Authentication failures in logs: [1] 24408 User authentication against Active Directory [2] 2056 – Subject not found in the applicable identity store(s)Issue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Authentication failure in logs :[1] 24408 User authentication against Active Directory failed since user has entered the wrong password.[2] 22056 – Subject not found in the applicable identity store(s) Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } all Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Password mismatch between the Servicenow_Discovery AD service account and the credential stored in ServiceNow is causing Discovery to repeatedly authenticate against network devices with an incorrect credential, generating mass failures via Cisco ISE. Error 24408 confirms AD is rejecting the password, and error 22056 indicates a separate set of GNB-prefixed accounts cannot be located in any identity store searched by ISE. Error 24408 This is an External-Active-Directory error meaning the user authentication against AD failed due to a wrong password. Cisco's resolution guidance is to check the user password credentials, and if the RADIUS request is using PAP for authentication, also verify the shared secret configured for the network device. StudyLib Reference: https://community.cisco.com/t5/network-access-control/cisco-ise-failure-24408-user-authentication-against-active/td-p/2225434 Error 22056 This error appears any time an authentication fails because the user is unknown to Cisco ISE. The subject could be a user who has not been provisioned in the network, or it is possible the administrator did not configure the user ID in ISE. Resolution is to check the local and external identity sources to verify whether the user ID exists, and if it does, ensure that both Cisco ISE and the associated access switch are configured to accept that user. (https://archive.org/stream/manualzilla-id-6862650/6862650_djvu.txt) Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html It is worth noting that both of these are Cisco ISE error codes — your client's network/security team who manage ISE are the right people to investigate these, Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Client's AD team to identify and correct the password change via Event ID 4723/4724, and update the credential in ServiceNow under Discovery > Credentials once confirmed. All Discovery schedules to be paused before any AD remediation is actioned to prevent immediate re-lockout. If the credential is used by other ServiceNow processes, a new dedicated credential should be created to isolate Discovery. Awaiting client confirmation of instance and scope of impact. Event ID 4723 — User changed their own password Event ID 4723 tracks user-initiated password changes. When you locate it in the Security log, the Subject field shows who changed the password and the Target Account field shows whose password was changed. Lepide Official Microsoft reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4723 Event ID 4724 — Administrator reset someone else's password Event ID 4724 fires whenever an administrator resets another user's password through Active Directory Users and Computers, PowerShell cmdlets, or local user management tools. It captures the administrator's identity, the target user account, timestamp, and the workstation from which the reset was initiated. Anavem Official Microsoft reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4724 One important caveat worth flagging — audit account management must be enabled in Group Policy before password change events will be logged. By default the Security event log retains events until it reaches its maximum size, then overwrites the oldest events. So if auditing isn't enabled or the logs have rolled over, the AD team may not be able to retrieve this information — this is worth noting so you are not surprised if it comes back empty.