Connector Rule that triggers Powershell Script residing on IQServer

Would you be able to share the PowerShell script? The error shows that there is likely an error in the PowerShell script.

11/21/2024 15:01:59 : RpcServer [ Thread-8 ] INFO : "Response From Upgrade Service: <?xml version="1.0" encoding="utf-8"?>
false
"

This is what I got

###############################################################################################################################
# SETUP
# Instructions (for each IQService host that could run the script):
#   - Update the path to Utils.dll (can be an unqualified path like "Utils.dll" since script is copied to IQService folder for execution)
#   - Make sure Utils.dll is in the specified folder on each IQService host
#   - Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
#   - Be sure to set the "run as" account for the IQService in Windows Service to the above-specified account instead of just the "logged on" user
#   - Set a proper location for the $logFile variable
#   - Set the $enableDebug flag to $true or $false to toggle debug mode
###############################################################################################################################
param (
   # IQService passes only the request XML; $logFile is set below rather than taken as a
   # mandatory parameter (a second mandatory parameter would fail when the service invokes the script)
   [Parameter(Mandatory=$true)][System.String]$requestString
)
#include SailPoint library
Add-Type -Path "c:\SailPoint\IQService\Utils.dll";
#log file info
$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "c:\SailPoint\IQService\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$enableDebug = $true
###############################################################################################################################
# HELPER FUNCTIONS
###############################################################################################################################
#save logging files to a separate txt file
function LogToFile([String] $info) {
   $info | Out-File $logFile -Append
}
#if we have a non-null account request, get our value; otherwise return nothing
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
   $value = $null;
   if ($request) {
       foreach ($attrib in $request.AttributeRequests) {
           if ($attrib.Name -eq $targetAttribute) {
               $value = $attrib.Value;
               break;
           }
       }
   } else {
       LogToFile("Account request object was null");
   }
   return $value;
}
###############################################################################################################################
# BODY
###############################################################################################################################
if($enableDebug) {
   LogToFile("Script execution started.")
}
LogToFile("Script is running.")
try {
   ##########################
   # Begin SailPoint protected code -- do not modify this code block
   #
       $sReader = New-Object System.IO.StringReader([System.String]$requestString);
       $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
       $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
       #debug line for testing
       if($enableDebug) {
           LogToFile("Request object contents:")
           LogToFile($requestObject | Out-String)
       }
   #
   # End SailPoint protected code
   ##########################

   ##########################
   # Begin Client-provided code
   #get the necessary info we need from the accountRequest object
   #as an example: $nativeIdentity = $requestObject.nativeIdentity
   # Write basic message indicating script ran
   LogToFile("Script completed successfully.")
   #
   # End Client-provided code
}
catch {
   $ErrorMessage = $_.Exception.Message
   LogToFile("Error: Message = $ErrorMessage")
}
if($enableDebug) {
   LogToFile("Exiting script.")
}

I will have a look at this, but before that I just want to confirm a few things.

Have the Utils.dll and log file paths been updated?
Is the Utils.dll file unblocked?

Thanks.

Yes

and Yes

Try this.

###############################################################################################################################
# SETUP
# Instructions (for each IQService host that could run the script):
#   - Update the path to Utils.dll (can be an unqualified path like "Utils.dll" since script is copied to IQService folder for execution)
#   - Make sure Utils.dll is in the specified folder on each IQService host
#   - Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
#   - Be sure to set the "run as" account for the IQService in Windows Service to the above-specified account instead of just the "logged on" user
#   - Set a proper location for the $logFile variable
#   - Set the $enableDebug flag to $true or $false to toggle debug mode
###############################################################################################################################

param (
 [Parameter(Mandatory=$true)][System.String]$requestString
)

#include SailPoint library
Add-Type -Path "C:\SailPoint\IQService\Utils.dll";

#import AD cmdlets
Import-Module activeDirectory

#log file info
$logDate = Get-Date -Format "yyyyMMdd"
$logDateTime = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$logFile = "C:\SailPoint\IQService\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$enableDebug = $true

###############################################################################################################################
# HELPER FUNCTIONS
###############################################################################################################################

#save logging files to a separate txt file
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

#if we have a non-null account request, get our value; otherwise return nothing
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    $value = $null;
    if ($request) {
        foreach ($attrib in $request.AttributeRequests) {
            if ($attrib.Name -eq $targetAttribute) {
                $value = $attrib.Value;
                LogToFile("attrib value = $value")
                break;
            }
        }
    } else {
        LogToFile("Account request object was null");
    }
    return $value;
}




###############################################################################################################################
# BODY
###############################################################################################################################
#LogToFile("Update Group Log Start Time = $logDateTime")
if($enableDebug) {
    LogToFile("Entering beforeScript")
}

try {

    ##########################
    # Begin SailPoint protected code -- do not modify this code block
    #
        $sReader = New-Object System.IO.StringReader([System.String]$requestString);
        $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
        $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);

        #debug line for testing
        if($enableDebug) {
            LogToFile($requestObject | Out-String)
        }
    #
    # End SailPoint protected code
    ##########################

    ##########################
    # Begin Client-provided code
    #
    LogToFile("Script completed successfully.")
    #
    # End Client-provided code
}
catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item Time = $logDateTime")
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if($enableDebug) {
    LogToFile("Exiting beforeScript")
}
# take a fresh timestamp here; $logDateTime was captured at script start
LogToFile("Update Group Log End Time = $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')")

Thanks.


Got new error

This PowerShell script worked for me; I just changed the path of Utils.dll and the log file.

The only things I can think of are the path of Utils.dll, the log file path, and whether the Utils.dll file is unblocked.

Also, have you installed the Active Directory module on the Windows server?

Thanks.

Actually, I removed the AD command, as I am concentrating more on generating the file from the SailPoint provisioning context.

###############################################################################################################################
# SETUP
# Instructions (for each IQService host that could run the script):
#   - Update the path to Utils.dll (can be an unqualified path like "Utils.dll" since script is copied to IQService folder for execution)
#   - Make sure Utils.dll is in the specified folder on each IQService host
#   - Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
#   - Be sure to set the "run as" account for the IQService in Windows Service to the above-specified account instead of just the "logged on" user
#   - Set a proper location for the $logFile variable
#   - Set the $enableDebug flag to $true or $false to toggle debug mode
###############################################################################################################################

param (
 [Parameter(Mandatory=$true)][System.String]$requestString
)

#include SailPoint library
Add-Type -Path "C:\SailPoint\IQService\Utils.dll";



#log file info
$logDate = Get-Date -Format "yyyyMMdd"
$logDateTime = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$logFile = "C:\SailPoint\IQService\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$enableDebug = $true

###############################################################################################################################
# HELPER FUNCTIONS
###############################################################################################################################

#save logging files to a separate txt file
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

#if we have a non-null account request, get our value; otherwise return nothing
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    $value = $null;
    if ($request) {
        foreach ($attrib in $request.AttributeRequests) {
            if ($attrib.Name -eq $targetAttribute) {
                $value = $attrib.Value;
                LogToFile("attrib value = $value")
                break;
            }
        }
    } else {
        LogToFile("Account request object was null");
    }
    return $value;
}




###############################################################################################################################
# BODY
###############################################################################################################################
#LogToFile("Update Group Log Start Time = $logDateTime")
if($enableDebug) {
    LogToFile("Entering afterScript")
}

try {

    ##########################
    # Begin SailPoint protected code -- do not modify this code block
    #
        $sReader = New-Object System.IO.StringReader([System.String]$requestString);
        $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
        $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);

        #debug line for testing
        if($enableDebug) {
            LogToFile($requestObject | Out-String)
        }
    #
    # End SailPoint protected code
    ##########################

    ##########################
    # Begin Client-provided code
    #
    LogToFile("Script completed successfully.")
    #
    # End Client-provided code
}
catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item Time = $logDateTime")
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if($enableDebug) {
    LogToFile("Exiting afterScript")
}
# take a fresh timestamp here; $logDateTime was captured at script start
LogToFile("Update Group Log End Time = $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')")

Could you please let me know if the above worked for you?

FYI, my target AD is not on-prem but Azure cloud (Entra).

If you have just removed the Import-Module ActiveDirectory line from what I shared earlier, then it will work, since you are not calling any AD command in the script.

Thanks.

Can you please share a screenshot showing where Utils.dll has been placed in the IQService folder?

Does your IQService service account have appropriate permissions with AD, and is it an AD domain account?


Currently logged in as an adminuser.

Which account are you using to connect to IQService in the SailPoint connector configuration?

Check the file / folder permissions of the IQService directory / folder, and the log directory / folder. Make sure your service account can access them.

Likely you’ve installed IQService under one account (yourself or some system admin account), and your service account can’t access IQService’s files.

The IQService Windows Service has a "Run As" execution context for the service's process. To my knowledge, it then 'impersonates' with a new execution context that comes in from the provisioning request it receives (which includes the source / application definition, service account username and password). It's this impersonated process' execution context that can't access your IQService folder...I believe.
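A pre-flight check that walks through the items raised in this thread (Utils.dll present and unblocked, Add-Type loading it, the log folder being writable, and which account the IQService Windows service runs as). This is an added example, not code from the thread or from SailPoint; the folder paths are taken from the scripts above, and the service name "IQService" is an assumption to confirm with Get-Service on the host.

```powershell
# Pre-flight check for an IQService PowerShell script host (added example, not from the thread).
# Assumed defaults: the IQService folder, Utils.dll and log folder used in the scripts above,
# and the Windows service name 'IQService' (assumption; confirm with Get-Service).
param (
    [string]$IQServiceDir = "C:\SailPoint\IQService",
    [string]$LogDir       = "C:\SailPoint\IQService\Scripts\Logs",
    [string]$ServiceName  = "IQService"
)

$utilsDll = Join-Path $IQServiceDir "Utils.dll"
$whoAmI   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running checks as: $whoAmI"

# 1. Utils.dll present and not carrying the Mark-of-the-Web (a Zone.Identifier stream means 'blocked')
if (-not (Test-Path $utilsDll)) { Write-Warning "Utils.dll not found at $utilsDll" }
elseif (Get-Item -Path $utilsDll -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Warning "Utils.dll is blocked; run: Unblock-File '$utilsDll'"
} else { Write-Host "Utils.dll present and unblocked" }

# 2. Does the assembly load? (same call the connector scripts make)
try { Add-Type -Path $utilsDll; Write-Host "Add-Type succeeded" }
catch { Write-Warning "Add-Type failed: $($_.Exception.Message)" }

# 3. Can the current identity write to the log folder? (same Out-File pattern as LogToFile)
try {
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir -Force | Out-Null }
    $probe = Join-Path $LogDir "preflight_$(Get-Date -Format yyyyMMdd).log"
    "preflight ok $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') by $whoAmI" | Out-File $probe -Append
    Write-Host "Log folder writable: $LogDir"
} catch { Write-Warning "Cannot write to $LogDir : $($_.Exception.Message)" }

# 4. Which account the IQService Windows service runs as, and who holds rights on the folder
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) { Write-Host "$ServiceName 'Log On As': $($svc.StartName)" }
else { Write-Warning "Service '$ServiceName' not found; check the name with Get-Service" }
(Get-Acl $IQServiceDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it under the account that IQService actually executes the script as (the service's "Log On As" account, or the connector's service account if that is the impersonated context), since the write test only proves anything for the identity it runs under.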

The adminuser I use to log in.

It shows as LOG ON AS Local System account.

Is this "allow" check box the issue? I am thinking this is causing the problem.

Try this. Click on "This account" and enter the account you are using to connect to IQService in the connector configuration. I am using it the same way.

I have tested the PS you provided, it worked fine for me.

It also worked with the config below.