Interpreting MID Server user debugging output

Release version: Xanadu

Updated August 1, 2024

4 minutes to read

Summarize

Summarized using AI

Summary of Interpreting MID Server user debugging output

This documentation explains how to enable and interpret MID Server user debugging output in ServiceNow. Debugging output helps diagnose connectivity and authentication issues related to MID Server users by providing either summary or detailed views. Enabling this output requires manually running a method on your instance. This feature is essential for troubleshooting MID Server user-related problems and understanding how errors are logged in theMID Server Issue [eccagentissue]table.

Show full answer Show less

Available Output Formats

Summary Output: Offers a high-level count of issues without naming specific MID Servers or users, useful for quick assessment.
Detailed Output: Provides specific information about users, their roles, associated MID Servers, and login activity, which helps in pinpointing root causes.

Common Debugging Messages and Their Meanings

Authentication Failures

Occurs when MID Server users cannot authenticate. Detailed logs specify user names, associated MID Servers (including those marked Down), and authentication failure messages. Common causes include incorrect passwords or misconfigured user accounts.

MID Server ID Map

This section lists all MID Servers marked as Down and maps them to user accounts having the midserver role, regardless of association. The map is divided into users not associated with any MID Server, users linked to Down MID Servers by sysid, and the Down MID Servers themselves.

Authorization Failures

Generated when users lack required roles despite having the midserver role. Error messages identify affected users and their associated MID Servers. The missing roles can be identified in the Parm2 field of the login.authorization.failed event record in the Event [sysevent] table.

Network Issues

Indicated when users associated or not associated with MID Servers have no login attempts within the configured reporting period (default is 4 hours). This suggests possible network connectivity problems preventing login attempts. The sampling period can be adjusted to align with the MID Server heartbeat interval (minimum 5 minutes) for more granular debugging.

Configuration Issues

Detected when users with the midserver role are not associated with any MID Server, or when users successfully log in but are not configured for any MID Server. Such cases may indicate role assignment errors or misconfiguration, as the midserver role should be reserved strictly for MID Server use.

Practical Implications for ServiceNow Customers

Enable MID Server user debugging output to gain visibility into authentication, authorization, network, and configuration issues affecting MID Server connectivity.
Use the summary output for a quick overview of issues by count, and switch to detailed output when specific user or MID Server information is needed for troubleshooting.
Review the detailed error messages to identify incorrect passwords, missing roles, or misconfigured user accounts and take corrective actions accordingly.
Adjust the login sampling period during remediation to capture timely login attempts and better understand network-related problems.
Regularly verify MID Server user-role assignments to prevent configuration errors that could impact MID Server operations.

Debugging output from the system log is available in either a summary or detailed view for MID Server user issues, but must be enabled manually.

To enable debugging and display all connectivity issues in either of the available formats, you must run a method manually on your instance. For instructions on enabling debugging, see Test remediation efforts for MID Server user connectivity issues. For information about each error condition and how records are created in the MID Server Issue [ecc_agent_issue] table, see MID Server user connectivity issues.

Available formats

You can configure the instance to generate a simple summary of the issue or a detailed output that identifies users and MID Servers. Summaries provide a quick look at the issue conditions, by count, while the detailed view allows you to examine roles, MID Server associations, and login activity by named users.

In this summary example of an authorization issue, the instance evaluates each condition and indicates how many users met that condition. You can see that a MID Server is down and that one of two users configured for a MID Server failed authorization. Because this is a summary, neither the MID Server nor the users are named.

Authentication failure

When a MID Server user cannot authenticate on the instance, the system displays these error messages in the detailed output:

In this example, three users with the mid_server role, midserver2, local-midserver, and ardis.maison, failed to authenticate. Two of these users were configured for MID Servers that were Down, and the other user was not configured for any MID Servers. Each of these users has an authentication failure and is named in the appropriate error message.

Figure 2. Detailed debugging log for authentication failure

MID Server ID map

The debugging output lists all MID Servers that are marked as Down and maps them to their user accounts by the MID Server sys_id. This map includes all user accounts that have the mid_server role, whether or not they are associated with a MID Server. If there are no Down MID Servers, the map is not displayed in the debugging output.

The map is presented in three sections:

User accounts not associated with any MID Servers.
User accounts associated with Down MID Servers, identified by their sys_id.
The sys_id of each Down MID Server, identified by name.

Authorization failure

If a user is missing any of the required roles, the instance generates these authorization failure messages:

Login authorization failure for User <user name> associated with 1 down MID Server. Re-assign mid_server role to grant all required roles.
Login authorization failure for User <user name> associated with <n> down MID Servers. Re-assign mid_server role to grant all required roles.
Login authorization failure for User <user name> with mid_server role not associated with a MID Server.

In this example, three users with the mid_server role, midserver2, local-midserver, and ardis.maison have failed authorization. One user is not associated with any MID Server, but the other two users are. The system has logged an authorization failure, indicating that the user is missing at least one critical role. To see what roles are missing, look at the comma separated list in the Parm2 field in the login.authorization.failed event record. This record is the most recent login attempt in the Event [sysevent] table for the user account within the reporting period.

Figure 4. Detailed debugging log for authorization failure

Network issues

Network issues may exist for these users who are associated with MID Servers, but who have not attempted to log in during the reporting period:

User <user name> is associated with 1 down MID Server. No login attempts within reporting period.
User <user name> is associated with <n> down MID Servers. No login attempts within reporting period.

Network issues may also exist for these users who are NOT associated with MID Servers, and who have not attempted to log in during the reporting period: User <user name> with mid_server role is not associated with a MID Server. No login attempts within reporting period.

In this example, no login attempts have been detected for midserver2, local-midserver, and ardis.maison, all of whom have the mid_server role. Two of those users are associated with MID Servers that are marked Down. The other user is not associated with any MID Server. None of these users has attempted to log in to the system within the configured reporting interval. The system assumes that these users would make an attempt to log in unless network issues prevented them from doing so.

Note:

By default, the sampling period is 4 hours. However, during debugging or remediation, the sampling period can be reset to a value that matches the MID Server heartbeat interval of 5 minutes, or greater.

Configuration issues

Any of the following messages can indicate a user configuration issue:

Login authentication failure for User <user name> with mid_server role not associated with a MID Server.
Login authorization failure for User <user name> with mid_server role not associated with a MID Server.
User <user name> with mid_server role successfully connected but not associated with a MID Server. The mid-server role should be reserved for MID Server use only.
User <user name> with mid_server role is not associated with a MID Server. No login attempts within reporting period.

In this example, a user with the mid_server role has logged in successfully within the configured sampling interval. However, this user is not configured for a MID Server and might have the role in error.

Figure 6. Detailed debugging log for MID Server user account login