ATF Test Generator and Cloud Runner plugin enables mTLS and may impact proxy-based access

Issue

After installing the ATF Test Generator and Cloud Runner store application on a ServiceNow instance, proxy-based clients and enterprise VDI environments may be unable to access the instance. Users receive an "Access Denied" error indicating that mutual authentication is required, even though mTLS was not explicitly configured or desired for general instance access.

Symptoms

- Proxy-based clients or VDI environments receive an error such as: "Access Denied, as the website requiring mutual authentication is not allowed."
- Running an OpenSSL handshake test from the affected client environment shows "Acceptable client certificate CA names" in the output, indicating the load balancer is requesting a client certificate.
- Non-proxy clients (e.g., direct browser access) may not be affected and continue to function normally.
- The issue may appear after installing the ATF Test Generator and Cloud Runner plugin, or after enabling any feature that depends on Certificate-Based Authentication (CBA).
- Disabling mTLS at the instance level (setting glide.authenticate.mutual.enabled to false) alone does not resolve the issue.

Facts

- The ATF Test Generator and Cloud Runner is a store application, separate from the base Automated Test Framework (ATF), which is out-of-the-box.
- Installing the ATF Test Generator and Cloud Runner plugin automatically enables mTLS as a prerequisite and inserts a CA certificate into the sys_ca_certificate table.
- Once the CA certificate is propagated to the Application Delivery Controller (ADC/load balancer), the load balancer begins sending a TLS CertificateRequest during the handshake.
- The CertificateRequest is optional at the TLS level; however, certain enterprise proxies automatically respond by sending a client certificate.
- If the proxy-provided certificate cannot be validated by the load balancer, the TLS handshake fails and access is blocked.
- The plugin cannot be uninstalled once activated. Inactivating its application menu only hides the UI and does not reverse the mTLS configuration.
- The base ATF plugin (sn_atf.runner.enabled) has no dependency on mTLS and does not modify the ADC/load balancer configuration.

Release

All currently supported ServiceNow releases (Yokohama and later).

Cause

The ATF Test Generator and Cloud Runner plugin requires mTLS to function. When the plugin is installed, the following occurs:

1. mTLS is automatically enabled on the instance.
2. A CA certificate is inserted into the sys_ca_certificate table.
3. The CA certificate is propagated to the ADC (load balancer).
4. The ADC begins sending an optional TLS CertificateRequest to all clients connecting to the instance hostname.

Enterprise proxies often automatically respond to any CertificateRequest by sending a client certificate. If the load balancer cannot validate the proxy-provided certificate, the TLS handshake fails, resulting in access being denied. Non-proxy clients (direct browsers) typically do not send a certificate when the request is optional, so their TLS handshake completes successfully and access continues unaffected.

Resolution

Approach A: Use base ATF only (recommended if Cloud Runner is not required)

The base Automated Test Framework (ATF) and the Client Test Runner can be used without installing the ATF Test Generator and Cloud Runner. The base ATF does not require mTLS and will not modify the ADC configuration.

Approach B: Use Cloud Runner but remove the CA certificate after installation

If the ATF Test Generator and Cloud Runner plugin has already been installed or is required:

1. Navigate to the sys_ca_certificate table and identify the CA certificate that was automatically inserted during installation of the ATF Test Generator and Cloud Runner plugin.
2. Delete the CA certificate from the sys_ca_certificate table.

- Cloud Runner tests will continue to run as long as mTLS remains enabled on the instance.
- UI warnings about mTLS configuration may appear after the certificate is removed. These warnings are safe to dismiss.

Note: The CA certificate will always be re-inserted if the plugin is reinstalled. Manual removal after installation is the workaround.

Approach C: Remove stale ADC configuration (if mTLS is no longer desired)

If mTLS was previously enabled and subsequently disabled at the instance level, but the issue persists:

1. Set the system property glide.authenticate.mutual.enabled to false.
2. Restart all application nodes.
3. Verify the TLS handshake from the affected client environment by running:

       openssl s_client -tls1_2 -connect <instance>.service-now.com:443

   - If the output shows "No client certificate CA names sent", mTLS is fully disabled.
   - If the output shows "Acceptable client certificate CA names", a residual CA certificate configuration may still be associated on the ADC. Contact Technical Support to request cleanup of the stale CA certificate association on the load balancer.

Verification

After applying the resolution, run the following command from the client environment that was previously failing:

    openssl s_client -tls1_2 -connect <instance>.service-now.com:443

Expected result: The output should show "No client certificate CA names sent", confirming that the load balancer is no longer requesting client certificates.
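
The handshake check above, wrapped as a small script (an added example, not ServiceNow tooling): it classifies openssl s_client output by the two marker strings this article cites and lists the CA names the load balancer advertises, which helps identify the matching sys_ca_certificate entry. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# classify_handshake: read s_client output on stdin and print one of
#   requested      server sent a CertificateRequest listing CA names
#   not-requested  "No client certificate CA names sent" was reported
#   unknown        neither marker found (e.g. the connection failed)
classify_handshake() {
    awk '
        /Acceptable client certificate CA names/ { r = "requested" }
        /No client certificate CA names sent/ { if (r == "") r = "not-requested" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# list_ca_names: print the CA distinguished names the load balancer
# advertised, to match against entries in sys_ca_certificate.
list_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/) { in_list = 0 }
        in_list && NF { print }
    '
}

# check_instance HOST: live run of the article's command (stdin closed so
# s_client exits after the handshake). HOST is supplied by the operator.
check_instance() {
    out=$(openssl s_client -tls1_2 -connect "$1:443" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | classify_handshake
    printf '%s\n' "$out" | list_ca_names
}

# Constructed sample outputs (not captured from a real instance).
SAMPLE_MTLS='CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Constructed CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 4096 bytes and written 420 bytes'
SAMPLE_CLEAN='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 3900 bytes and written 410 bytes'

printf '%s\n' "$SAMPLE_MTLS" | classify_handshake
printf '%s\n' "$SAMPLE_CLEAN" | classify_handshake
```

Run check_instance from the affected proxy or VDI environment, since a direct client may complete the handshake even while the CertificateRequest is still being sent.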