06/13/2023 04:58 PM - last edited on 02/29/2024 09:24 AM by Dave
Hi,
I am working on provisioning a mailbox using the REST connector. I am not able to figure out what is causing the access denied error. The account I use to connect to the Exchange server has all the local and Exchange admin privileges. Ports 80 and 443 are open and I am able to telnet to both the Windows (saviyntagent) and Exchange servers.
Below is my CreateAccountJSON:
{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {},
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "http://xxxxx.xxxxx.com/SaviyntApp/PS/ExecutePSScript",
      "httpMethod": "POST",
      "httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\XXX_XXXXXX_svc',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxx.xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xx'}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "SuccessResponses": {
        "": [
          "Success"
        ]
      },
      "unsuccessResponses": {
        "responseMessage": [
          "\"Failed\""
        ]
      }
    }
  ]
}
Error log: Attached
06/13/2023 09:41 PM
@umang28 ,
The error seems to be a service account access related issue. Are you able to enable the mailbox by running these commands in a standalone PowerShell on the Windows server?
06/14/2023 06:24 AM
Yes I am able to enable a mailbox if I run the script from powershell. This error occurs only when the script is triggered from the Saviynt REST connector.
06/19/2023 06:52 AM
Any help on this issue?
06/20/2023 10:39 AM - last edited on 02/29/2024 09:25 AM by Dave
Hi @umang28
Can you please run the below script directly from PowerShell on the server where IIS has been configured and share the screenshot?
$sAMAccName = 'T-D3Q2';$pass = convertto-securestring -AsPlainText -Force -String 'xxxxx';$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\XXX_XXXXXX_svc',$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential $mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity $Using:sAMAccName -Database 'xxx'}
06/20/2023 02:51 PM - last edited on 02/29/2024 09:25 AM by Dave
Hi @khalidakhter PFA screenshot. I was able to validate the mailbox creation in Exchange Admin Center.
06/20/2023 09:50 PM
Instead of running a PS script file, can you please run the above PS command directly? Or, please share the Saviynt.PS1 file as well.
06/21/2023 08:23 AM
PFA running the script directly. I think I can get past the error if I add the following lines in the HTTP Params:
Get-ExecutionPolicy;
Set-ExecutionPolicy -ExecutionPolicy unrestricted -Scope CurrentUser;
This is how I added them, and I got the following error:
"httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String 'xxxx';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'mtestnet\\\\\\\\xxxx',\\$pass;\\$executionpolicy = 'Unrestricted';Set-ExecutionPolicy -ExecutionPolicy \\$executionpolicy -Scope CurrentUser;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://xxxxx.com/PowerShell' -Credential \\$mycred -Authentication Kerberos -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'xxx'}\"}",
I guess I am not adding them correctly. Could you please let me know how these lines can be added?
Logs:
2023-06-21 14:57:02,344 [quartzScheduler_Worker-1] DEBUG rest.RestUtilService - Got showLogs = true
2023-06-21 14:57:02,345 [quartzScheduler_Worker-1] DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[Cache-Control: private, Content-Type: application/json; charset=utf-8, Server: Null, X-AspNetMvc-Version: Null, X-AspNet-Version: Null, X-Powered-By: Null, Date: Wed, 21 Jun 2023 14:57:04 GMT, Content-Length: 2679], responseText:"Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName) System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. 
To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. System.Exception: Failed error streamAccess to the registry key \u0027HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\u0027 is denied. To change the execution policy for the default (LocalMachine) scope, start Windows PowerShell with the \"Run as administrator\" option. To change the execution policy for the current user, run \"Set-ExecutionPolicy -Scope CurrentUser\".[xxx.mtestnet.com] Connecting to remote server xxx.mtestnet.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)\r\n at MVC_FIM.Services.PowerShellService.fnExecuteScript(String ScriptName)", cookies:[], statusCode:500]
Even though the execution policy is all set to unrestricted, it still complains in the logs. So I guess we have to explicitly pass the execution policy to unrestricted in the JSON to work.
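An added diagnostic script, not from this thread or from Saviynt, that can be sent through the same ExecutePSScript call (or run interactively) to show why the connector path fails where an interactive window succeeds: it records the identity the script really runs under, sets the execution policy at Process scope so no HKCU registry write is attempted (the write the log above reports as denied), and returns the session's own error text instead of a bare "Failed". The URI, account, database and the SAVIYNT_SVC_PASSWORD environment variable are assumptions.

```powershell
# Added diagnostic for this thread (not Saviynt's or the poster's code). Host names, the
# mailbox database and the service account are placeholders; the password is read from
# an environment variable on the agent host instead of being embedded in the JSON.
param(
    [string]$ExchangeUri = 'http://EXCHANGE_HOST_PLACEHOLDER/PowerShell',
    [string]$UserName    = 'mtestnet\SVC_ACCOUNT_PLACEHOLDER',
    [string]$Database    = 'DATABASE_PLACEHOLDER',
    [string]$Identity    = 'T-D3Q2'
)
$report = [ordered]@{}

# 1. Which identity is actually running this script? Through IIS it is the application
#    pool identity, not the admin who tested from an interactive PowerShell window.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$report.RunningAs  = $who.Name
$principal         = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $who
$report.IsElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Process scope changes the policy for this session only and never writes HKCU,
#    which is the registry key the error log reports as access denied.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
$report.EffectivePolicy = (Get-ExecutionPolicy).ToString()

# 3. Can this process reach the Exchange PowerShell virtual directory on port 80 at all?
$exchangeHost = ([Uri]$ExchangeUri).Host
$report.TcpPort80 = (Test-NetConnection -ComputerName $exchangeHost -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. Open the Exchange session with explicit Kerberos credentials, as the connector does.
$secret = $env:SAVIYNT_SVC_PASSWORD   # assumption: set in the app pool's environment
if (-not $secret) { throw 'SAVIYNT_SVC_PASSWORD is not set for this process identity' }
$securePass = ConvertTo-SecureString -AsPlainText -Force -String $secret
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $securePass
$opt  = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
try {
    $mbx = Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeUri `
        -Credential $cred -Authentication Kerberos -SessionOption $opt -ErrorAction Stop `
        -ScriptBlock { Enable-Mailbox -Identity $Using:Identity -Database $Using:Database }
    $report.Result  = 'Success'
    $report.Mailbox = $mbx.PrimarySmtpAddress
} catch {
    # Keep the real reason instead of collapsing it to the connector's generic "Failed".
    $report.Result = "Failed: $($_.Exception.Message)"
}

# The connector's SuccessResponses / unsuccessResponses patterns match on this output.
$report | ConvertTo-Json -Depth 3
```

Comparing RunningAs and IsElevated between the interactive run and the IIS-triggered run tells you which account needs the Exchange RBAC assignment and local rights, which is the usual reason the same command works in one and not the other.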
06/22/2023 10:31 AM
@khalidakhter Could you also please confirm something: while creating an application pool in IIS I only get the option to select DOTNET CLR Version v4.0.30319 from the drop down, while the documentation says to select:
Select the framework version as DOTNET Framework v4.0.30319.
Can this be of any concern?
07/05/2023 02:10 AM
The DOTNET CLR Version v4.0.30319 is the correct option to choose while creating an application pool.
As you are getting a 500 status code, can you please confirm whether you get a successful 200 status code for executing Test-NetConnection localhost through Postman?
I will recommend creating a Saviynt Service Ticket where this issue can be looked into thoroughly.
08/23/2023 01:10 PM
@khalidakhter I was able to resolve the issue by setting the following on the Windows server where the agent is deployed:
Thanks,