01/18/2024 09:55 AM
Hello,
We are currently facing an issue while trying to provision mailboxes for users through the Saviynt Security Manager, utilizing the Windows PowerShell (Win PS) connector. Our setup includes a properly configured connection object, and we have the Saviynt APP along with IIS Server installed on a Windows machine.
We aim to execute a PowerShell script within the CREATEACCOUNTJSON or ENABLEACCOUNTJSON parameters to enable a remote mailbox. The script functions perfectly when executed directly in PowerShell on the server and even when invoked via a Postman call to the URL using JSON.
Powershell (success):
# Service-account credential used to open the Exchange remoting session
$username = 'service.userPlaceholder';
$password = '<password_placeholder>' | ConvertTo-SecureString -AsPlainText -Force;
# Single backslash in raw PowerShell (the doubled backslash belongs only to the JSON-escaped form)
$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('domainPlaceholder.com\service.userPlaceholder', $password);
# Implicit remoting session against the on-premises Exchange PowerShell endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/ -Credential $mycred -Authentication kerberos;
Import-PSSession $Session -AllowClobber;
$systemUserName = 'userPlaceholder';
# Double quotes are required here: inside single quotes ${systemUserName} is passed as literal text, not expanded
Enable-RemoteMailbox -Identity $systemUserName -RemoteRoutingAddress "${systemUserName}@domainPlaceholder.mail.onmicrosoft.com" -PrimarySmtpAddress "${systemUserName}@domainPlaceholder.com"
Postman (success):
However, when we incorporate the same script in Saviynt (ensuring adherence to the syntax outlined in the connector guide and confirming the absence of syntax parsing errors), we encounter a peculiar issue. The task within Saviynt's CREATEACCOUNTJSON or ENABLEACCOUNTJSON completes successfully, but the mailbox does not get provisioned in the backend. It appears as though the PowerShell script part is not being executed, yet no specific errors are recorded in the logs.
Saviynt (failed with error, but task gets processed):
{
"ENABLEACC": [
"Script=\$username = 'service.userPlaceholder'; \$password = '<password_placeholder>' | ConvertTo-SecureString -AsPlainText -Force; \$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('domainPlaceholder.com\\service.userPlaceholder', \$password); \$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/ -Credential \$mycred -Authentication kerberos; Import-PSSession \$Session -AllowClobber; \$systemUserName = 'userPlaceholder'; \$enabledMailboxDetails=Enable-RemoteMailbox -Identity \$systemUserName -RemoteRoutingAddress \"\${systemUserName}@domainPlaceholder.mail.onmicrosoft.com\" -PrimarySmtpAddress \"\${systemUserName}@domainPlaceholder.com\" -Confirm:\$false; if (\$enabledMailboxDetails) {Write-Host 'Mailbox enabled for the user'} else {Write-Error 'An error occurred'}"
],
"SuccessResponses": "Success"
}
Additionally, we have attempted to capture errors within the script (with the 'if' and 'else' statements), but the log does not yield any relevant information. We also noticed that debugEnabled is set to false, but we are unsure how to toggle this setting for more verbose logging. The logs on the IIS server indicate that the URL is being hit, but do not provide further detail.
We would greatly appreciate any insights or suggestions regarding the following:
Thank you in advance for your support and suggestions. Looking forward to resolving this with your expert insights.
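An added example, not code from the original post or from Saviynt's documentation, showing how the same script can be written so that a failure surfaces as an explicit "Failed" line and a non-zero exit code instead of a connector task that completes while nothing was provisioned. The log path, the Get-RemoteMailbox read-back and the marker strings are assumptions; every host, domain and account name is a placeholder.

```powershell
# Fail loudly: a provisioning script that cannot report success unless the mailbox really exists.
$ErrorActionPreference = 'Stop'                     # non-terminating cmdlet errors become exceptions
$logPath = 'C:\Saviynt\logs\enable-mailbox.log'     # assumed log location on the IIS host
$systemUserName = 'userPlaceholder'                 # value the connector substitutes (e.g. ${user.systemusername})
$session = $null
try {
    Start-Transcript -Path $logPath -Append | Out-Null
    # Credential for the Exchange remoting session; the password is expected to come from the
    # connector's encrypted store rather than being hard-coded in the script
    $password = '<password_placeholder>' | ConvertTo-SecureString -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ('domainPlaceholder.com\service.userPlaceholder', $password)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/' `
        -Credential $cred -Authentication Kerberos
    # Import only the two cmdlets the script needs instead of the whole Exchange command set
    Import-PSSession $session -AllowClobber -CommandName Enable-RemoteMailbox, Get-RemoteMailbox | Out-Null
    # Double quotes so $systemUserName is expanded; in single quotes the literal text would be sent
    $result = Enable-RemoteMailbox -Identity $systemUserName `
        -RemoteRoutingAddress "$systemUserName@domainPlaceholder.mail.onmicrosoft.com" `
        -PrimarySmtpAddress "$systemUserName@domainPlaceholder.com" -Confirm:$false
    # Verify instead of trusting the return value: read the remote mailbox back from Exchange
    $check = Get-RemoteMailbox -Identity $systemUserName
    if (-not $check) { throw "Enable-RemoteMailbox returned but no remote mailbox exists for $systemUserName" }
    Write-Output "Success: remote mailbox enabled for $systemUserName ($($check.PrimarySmtpAddress))"
}
catch {
    # Distinct marker for the connector's unsuccessResponses, plus a non-zero exit for the caller
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}
finally {
    if ($session) { Remove-PSSession $session }
    try { Stop-Transcript | Out-Null } catch { }
}
```

The "Success:" and "Failed:" prefixes are meant to be matched by the connector's SuccessResponses and unsuccessResponses, so the task state follows what Exchange actually did rather than whether the HTTP call returned.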
01/18/2024 07:18 PM
Check some related posts
https://forums.saviynt.com/t5/identity-governance/rest-exchange-ps-1-script-not-triggered/m-p/36965
01/29/2024 01:26 AM
@kelp984 we are also facing a similar issue, did you find any solution?
01/29/2024 11:53 AM
We ended up moving to the REST connector, using the same code (posted here) that worked in Postman, with the syntax as in this post: CreateAccountJSON - REST Connector for Enabling re... - Saviynt Forums - 54835. But currently we have the same issue as they had: hardcoded values work, but we don't know how to call the Saviynt variables. Let us know if you figure it out!
Connection JSON:
{
"authentications": {
"acctAuth": {
"authType": "Basic",
"url": "<URL>",
"httpMethod": "POST",
"httpParams": {},
"httpHeaders": {},
"httpContentType": "text/html",
"properties": {
"userName": "<<USERNAME>>/token",
"password": "<<PASSWORD>>"
},
"expiryError": "ExpiredAuthenticationToken",
"authError": [
"InvalidAuthenticationToken",
"AuthenticationFailed"
],
"timeOutError": "Read timed out",
"PS_Password": "<password>",
"errorPath": "error.code",
"maxRefreshTryCount": 5,
"tokenResponsePath": "access_token",
"tokenType": "Basic",
"accessToken": "Basic <<TOKEN>>",
"apiRateLimitConfig": {
"retryAfterCalls": 100,
"retryWaitSeconds": 60
}
}
}
}
PS_Password: the only thing to pass in the connectionJSON is the password, so that the password is encrypted.
Createaccount JSON:
{
"accountIdPath": "accountName",
"responseColsToPropsMap": {},
"call": [{
"name": "call1",
"connection": "acctAuth",
"url": "https://<hostname>/PS/ExecutePSScript",
"httpMethod": "POST",
"httpParams": "{\"Script\":\"$username = '<serviceAccount>'; $password = '<password>' | ConvertTo-SecureString -AsPlainText -Force; $mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('<domain>.com\\\\<serviceAccount>', $password); $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/' -Credential $mycred -Authentication kerberos; Import-PSSession $Session -AllowClobber; $systemUserName = '<ADsystemUserName>'; Enable-RemoteMailbox -Identity $systemUserName -RemoteRoutingAddress \\\"$systemUserName@<domain>.mail.onmicrosoft.com\\\" -PrimarySmtpAddress \\\"$systemUserName@<domain>.com\\\"\"}",
"httpHeaders": {
"Authorization": "Basic ________________"
},
"httpContentType": "application/x-www-form-urlencoded",
"SuccessResponses": {
"": [
"Success"
]
},
"unsuccessResponses": {
"responseMessage": [
"\"Failed\"",
"\"Powershell script taking too long Sample input: Invoke-Command -ComputerName \\\"<computer name>\\\" -ScriptBlock {command to execute} -Credential $Cred\""
]
}
}]
}
01/29/2024 12:11 PM
${user.systemusername}
01/29/2024 03:21 PM
without the quotation marks? ''
01/29/2024 03:32 PM
Yes
01/30/2024 12:07 PM
We ended up finding the solution. Refer to the solution here: Re: Integrating Saviynt Variables with REST Connec... - Saviynt Forums - 72692