04/04/2023 08:54 AM
Hi all,
We’re configuring the Win-PS connector in Saviynt to provision mailboxes to Exchange Hybrid via PowerShell. Provisioning is successful in our lower environment, but in production we’re running into errors. Specifically, we have a pending task to provision a mailbox for a user with an Active Directory account. When we run the Win-PS provisioning job, the task fails, and we only see one HTTP 500 error in the logs. On the Win-PS server, we see the same HTTP 500 error in the IIS logs. Otherwise, we don’t get any errors under Windows Remote Management in Event Viewer.
We aren’t sure what’s going wrong, especially since this works in our lower environment. We’ve verified locally with Postman that POST calls execute successfully. Connectivity is also green between SC2.0 and the Win-PS server. Permissions mirror our permissions in our lower environment, as do IIS settings and bindings.
Some things we’ve tried include:
Any ideas of where to look for problems or alternative configurations are appreciated.
This is our create account script:
{"CREATEACC":["Script=\$pass = convertto-securestring '${PSSCRIPT_PASSWORD}' -asplaintext -force; \$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist '<DOMAIN>\\\\<account>', \$pass; \$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Exchange-hostname>.local/PowerShell -Credential \$mycred -Authentication kerberos; \$ses=Import-PSSession \$Session -DisableNameChecking -AllowClobber; Set-ADServerSettings -ViewEntireForest \$true; \$userPrincipalName = Get-ADUser -Filter \"<attribute> -eq '${user.username}'\" | Select-Object -ExpandProperty userPrincipalName; Enable-RemoteMailbox -Identity \$userPrincipalName -RemoteRoutingAddress '${user.firstname.toLowerCase()}.${user.lastname.toLowerCase()}@<domain>'; Set-RemoteMailbox -Identity \$userPrincipalName -EmailAddressPolicyEnabled \$False -PrimarySmtpAddress '${user.firstname.toLowerCase()}.${user.lastname.toLowerCase()}${if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else if(user.departmentNumber.startsWith('<letters>')){'@<letters>.<domain>'}else{'@letters.domain'}}'"],"SuccessResponses":"TRUE"}
04/07/2023 12:44 PM
Hi
Can you confirm the below:
1. Are you using the same IIS / Win-PS server for Non-PRD and PRD?
2. If it is a separate server, can you confirm that IIS is working properly on the Win-PS server by browsing to the IIS landing page in a browser at http://localhost or http://<ipaddress>?
04/11/2023 06:21 AM
1. We aren't using the same server.
2. I can navigate to that address
We did figure out the problem; I'll add a reply explaining the issue.
04/11/2023 06:24 AM
We figured out the issue: we were creating a mailbox with the same proxy mailbox address as an existing, disabled account. Saviynt doesn't ingest or display any logs from PowerShell. We went into the debug logs, found the command Saviynt was trying to run, and then tried running it manually ourselves from the server. The resulting error identified the problem. If this is truly to be a "Windows PowerShell" connector, I'd expect some feedback beyond the HTTP 500 from IIS. If we run into provisioning errors in the future, we will also have to repeat this process to identify the problem.
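The root cause found in this thread (a proxy address already held by an existing, disabled account) can be checked before a provisioning run. The following is an added example, not part of the original posts or of the Saviynt connector: a PowerShell pre-flight check, run manually on the Win-PS server with the ActiveDirectory module, that looks up the target SMTP address in Active Directory. The function names, the `-ExcludeUpn` and `-Server` parameters, and the sample addresses are assumptions made for illustration.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping, backslash first, so the address cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Find-ProxyAddressConflict {
    param(
        [Parameter(Mandatory)][string]$SmtpAddress,
        [string]$ExcludeUpn,   # hypothetical: UPN of the user being provisioned
        [string]$Server        # optional, e.g. a global catalog "<gc-host>:3268"
    )
    $v = ConvertTo-LdapFilterValue -Value $SmtpAddress
    # proxyAddresses matching is case-insensitive, so this finds SMTP: and smtp: entries.
    $filter = "(|(proxyAddresses=smtp:$v)(mail=$v)(targetAddress=smtp:$v))"

    $query = @{
        LDAPFilter = $filter
        Properties = 'proxyAddresses', 'userAccountControl', 'userPrincipalName'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADObject @query |
        Where-Object { $_.userPrincipalName -ne $ExcludeUpn } |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; null for groups/contacts.
                Disabled          = [bool]($_.userAccountControl -band 2)
            }
        }
}

# Constructed sample values; replace with the address the connector would assign.
$conflicts = Find-ProxyAddressConflict -SmtpAddress 'jane.doe@example.com' `
                                       -ExcludeUpn 'jdoe@example.com'
if ($conflicts) {
    $conflicts | Format-Table -AutoSize
    throw 'Target SMTP address is already assigned to another directory object.'
}
```

Without `-Server`, the lookup covers only the default domain; in a multi-domain forest, point it at a global catalog so objects in other domains are included.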