Mailbox provisioning - Access denied error

umang28
Regular Contributor

Hi, 

I am working on provisioning a mailbox using the REST connector. I am not able to figure out what is causing the access denied error. The account I use to connect to the Exchange server has all the local and Exchange admin privileges. Ports 80 and 443 are open and I am able to telnet on both the Windows (Saviynt agent) and Exchange servers.

Below is my CreateAccountJSON:

{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {},
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "http://xxxxx.xxxxx.com/SaviyntApp/PS/ExecutePSScript",
      "httpMethod": "POST",
      "httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\XXX_XXXXXX_svc',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxx.xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xx'}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "SuccessResponses": {
        "": [
          "Success"
        ]
      },
      "unsuccessResponses": {
        "responseMessage": [
          "\"Failed\""
        ]
      }
    }
  ]
}

Error log: Attached

smitg
Regular Contributor III

@umang28 ,

The error seems to be a service account access-related issue. Are you able to enable the mailbox by running these commands in standalone PowerShell on the Windows server?

umang28
Regular Contributor

@smitg 

Yes, I am able to enable a mailbox if I run the script from PowerShell. This error occurs only when the script is triggered from the Saviynt REST connector.

umang28
Regular Contributor

Any help on this issue? 

khalidakhter
Saviynt Employee

Hi @umang28 

Can you please run the below script directly from PowerShell on the server where IIS has been configured and share the screenshot?

$sAMAccName = 'T-D3Q2';$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\XXX_XXXXXX_svc',$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential $mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity $Using:sAMAccName -Database 'xxx'}

umang28
Regular Contributor

Hi @khalidakhter PFA screenshot. I was able to validate the mailbox creation in Exchange Admin Center. 

khalidakhter
Saviynt Employee

@umang28 

Instead of running a PS script file, can you please run the above PS command directly? Or please share the Saviynt.PS1 file as well.

umang28
Regular Contributor

PFA running the script directly. I think I can get past the error if I add the following lines in the HTTP Params:

Get-ExecutionPolicy;

Set-ExecutionPolicy -ExecutionPolicy unrestricted -Scope CurrentUser;

This is how I added them, and I got the following error:

"httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\xxxx',\\$pass;\\$executionpolicy = 'Unrestricted';Set-ExecutionPolicy -ExecutionPolicy \\$executionpolicy -Scope CurrentUser;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xxx'}\"}",

I guess I am not adding them correctly. Could you please let me know how these lines can be added?

Logs:

2023-06-21 14:57:02,344 [quartzScheduler_Worker-1] DEBUG rest.RestUtilService - Got showLogs = true
2023-06-21 14:57:02,345 [quartzScheduler_Worker-1] DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[Cache-Control: private, Content-Type: application/json; charset=utf-8, Server: Null, X-AspNetMvc-Version: Null, X-AspNet-Version: Null, X-Powered-By: Null, Date: Wed, 21 Jun 2023 14:57:04 GMT, Content-Length: 2679], responseText:"Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName) System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)", cookies:[], statusCode:500]

Even though the execution policy is all set to unrestricted, it still complains in the logs. So I guess we have to explicitly pass the execution policy as unrestricted in the JSON for it to work.

umang28
Regular Contributor

@khalidakhter Could you also please confirm: while creating an application pool in IIS, I only get the option to select DOTNET CLR Version v4.0.30319 from the drop-down, while the documentation says to select

  1. Select the framework version as DOTNET Framework v4.0.30319.

Can this be a concern?

khalidakhter
Saviynt Employee

@umang28 

The DOTNET CLR Version v4.0.30319 is the correct option to choose while creating an application pool.
As you are getting a 500 status code, can you please confirm whether you get a successful 200 status code when executing Test-NetConnection localhost through Postman?

I would recommend creating a Saviynt Service Ticket so that this issue can be looked into thoroughly.

umang28
Regular Contributor

@khalidakhter I was able to resolve the issue by setting the following on the windows server where the agent is deployed:

  • Advanced setting of the application pool: Set 'Load User Profile' to 'True'
  • Advanced setting of the application pool: Set the identity to the service account rather than the default app pool user 
  • Set-ExecutionPolicy RemoteSigned

Thanks,
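The three settings from the resolving post above, as an added PowerShell script (not from the thread or from Saviynt) that applies and verifies them on the Saviynt agent host. It assumes the IIS application pool is named 'SaviyntApp' and reuses the thread's masked service account and Exchange URI as placeholders; the pool password is prompted for rather than embedded in the script or in the connector JSON.

```powershell
# Added example (not from the thread or from Saviynt): apply and verify the
# app-pool and execution-policy settings that resolved the access denied error.
# Assumptions: pool name 'SaviyntApp'; account and URI are thread placeholders.
# Run from an elevated PowerShell on the agent host.
Import-Module WebAdministration

$PoolName    = 'SaviyntApp'                     # assumed pool name
$SvcAccount  = 'mtestnet\XXX_XXXXXX_svc'        # placeholder from the thread
$ExchangeUri = 'http://xxxxx.com/PowerShell'    # placeholder from the thread

$pool = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $pool)) { throw "Application pool '$PoolName' not found" }

# 1. Load the user profile so the worker process gets an HKCU hive. Without
#    it, Set-ExecutionPolicy -Scope CurrentUser hits the registry-key
#    'access denied' seen in the log.
Set-ItemProperty $pool -Name processModel.loadUserProfile -Value $true

# 2. Run the pool as the service account instead of the default
#    ApplicationPoolIdentity (the thread's second fix).
$cred = Get-Credential -UserName $SvcAccount -Message 'App pool identity'
Set-ItemProperty $pool -Name processModel.identityType -Value 'SpecificUser'
Set-ItemProperty $pool -Name processModel.userName -Value $cred.UserName
Set-ItemProperty $pool -Name processModel.password `
    -Value $cred.GetNetworkCredential().Password
Restart-WebAppPool -Name $PoolName

# 3. RemoteSigned at machine scope is enough for the connector's inline
#    script; Unrestricted (tried earlier in the thread) is not required.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 4. Verify: effective pool settings, policy per scope, and a remoting
#    session to the Exchange endpoint with the same options the connector uses.
Get-ItemProperty $pool -Name processModel |
    Select-Object identityType, userName, loadUserProfile | Format-List
Get-ExecutionPolicy -List

$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $ExchangeUri -Credential $cred `
    -Authentication Kerberos -SessionOption $opt
"Exchange remoting session state: $($session.State)"
Remove-PSSession $session
```

If step 4 reports an Opened session under the service account but the connector still gets a 500, the remaining difference is the identity the IIS worker actually runs as, which the Get-ItemProperty output shows.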