Microsoft Active Directory authentication
It's not feasible to manually maintain a large set of users in any enterprise level application. This is why every organization maintains a master source of all users on a server. So, Service-Now should be integrated with the master source to import users for user's access.
Getting ready
In many organizations, the Microsoft Active Directory server is used as the master source of employee or user records. Users are allowed to log into the assigned laptop or desktop using active directory's or Windows username and password. Service-Now provides an inbuilt Lightweight Dictionary Access Protocol (LDAP) server to integrate with Microsoft Active Directory to import all users' records. To step through this recipe, all you need is an active Service-Now instance and valid credentials and an admin role.
How to do it...
- Open a standard web browser and type the web address (
http://{instance_address}.service-now.com) of the ServiceNow instance which is provided by the organization. - Now, for instance, if Service-Now is integrated with Microsoft Azure, then you will see the following login page:
Microsoft Azure page for Service-Now login
- Now, on the login page, enter active directory's username and password to log in. Please note, active directory's username and password are commonly referred to as windows credentials, as by this, you are allowed to log in on your organization's machine.
- On successful authentication, Service-Now, will allow you to log in to move further but if the username and password are not matched, then Service-Now will show an error message.
- Sometimes, you may observe that some fields in a user's records are not being imported in the Service-Now user table (
sys_user) properly so, in such cases, you may ask for access to Microsoft active directory where you can validate whether data is available in active directory or not. Refer to the following screenshot to see what the user record looks like in active directory:
User details in active directory server
How it works...
When the user enters the network domain credentials (username and password) on the login page, the Service-Now instance passes it to the LDAP server and the LDAP server responds with an authorized or unauthorized message which Service-Now determines whether to grant access or not. It is important to note that Service-Now can allow new users to login to an instance even if the user does not have an account. When the new user tries to login in to Service-Now, it automatically issues a query to the LDAP server and if the user record is found, the integration tries to authenticate it with the password. If the password is valid, Service-Now creates an account for the user.
There's more...
There are mainly two types of accounts – the network domain level account (authorized by the LDAP server – active directory integration) and the manual account (which is directly created in the Service-Now user table). So, for instance, if your customer's active directory server is not available or is down, then Service-Now will not allow any user to login on the instance because the LDAP query authentication fails. However, if as an admin, you want to access Service-Now, then you can access it via the manual account which is not authenticated by LDAP server. It is important to note that as an admin, you should have a non-AD or manual account for critical situations.
