I copied the code directly from here:
Before and After Operations on Source Account Rule | SailPoint Developer Community
configured these variables correctly:
$logFile = "C:\SailPoint\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$command = "C:\SailPoint\Scripts\AfterCreate.ps1"
$enableDebug = $true
and I get this error: "Create operation is successful but post script execution failed : After script returned non zero exit code : 1 : "
I’ve tried the suggestions from this thread, "Before Script returned non-zero exit code : 1" (Identity Security Cloud (ISC) / ISC Discussion and Questions, SailPoint Developer Community), but no luck.
I’ve also tried commenting out this part:
#Call the client script
#$command = -join ($command, " -requestString '$requestAsString'")
#Invoke-Expression $command
and I still get the same error, which kind of suggests to me that there is something wrong with the rule itself.
Any suggestions on what to try next?
Thanks
Phil
jsosa
(Julian Sosa)
June 19, 2024, 10:34pm
2
Hi, I will stay on this thread because I have the same error right now; I posted it yesterday, but without responses yet. In my case, the exit code is 255.
Something I did that may help you: put only the following line in the "script" attribute (JSON-escaped):
dir > "E:\dir.txt"
This works for me: when I modify an account it creates the file correctly. With this test I could confirm that the PS script sent by the connector is executing.
But when I call this line, it returns the same error as yours, with code 255:
"text" | Out-File "E:\log.txt" -Append
Stranger still, this line works if executed at a PowerShell console while logged into the server.
Perhaps with the dir test you can check whether the connector is at least running the script.
MVKR7T
(Krishna Mummadi)
June 19, 2024, 10:50pm
3
Hi @jsosa and @phil_awlings
There can be various reasons for this issue.
IQ Service account permission issues
Log file is in use by other execution which is not available to use for the current execution
Are you using your IQ service account to log into the server?
Thanks
Krish
1 Like
Hi,
1 - IQ service account is a member of domain admins, so permissions should not be a problem
2 - log file isn’t being written to by anything.
This log file (from the rule) isn’t getting written to, even when debug is enabled:
$logFile = "C:\SailPoint\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
Nor is this one from the PS script:
$logFile = "c:\SailPoint\Scripts\Logs\AfterCreateScript_$logDate.log"
MVKR7T
(Krishna Mummadi)
June 20, 2024, 9:37am
5
Any possibility that the IQService account doesn't have permissions to read/write the log file?
I’ve logged into the server as the service account and, using PowerShell:
Permission to create a directory:
Permission to write to a log file:
So it's not a permissions issue for the service account.
Running IQService interactively is usually very beneficial in finding out issues like this as it will show the actual exception message from the script execution. Stop the normal service, open up command prompt and navigate to your IQService install directory, and run:
IQService.exe -d -l 3
Now go ahead and run whatever you need in ISC to cause the script to fire and watch the output in cmd.
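As an added example (not from this thread and not SailPoint's code), the following preflight script collects the checks raised so far into one run. It is meant to be executed in a PowerShell console opened as the IQService service account on the IQService host, before IQService ever fires the rule: it confirms the log directory exists and is writable (Out-File appends to a file but does not create a missing folder, so a missing folder makes LogToFile throw inside the rule), that the client script is where $command points, that Utils.dll loads through Add-Type, that the execution policy does not block .ps1 files, and that the client script returns exit code 0 when invoked the same way the rule invokes it. The paths, the sample request string and the parameter name -requestString are assumptions taken from the template in this thread; adjust them to your install.

```powershell
# Added diagnostic example, not from the thread or from SailPoint.
# Run in a PowerShell console opened as the IQService service account.
# Paths are assumptions: adjust to your install.
$logDir   = "C:\SailPoint\Scripts\Logs"
$command  = "C:\SailPoint\Scripts\AfterCreate.ps1"
$utilsDll = "C:\SailPoint\IQService\Utils.dll"

$problems = @()

# 1. Out-File appends to a file but will not create a missing directory.
if (-not (Test-Path -LiteralPath $logDir -PathType Container)) {
    $problems += "Log directory does not exist: $logDir"
} else {
    try {
        $probe = Join-Path $logDir ("preflight_{0}.tmp" -f [guid]::NewGuid())
        "probe" | Out-File -LiteralPath $probe -Append -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force
    } catch {
        $problems += "Cannot write to $logDir as $env:USERNAME : $($_.Exception.Message)"
    }
}

# 2. The client script the rule invokes must exist where $command points.
if (-not (Test-Path -LiteralPath $command -PathType Leaf)) {
    $problems += "Client script not found: $command"
}

# 3. Utils.dll must load; the rule fails in Add-Type if the path is wrong.
try {
    Add-Type -Path $utilsDll -ErrorAction Stop
} catch {
    $problems += "Add-Type failed for $utilsDll : $($_.Exception.Message)"
}

# 4. Restricted/AllSigned execution policies block unsigned .ps1 files.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -in @('Restricted', 'AllSigned')) {
    $problems += "Execution policy '$policy' may block $command"
}

# 5. Invoke the client script the way the rule does (Invoke-Expression)
#    with a constructed request string, and read the exit code back.
#    IQService reports "non zero exit code" from exactly this value.
if (Test-Path -LiteralPath $command -PathType Leaf) {
    $sampleRequest = '<AccountRequest><Attributes/></AccountRequest>'  # constructed sample
    $invocation = -join ($command, " -requestString '$sampleRequest'")
    $global:LASTEXITCODE = 0
    Invoke-Expression $invocation
    if ($LASTEXITCODE -ne 0) {
        $problems += "$command returned exit code $LASTEXITCODE"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Preflight OK: log dir writable, script present, Utils.dll loads, exit code 0"
} else {
    $problems | ForEach-Object { Write-Host "PROBLEM: $_" }
}
```

If every check passes here but IQService still reports a non-zero exit code, the remaining difference is the rule text itself as stored in ISC, which is what the interactive `IQService.exe -d -l 3` run above lets you observe.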
Same error message as what is in the UI:
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] DEBUG : "Script return code : 1"
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] DEBUG : "EXIT executeScript"
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] DEBUG : "After script returned non zero exit code : 1 : "
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] DEBUG : "EXIT executePostScript"
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] WARN : "Create operation is successful but post script execution failed : After script returned non zero exit code : 1 : "
06/20/2024 10:58:00 : AbstractConnector [ Thread-6 ] DEBUG : "EXIT Provision"
06/20/2024 10:58:00 : RpcHandler [ Thread-6 ] INFO : "OutgoingResponse:
<?xml version="1.0" encoding="utf-8"?>
Create operation is successful but post script execution failed : After script returned non zero exit code : 1 :
From search:
Create operation is successful but post script execution failed : After script returned non zero exit code : 1 :
jesvin90
(Jesvin Joseph)
June 20, 2024, 1:22pm
9
Hi @phil_awlings ,
Let’s go back to the basics.
Have you created the After Modify rule as below and an after-modify PowerShell script on your IQService server?
You need to unescape the JSON and add the rule script (the section under CDATA) to the “script” section.
{
"description": "Executes PowerShell commands on the IQService component after a source account is created.",
"type": "ConnectorAfterCreate",
"signature": {
"input": [],
"output": null
},
"sourceCode": {
"version": "1.0",
"script": "<?xml version='1.0' encoding='UTF-8'?>\r\n<!DOCTYPE Rule PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\r\n\t<Rule language=\"beanshell\" name=\"AD AfterCreate\" type=\"ConnectorAfterCreate\">\r\n\t\t<Attributes>\r\n\t\t\t<Map>\r\n\t\t\t\t<entry key=\"ObjectOrientedScript\" value=\"true\" />\r\n\t\t\t\t<entry key=\"disabled\" value=\"false\" />\r\n\t\t\t\t<entry key=\"extension\" value=\".ps1\" />\r\n\t\t\t\t<entry key=\"program\" value=\"powershell.exe\" />\r\n\t\t\t\t<entry key=\"timeout\" value=\"300\" />\r\n\t\t\t</Map>\r\n\t\t</Attributes>\r\n\t\t<Description>\r\n\t\t\tThis is an IQService afterScript - On a successful provisioning event, this after script should be used as the starting point for \r\n initiating a separate PowerShell script residing on the client's IQService server.\r\n\r\n Configuration tasks include:\r\n - Set a proper location for the $logFile variable\r\n - Set the proper script location and name for the $command variable\r\n - Set the $enableDebug flag to $true or $false to toggle debug mode\r\n\t\t</Description>\r\n\t\t<Source>\r\n<![CDATA[\r\n\r\n$logDate = Get-Date -UFormat \"%Y%m%d\"\r\n$logFile = \"C:\\SailPoint\\Scripts\\Logs\\ConnectorAfterCreate_$logDate.log\"\r\n$command = \"C:\\SailPoint\\Scripts\\AfterCreate.ps1\"\r\n$enableDebug = $true\r\n\r\n#====================-------Helper functions-------====================\r\nfunction LogToFile([String] $info) {\r\n $info | Out-File $logFile -Append\r\n}\r\n\r\n#====================-------Get the request object-------====================\r\nTry{\r\n if($enableDebug) {\r\n LogToFile(\"Entering SailPoint rule\")\r\n }\r\n\t\r\n Add-type -path C:\\SailPoint\\IQService\\Utils.dll;\r\n\t$sReader = New-Object System.IO.StringReader([System.String]$env:Request);\r\n\t$xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));\r\n\t$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);\r\n $requestAsString = $env:Request\r\n\r\n if($enableDebug) {\r\n LogToFile(\"Request as XML object is: $requestAsString\")\r\n }\r\n\r\n #Call the client script\r\n $command = -join ($command, \" -requestString '$requestAsString'\")\r\n Invoke-Expression $command\r\n\r\n}Catch{\r\n\t$ErrorMessage = $_.Exception.Message \r\n \t$ErrorItem = $_.Exception.ItemName\r\n \tLogToFile(\"Error: Item = $ErrorItem -> Message = $ErrorMessage\")\r\n}\r\n\r\nif($enableDebug) {\r\n LogToFile(\"Exiting SailPoint rule\")\r\n}\r\n\r\n]]>\r\n\t\t</Source>\r\n\t</Rule>// source code"
},
"attributes": {
"ObjectOrientedScript": "true",
"extension": ".ps1",
"sourceVersion": "1.0",
"disabled": "false",
"program": "powershell.exe",
"timeout": "300"
},
"id": "c356cb5dc9d24aa9adce31dc0b052201",
"name": "AD AfterCreate",
"created": "2024-06-19T09:00:47.724Z",
"modified": "2024-06-20T10:54:56.486Z"
}
And on the source:
I took the template from here:
Before and After Operations on Source Account Rule | SailPoint Developer Community
And set these path names to match the server:
$logFile = "C:\SailPoint\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$command = "C:\SailPoint\Scripts\AfterCreate.ps1"
$enableDebug = $true
jesvin90
(Jesvin Joseph)
June 20, 2024, 1:36pm
11
Hi @phil_awlings ,
You need to use only the below part after unescaping the JSON.
$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "c:\SailPoint\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$command = "c:\SailPoint\Scripts\SampleSource-AfterCreate.ps1"
$enableDebug = $false

#====================-------Helper functions-------====================
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

#====================-------Get the request object-------====================
Try {
    if ($enableDebug) {
        LogToFile("Entering SailPoint rule")
    }

    Add-Type -Path utils.dll;
    $sReader = New-Object System.IO.StringReader([System.String]$env:Request);
    $xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
    $requestAsString = $env:Request

    if ($enableDebug) {
        LogToFile("Request as XML object is: $requestAsString")
    }

    # Call the client script
    $command = -join ($command, " -requestString '$requestAsString'")
    Invoke-Expression $command
} Catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if ($enableDebug) {
    LogToFile("Exiting SailPoint rule")
}
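As an added example (not from this thread or from SailPoint's documentation), the following helper automates the step described above: it reads a rule XML file like the community template, keeps only the PowerShell between `<![CDATA[` and `]]>`, checks that the text parses as PowerShell, and emits the JSON body for the rule with that text in the "script" field, letting ConvertTo-Json do the escaping. The parse check is the point: when the whole XML document is placed in "script", powershell.exe cannot parse it and exits with code 1, which is exactly what IQService then reports as "After script returned non zero exit code : 1". The input path and rule name are assumptions.

```powershell
# Added helper example, not from the thread or from SailPoint.
# Reads a rule XML file, extracts only the CDATA payload, verifies that it
# parses as PowerShell, and prints the JSON rule body for upload.
# The default path and rule name are assumptions; pass your own.
param(
    [string]$RuleXmlPath = "C:\SailPoint\Rules\AD-AfterCreate.xml",
    [string]$RuleName    = "AD AfterCreate",
    [string]$RuleType    = "ConnectorAfterCreate"
)

$raw = Get-Content -LiteralPath $RuleXmlPath -Raw

# Only the text inside <Source><![CDATA[ ... ]]></Source> belongs in "script".
$match = [regex]::Match($raw, '<!\[CDATA\[(?<body>.*?)\]\]>', 'Singleline')
if (-not $match.Success) {
    throw "No CDATA section found in $RuleXmlPath"
}
$scriptText = $match.Groups['body'].Value.Trim()

# Parse check: a script field holding the entire XML document fails here
# with parse errors, the same failure powershell.exe reports as exit code 1.
$tokens = $null; $errors = $null
[void][System.Management.Automation.Language.Parser]::ParseInput($scriptText, [ref]$tokens, [ref]$errors)
if ($errors.Count -gt 0) {
    $errors | ForEach-Object {
        Write-Warning ("Line {0}: {1}" -f $_.Extent.StartLineNumber, $_.Message)
    }
    throw "Extracted script does not parse as PowerShell; fix it before uploading the rule"
}

# Build the rule body in the shape shown earlier in the thread.
# ConvertTo-Json escapes quotes, backslashes and newlines in the script text,
# so nothing is escaped by hand.
$rule = [ordered]@{
    description = "Executes PowerShell commands on the IQService component after a source account is created."
    type        = $RuleType
    name        = $RuleName
    signature   = [ordered]@{ input = @(); output = $null }
    sourceCode  = [ordered]@{ version = "1.0"; script = $scriptText }
    attributes  = [ordered]@{
        ObjectOrientedScript = "true"
        extension            = ".ps1"
        sourceVersion        = "1.0"
        disabled             = "false"
        program              = "powershell.exe"
        timeout              = "300"
    }
}

$rule | ConvertTo-Json -Depth 5
```

Running the helper against the community template with the XML intact produces a "script" value that starts with `$logDate = Get-Date`, not with `<?xml`; if it throws at the parse check, the file being fed in is not a rule template with a CDATA section of plain PowerShell.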
@jesvin90 Don’t I feel silly now.
Thanks
jesvin90
(Jesvin Joseph)
June 20, 2024, 1:49pm
13
Hi @phil_awlings ,
Not at all. It is poorly documented.
Glad to know it worked for you.
1 Like
system
(system)
Closed
August 19, 2024, 1:50pm
14
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.