PARTNERS - Please join us for our upcoming webinar:
Leveraging Intelligent Recommendations for Operational Transformation.
AMS Partners Click HERE | EMEA/APJ Click HERE
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Mailbox provisioning - Access denied error

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/13/2023 04:58 PM - last edited on ‎02/29/2024 09:24 AM by Community Manager

Hi, 

I am working on Provisioning a mailbox using the REST connector. I am not able to figure out what is causing the access denied error. The account I use to connect to the exchange server has all the local and exchange Admin privileges. Port 80 and 443 are open and I am able to telnet on both windows (saviyntagent) and exchange servers.

Below is my CreateAccountJSON:

{
"accountIdPath": "accountName",
"responseColsToPropsMap": {},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "http://xxxxx.xxxxx.com/SaviyntApp/PS/ExecutePSScript",
"httpMethod": "POST",
"httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\XXX_XXXXXX_svc',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxx.xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xx'}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/x-www-form-urlencoded",
"SuccessResponses": {
"": [
"Success"
]
},
"unsuccessResponses": {
"responseMessage": [
"\"Failed\""
]
}
}
]
}

 

Error log: Attached

0 Kudos
10 REPLIES 10

Go to solution
smitg
Regular Contributor III
Regular Contributor III

‎06/13/2023 09:41 PM

@umang28 ,

Error seems to be an service account access related issue. Are you able to enable mailbox by running these commands on standlone powershell on windows server.

0 Kudos

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/14/2023 06:24 AM

@smitg 

Yes I am able to enable a mailbox if I run the script from powershell. This error occurs only when the script is triggered from the Saviynt REST connector. 

0 Kudos

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/19/2023 06:52 AM

Any help on this issue? 

0 Kudos

Go to solution
khalidakhter
Saviynt Employee
Saviynt Employee

‎06/20/2023 10:39 AM - last edited on ‎02/29/2024 09:25 AM by Community Manager

Hi @umang28 

Can you please run the below script directly from the Powershell where the IIS server has been configured and share the screenshot?

 

$sAMAccName = 'T-D3Q2';$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\XXX_XXXXXX_svc',$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential $mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity $Using:sAMAccName -Database 'xxx'}

 

0 Kudos

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/20/2023 02:51 PM - last edited on ‎02/29/2024 09:25 AM by Community Manager

Hi @khalidakhter PFA screenshot. I was able to validate the mailbox creation in Exchange Admin Center. 

0 Kudos

Go to solution
khalidakhter
Saviynt Employee
Saviynt Employee

‎06/20/2023 09:50 PM

@umang28 

Instead of running a PS script file, Can you please run the above PS command directly? Or, Please share the Saviynt.PS1 file as well. 

0 Kudos

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/21/2023 08:23 AM

PFA running the script directly. I think I can get passed the error if I add the following lines in the HTTP Params:

Get-ExecutionPolicy;

Set-ExecutionPolicy -ExecutionPolicy unrestricted -Scope CurrentUser;

This is how I added and got the following error

"httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\xxxx',\\$pass;\\$executionpolicy = 'Unrestricted';Set-ExecutionPolicy -ExecutionPolicy \\$executionpolicy -Scope CurrentUser;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xxx'}\"}",

 

I guess I am not adding them correctly. Could you please let me know how these lines can be added?

Logs:

2023-06-21 14:57:02,344 [quartzScheduler_Worker-1] DEBUG rest.RestUtilService - Got showLogs = true
2023-06-21 14:57:02,345 [quartzScheduler_Worker-1] DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[Cache-Control: private, Content-Type: application/json; charset=utf-8, Server: Null, X-AspNetMvc-Version: Null, X-AspNet-Version: Null, X-Powered-By: Null, Date: Wed, 21 Jun 2023 14:57:04 GMT, Content-Length: 2679], responseText:"Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName) System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)", cookies:[], statusCode:500]

Even though the execution policy is all set to unrestricted, it still complains in the logs. So I guess we have to explicitly pass the execution policy to unrestricted in the JSON to work. 

 

 

 

Preview file
6 KB
Preview file
12 KB
Preview file
89 KB

Go to solution
umang28
Regular Contributor
Regular Contributor

‎06/22/2023 10:31 AM

@khalidakhter  Could you also please confirm while creating an application pool in IIS I only get an option to select DOTNET CLR Version v4.0.30319 from the drop down while in the documentation it mentions to select 

  1. Select the framework version as DOTNET Framework v4.0.30319.

Can this be any of a concern? 

 

0 Kudos

Go to solution
khalidakhter
Saviynt Employee
Saviynt Employee

‎07/05/2023 02:10 AM

@umang28 

The DOTNET CLR Version v4.0.30319 is the correct option to choose while creating an application pool.
As you are getting a 500 status code, Can you please confirm if you are getting a successful 200 status code for executing Test-NetConnection localhost through Postman?

I will recommend creating a Saviynt Service Ticket where this issue can be looked into thoroughly.

0 Kudos

Go to solution
umang28
Regular Contributor
Regular Contributor

‎08/23/2023 01:10 PM

@khalidakhter I was able to resolve the issue by setting the following on the windows server where the agent is deployed:

  • Advanced setting of the application pool: Set 'Load User Profile' to 'True'
  • Advanced setting of the application pool: Set the identity to the service account rather than the default app pool user 
  • Set-ExecutionPolicy RemoteSigned

Thanks,

 

1 person found this solution to be helpful.
Copyright © 2024 Khoros, LLC