MID Server Goes Down Intermittently — Authentication Failure Accessing KMF Signature Validation EndpointIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } MID Server Goes Down Intermittently — Authentication Failure Accessing KMF Signature Validation Endpoint Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } MID Servers intermittently transition to a **Down** or **Not Responding** state, even though no infrastructure changes occurred. - Restarting the MID Server temporarily restores normal operation, but the issue recurs. - Other MID Servers using the same service account credentials continue to function normally. - The following error appears in the MID Server log or system logs when the MID Server goes down: User is not authenticated Details: Required to provide Auth information Outbound HTTP log on the instance shows a failed request to the endpoint: /api/sn_kmf/v1/signature/validation_configuration No Discovery failures or functional errors were observed before the outage Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } ALL Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The MID Server service account is missing the **`sn_kmf_read`** role (and optionally `snc_platform_rest_api_access`). Without this role, the MID Server cannot authenticate against the `/api/sn_kmf/v1/signature/validation_configuration` REST endpoint. The failure is **intermittent** because the KMF endpoint is only called under specific conditions — such as session refresh, token expiry, or when a specific Discovery or integration task triggers a KMF-authenticated call. Most routine MID Server operations succeed without hitting this endpoint, which explains why: - Other MID Servers with the same account appear healthy (they may trigger KMF calls less frequently). - The issue is not consistently reproducible. - Restarting the MID Server temporarily resolves it (the session is re-established before the next KMF call). **Additionally**, firewall or proxy rules that block access to the KMF endpoint URL from the MID Server host can produce the same symptom. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } **Step 1 — Assign the missing role to the MID Server service account:** 1. Navigate to **User Administration > Users** on your ServiceNow instance. 2. Open the user account associated with the affected MID Server (typically the `mid.instance.username` value in `agent/config.xml`). 3. In the **Roles** related list, add the following roles: - `sn_kmf_read` - `snc_platform_rest_api_access` (verify this is already present via the inherited `mid_server` role; add directly if not) 4. Save the record. **Step 2 — Verify network connectivity to the KMF endpoint:** From the MID Server host, confirm that the following URL is reachable: ``` https://<your-instance>.service-now.com/api/sn_kmf/v1/signature/validation_configuration ``` If firewalls or proxies exist between the MID Server and the instance, ensure this path is allowed. **Step 3 — Restart the MID Server** after completing the above steps and monitor for recurrence. --- ### Workaround ### If the `sn_kmf_read` role cannot be assigned immediately (pending security approval), restarting the MID Server will temporarily restore connectivity. This is **not a permanent fix** — the issue will recur the next time the KMF endpoint is invoked. --- ### Validation ### After applying the resolution: 1. Monitor the MID Server status in **MID Server > Servers** for at least 24–48 hours. 2. Confirm no new `User is not authenticated` errors appear in the MID Server log (`agent/logs/agent0.log.0`). 3. Verify that the outbound HTTP log on the instance no longer shows 401 failures to `/api/sn_kmf/v1/signature/validation_configuration`. ---