Before Script returned non-zero exit code : 1

Hello,

We are getting this error exception for a connector rule and can’t find a reference to it in the documentation or forums. The rule is supposed to call a fairly straightforward PowerShell script, but it doesn’t look like it is making its way through the IQService. Error, rule, PS script, and log are included below. Any assistance would be greatly appreciated.

Thank you.

Error:

{"exception":{"stacktrace":"sailpoint.tools.GeneralException: Errors returned from IQService. Before Script returned non-zero exit code : 1 : \n\tat sailpoint.connector.RPCService.checkForErrors(RPCService.java:967)\n\tat sailpoint.connector.RPCService.parseResponse(RPCService.java:798)\n\tat sailpoint.connector.RPCService.execute(RPCService.java:531)\n\tat sailpoint.connector.AzureADConnector.callIQService(AzureADConnector.java:10288)\n\tat sailpoint.connector.AzureADConnector.provision(AzureADConnector.java:5986)\n\tat sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:1116)\n\tat com.sailpoint.ccg.cloud.container.Container.provision(Container.java:303)\n\tat com.sailpoint.ccg.cloud.container.ContainerIntegration.provision(ContainerIntegration.java:156)\n\tat com.sailpoint.ccg.handler.ProvisionHandler.invoke(ProvisionHandler.java:190)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage(CcgPipelineMessageHandler.java:42)\n\tat com.sailpoint.pipeline.server.PipelineServer$InboundQueueListener$MessageHandler.run(PipelineServer.java:369)\n\tat java.base\/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)\n\tat java.base\/java.util.concurrent.FutureTask.run(FutureTask.java:264)\n\tat java.base\/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n\tat java.base\/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n\tat java.base\/java.lang.Thread.run(Thread.java:829)\n","exception_class":"sailpoint.tools.GeneralException","exception_message":"Errors returned from IQService. 
Before Script returned non-zero exit code : 1 : "},"stack":"ccg","pod":"stg03-useast1","connector-logging":"148","Operation":"Modify","clusterId":"308","buildNumber":"894","apiUsername":"494e1363-6a67-490d-8e5a-5e352dc4b1c8","orgType":"","file":"RPCService.java","encryption":"1266","messageType":"provision","connector-bundle-identityiq":"197","line_number":554,"@version":1,"CB_version":"458","logger_name":"sailpoint.connector.RPCService","mantis-client":"1266","class":"sailpoint.connector.RPCService","ParentOperation":"ProvisioningOperation","clientId":"788","request_milliseconds":"1916","source_host":"89f91d68e9ab","method":"execute","org":"<name>","level":"ERROR","IdentityIQ":"8.0 Build 8c8b048e0b1-20230412-073948","message":"Exception occurred while executing the RPCRequest: Errors returned from IQService. Before Script returned non-zero exit code : 1 : ","pipeline":"1266","@timestamp":"2023-06-23T17:20:44.625Z","NativeIdentity":"999077508","thread_name":"pool-7-thread-15","metrics":"1266","region":"us-east-1","AppType":"Azure Active Directory","Application":"Azure Active Directory Test [source]","request_id":"b610071c22e94f49bef51d85ee3dd486","CB_Type":"connector-bundle-directories","queue":"<tenentCluster>","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

Rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
 <Rule language="beanshell" name="Test Distro Group Rule" type="ConnectorBeforeModify">
  <Attributes>
   <Map>
    <entry key="ObjectOrientedScript" value="true" />
    <entry key="disabled" value="false" />
    <entry key="extension" value=".ps1" />
    <entry key="program" value="powershell.exe" />
    <entry key="sourceVersion" value="1.0" />
    <entry key="timeout" value="300" />
   </Map>
  </Attributes>
  <Description>
   This is an IQService afterScript - On a successful provisioning event, this after script should be used as the starting point to
            initiate a separate PowerShell script residing on the client's IQService server.

            Configuration tasks include the following:
             - Set a proper location for the $logFile variable.
             - Set the proper script location and name for the $command variable.
             - Set the $enableDebug flag to $true or $false to toggle debug mode.
  </Description>
  <Source>
<![CDATA[

$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "E:\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$command = "E:\Scripts\test.ps1"
$enableDebug = $true

#====================-------Helper functions-------====================
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

#====================-------Get the request object-------====================
Try{
    if($enableDebug) {
        LogToFile("Entering SailPoint rule")
    }

    Add-type -path E:\IQService\Utils.dll;
    $sReader = New-Object System.IO.StringReader([System.String]$env:Request);
    $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
    $requestAsString = $requestObject.nativeIdentity

    if($enableDebug) {
        LogToFile("Request as XML object is: $requestAsString")
    }

    #Call the client script
    $command = -join ($command, " -requestString '$requestAsString'")
    Invoke-Expression $command

}Catch{
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if($enableDebug) {
    LogToFile("Exiting SailPoint rule")
}

]]>
  </Source>
 </Rule>

PS Script:

###############################################################################################################################
# SETUP
# Instructions (for each IQService host that could run the script):
#   - Update the path to Utils.dll (can be an unqualified path like "Utils.dll" since script is copied to IQService folder for execution)
#   - Make sure Utils.dll is in the specified folder on each IQService host
#   - Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
#   - Be sure to set the "run as" account for the IQService in Windows Service to the above-specified account instead of just the "logged on" user
#   - Set a proper location for the $logFile variable
#   - Set the $enableDebug flag to $true or $false to toggle debug mode
###############################################################################################################################

param (
 [Parameter(Mandatory=$true)][System.String]$requestString
)

#include SailPoint library
Add-Type -Path "E:\IQService\Utils.dll";

#log file info
$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "E:\Scripts\Logs\SourceBeforeCreateScript_$logDate.log"
$enableDebug = $true

###############################################################################################################################
# HELPER FUNCTIONS
###############################################################################################################################

#save logging files to a separate txt file
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

#if we have a non-null account request, get our value; otherwise return nothing
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    $value = $null;

    if ($request) {
        foreach ($attrib in $request.AttributeRequests) {
            if ($attrib.Name -eq $targetAttribute) {
                $value = $attrib.Value;
                break;
            }
        }
    } else {
        LogToFile("Account request object was null");
    }
    return $value;
}


###############################################################################################################################
# BODY
###############################################################################################################################
if($enableDebug) {
    LogToFile("Entering beforeScript")
}

try {

    ##########################
    # Begin SailPoint protected code -- do not modify this code block
    #
        $sReader = New-Object System.IO.StringReader([System.String]$requestString);
        $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
        $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);

        #debug line for testing
        if($enableDebug) {
            LogToFile("Request object contents:")
            LogToFile($requestObject | Out-String)
        }
    #
    # End SailPoint protected code
    ##########################


    ##########################
    # Begin Client-provided code

    #get the necessary info we need from the accountRequest object
    #as an example: $nativeIdentity = $requestObject.nativeIdentity

    #do whatever work needs to be done here

    #
    # End Client-provided code
}
catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if($enableDebug) {
    LogToFile("Exiting beforeScript")
}

Log:

06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Listening on TLS Port: [5052]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Connection Read Timeout: [15]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "TraceLevel: [3]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "TraceFile: [logme.txt]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Running As: [LocalSystem]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "CommandLine Arguments"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Argument[0] ==>'-s'"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "ServiceName               : IQService-Instance1
Display Name              : SailPoint IQService-Instance1
Configured TLS Port       : 5052
Connection Read Timeout   : 15
Update Interval           : 30
Build version             : IQService-May-2023
Build timestamp           : 05/26/2023 06:19 AM -0500
Build location            : master
Build builder             : jenkins
Build Number              : 523
Executable                : E:\IQService\IQService.exe
File Size                 : 78056
File Date                 : 6/1/2023 8:56:12 AM
Trace Level               : 3 [ debug ]
Secondary Service         : IQService-Instance1-Secondary
Secondary Service TLS Port: 5053
Secondary Service Status  : RUNNING
UpdateService Status      : NOT CONFIGURED
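
The rule in the post above builds a command string and hands it to Invoke-Expression, so the request value is parsed again as PowerShell. This added example (not part of the original post and not SailPoint code) parses the concatenated string without executing it and then passes the same value through the call operator; the stand-in script and the sample value are constructed.

```powershell
# Added example. A stand-in for E:\Scripts\test.ps1 is written to the temp folder
# so the block runs on any Windows host; the request value below is constructed.
$demoScript = Join-Path $env:TEMP 'demo-client-script.ps1'
@'
param([Parameter(Mandatory=$true)][System.String]$requestString)
"received: $requestString"
'@ | Set-Content -Path $demoScript

$requestAsString = "O'Brien-999077508"   # constructed value containing a single quote

# 1) Pattern used in the rule: splice the value into a command line.
#    Parse it only (no execution) to see what Invoke-Expression would be handed.
$asBuilt = -join ($demoScript, " -requestString '$requestAsString'")
$tokens = $null; $errors = $null
[void][System.Management.Automation.Language.Parser]::ParseInput($asBuilt, [ref]$tokens, [ref]$errors)
"Concatenated command: $asBuilt"
"Parse errors: $($errors.Count)"
$errors | ForEach-Object { "  $($_.Message)" }

# 2) Call operator: the value is bound to -requestString as a single argument
#    and is never parsed as code, whatever characters it contains.
#    (Requires an execution policy that allows running the temp script.)
$result = & $demoScript -requestString $requestAsString
$result

Remove-Item -Path $demoScript
```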

I would suggest checking the following -

  1. Check if your IQService/Utils.dll file is unblocked.

     • Right-click on the Utils.dll file in the IQService folder and click on Properties. If it is blocked you will see a checkbox to Unblock it; check that box and click on Apply.

  2. Sometimes, it is the PowerShell execution policy on the server that blocks the generated scripts from running. You can change the policy and check if that resolves your issue.

  3. Verify your server is not blocking the script execution. Many times we have firewalls, antivirus software, etc. that block PS script executions. Work with your Network team to fix and resolve these.

Your script looks straightforward. Were you able to execute the script with a static value from the PS command line and ensure there are no errors? Also check the permissions on the IQService folder and files. I’ve seen the non-zero exit code many times, and in most cases it’s incorrect code syntax.
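
The checks suggested in the two replies above, collected into one script to run on the IQService host, as an added example (not part of the original replies and not SailPoint code). The paths, the service name prefix and the static value are taken from the post; adjust them per host.

```powershell
# Added example; paths come from the rule and script posted in this thread.
$iqServiceDir = 'E:\IQService'
$utilsDll     = Join-Path $iqServiceDir 'Utils.dll'
$clientScript = 'E:\Scripts\test.ps1'
$logDir       = 'E:\Scripts\Logs'

# 1. Blocked DLL: a Zone.Identifier alternate data stream marks a downloaded file.
if (Get-Item -Path $utilsDll -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    "BLOCKED : $utilsDll (Unblock-File -Path '$utilsDll' clears it)"
} else {
    "OK      : $utilsDll carries no Zone.Identifier stream"
}

# 2. Execution policy at every scope; MachinePolicy and UserPolicy come from Group Policy.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String

# 3. Account the service runs as (the log in the post shows LocalSystem) and
#    the ACLs that account has to satisfy on the folders the scripts touch.
Get-CimInstance Win32_Service -Filter "Name LIKE 'IQService%'" |
    Format-Table Name, StartName, State -AutoSize | Out-String
foreach ($path in $iqServiceDir, (Split-Path $clientScript), $logDir) {
    if (Test-Path $path) {
        "ACL for $path"
        (Get-Acl $path).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
            Out-String
    } else {
        "MISSING : $path"
    }
}

# 4. Syntax: parse the client script without running it.
$tokens = $null; $errors = $null
[void][System.Management.Automation.Language.Parser]::ParseFile($clientScript, [ref]$tokens, [ref]$errors)
"Parse errors in ${clientScript}: $($errors.Count)"
$errors | ForEach-Object { "  line $($_.Extent.StartLineNumber): $($_.Message)" }

# 5. Run the script with a static value in a child powershell.exe (the program
#    named in the rule) and read the process exit code.
powershell.exe -NoProfile -File $clientScript -requestString '999077508'
"Exit code: $LASTEXITCODE"
```

Run interactively, these checks execute under your own account rather than the service account, so a clean result in step 5 does not rule out a permissions problem for the account shown in step 3.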

Thank you for the ideas, Sharvari. The IQService/Utils.dll is unblocked and policy does not appear to be the issue. We are currently investigating for firewall issues.

Thanks Suresh. We are looking into this now.
