Hello,
We are currently facing an issue while trying to provision mailboxes for users through the Saviynt Security Manager, utilizing the Windows PowerShell (Win PS) connector. Our setup includes a properly configured connection object, and we have the Saviynt APP along with IIS Server installed on a Windows machine.
We aim to execute a PowerShell script within the CREATEACCOUNTJSON or ENABLEACCOUNTJSON parameters to enable a remote mailbox. The script functions perfectly when executed directly in PowerShell on the server and even when invoked via a Postman call to the URL using JSON.
Powershell (success):
$username = 'service.userPlaceholder';
$password = '<password_placeholder>' | ConvertTo-SecureString -AsPlainText -Force;
$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('domainPlaceholder.com\\service.userPlaceholder', $password);
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/ -Credential $mycred -Authentication kerberos;
Import-PSSession $Session -AllowClobber;
$systemUserName = 'userPlaceholder';
Enable-RemoteMailbox -Identity $systemUserName -RemoteRoutingAddress '${systemUserName}@domainPlaceholder.mail.onmicrosoft.com' -PrimarySmtpAddress '${systemUserName}@domainPlaceholder.com'
Postman (success):
However, when we incorporate the same script in Saviynt (ensuring adherence to the syntax outlined in the connector guide and confirming the absence of syntax parsing errors), we encounter a peculiar issue. The task within Saviynt's CREATEACCOUNTJSON or ENABLEACCOUNTJSON completes successfully, but the mailbox does not get provisioned in the backend. It appears as though the PowerShell script part is not being executed, yet no specific errors are recorded in the logs.
Saviynt (failed with error, but task gets processed):
{
"ENABLEACC": [
"Script=\$username = 'service.userPlaceholder'; \$password = '<password_placeholder>' | ConvertTo-SecureString -AsPlainText -Force; \$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('domainPlaceholder.com\\service.userPlaceholder', \$password); \$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerPlaceholder.domainPlaceholder.com/PowerShell/ -Credential \$mycred -Authentication kerberos; Import-PSSession \$Session -AllowClobber; \$systemUserName = 'userPlaceholder'; \$enabledMailboxDetails=Enable-RemoteMailbox -Identity \$systemUserName -RemoteRoutingAddress '\${systemUserName}@domainPlaceholder.mail.onmicrosoft.com' -PrimarySmtpAddress '\${systemUserName}@domainPlaceholder.com' -Confirm:\$false; if (\$enabledMailboxDetails) {Write-Host 'Mailbox enabled for the user'} else {Write-Error 'An error occured'}"
],
"SuccessResponses": "Success"
}
Additionally, we have attempted to capture errors within the script (with the 'if' and 'else' statement, but the log does not yield any relevant information. We also noticed that debugEnabled is set to false, but we are unsure how to toggle this setting for more verbose logging. The logs on the IIS server indicate that the URL is being hit, but do not provide further detail.
We would greatly appreciate any insights or suggestions regarding the following:
- Script Execution: Steps to ensure that the PowerShell script within CREATEACCOUNTJSON or ENABLEACCOUNTJSON is executed as intended.
- Debugging: Methods to enable or access more detailed logging (specifically how to toggle debugenabled to true) to gain better visibility into the process and potential points of failure.
- Server Logs: Guidance on interpreting IIS server logs related to this issue or any additional logging that may help diagnose the problem.
Thank you in advance for your support and suggestions. Looking forward to resolving this with your expert insights.
