any connectivity or credential-related issues, step #4 will fail; correct the error reported and reattempt step #4.

The "CIM Query" option also allows you to make queries that are not supported by the query language.

Refer to the help section of the above page for more information.

Related Links

https://www.servicenow.com/docs/r/servicenow-platform/mid-server/add-ssl-certificates.html