Error executing PowerShell script via rule in SailPoint IIQ: 'Value cannot be null. Parameter name: s'

victorsantos2 · December 19, 2024, 10:30am

IIQ 8.4

Aux - Invoke Powershell:

  import sailpoint.object.RpcRequest;
  import sailpoint.object.RpcResponse;
  import sailpoint.connector.RPCService;
  import sailpoint.object.Rule;
  import sailpoint.object.Application;
  import org.apache.log4j.Level;
  import org.apache.log4j.Logger;

  Map data = new HashMap();

  Rule rule = context.getObjectByName(Rule.class, "Aux - powershell command" );

  Application ad = context.getObjectByName(Application.class, "Active Directory" ); 

  data.put("Application", ad.getAttributes());
  data.put("postScript", rule); //es postscript por defecto

  RPCService service = new RPCService("10.8.8.8", 5050, false, false); 

  service.setConnectorServices(new sailpoint.connector.DefaultConnectorServices());

  RpcRequest request = new RpcRequest("ScriptExecutor", "runAfterScript", data);
 
  RpcResponse response = service.execute(request);

  return response.toXml();

Hi all,

I’m encountering an issue while trying to execute a PowerShell script using a custom rule in SailPoint IIQ. My goal is to manage the “Out of Office” status for users in Exchange. Here’s the setup and details:

Implementation Details

Rule 1: Aux - PowerShell Command

This rule contains the PowerShell script (.ps1) code that will handle the user status in Exchange.

Rule 2: Aux - Invoke PowerShell

This rule is responsible for invoking the previous rule (Aux - PowerShell Command) and executing it via an RcpRequest on a specified host.

The Issue:

When I execute the second rule (Aux - Invoke PowerShell), I get the following error:

Exception running rule: The application script threw an exception: sailpoint.tools.GeneralException: Errors returned from IQService. Value cannot be null.  
Parameter name: s  
BSF info: Aux-Invoke powershell at line: 0 column: columnNo

What I Have Checked

The PowerShell script works as expected when executed outside SailPoint IIQ.
The RcpRequest host configuration seems correct.
I’ve reviewed both rules to ensure they match the documentation examples, but I cannot pinpoint the issue.

Questions

Has anyone encountered this “Value cannot be null” error before in the context of IQService?
Are there specific configurations or debugging steps I should follow to troubleshoot further?
Could this error be related to how the parameters are being passed between the two rules?

Any guidance or suggestions would be greatly appreciated!

paul_hilchey · December 20, 2024, 4:57am

Your beanshell looks good.

It could be something in your powershell code, or possibly it is not being started with the same environment as when you tested it outside of IIQ.

ryan_toornburg · December 20, 2024, 4:47pm

@victorsantos2 Can you provide a sample of the PS script?

victorsantos2 · December 23, 2024, 12:20pm

Sure Ryan, here is the PS Script:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1732547010259" id="0a00c839938c1ffb8193ac374fec3de8" language="beanshell" modified="1734532647924" name="Aux - powershell command" significantModified="1734532647924">
  <Attributes>
    <Map>
      <entry key="ObjectOrientedScript" value="true"/>
      <entry key="disabled" value="false"/>
      <entry key="extension" value=".ps1"/>
      <entry key="program" value="powershell.exe"/>
      <entry key="timeout" value="1200"/>
    </Map>
  </Attributes>
  <Description>Rule for testing</Description>
  <Source>

  Add-type -path C:\IQService\Utils.dll

Get-Module ExchangeOnlineManagement
 
$Username = "user"
$Password = ConvertTo-SecureString "password" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ($Username, $Password)
 
Connect-ExchangeOnline -Credential $Cred
 
Set-MailboxAutoReplyConfiguration -Identity "[email protected]" -AutoReplyState Enabled -InternalMessage "Out of the office" -ExternalMessage "Out of the office"
  
</Source>
</Rule>

Thank you for your time

victorsantos2 · December 23, 2024, 12:23pm

Hi Paul,

I’m not sure if I understood the second possible reason for the error correctly. Are you referring to whether I tested the script in an environment different from the one it runs on in SailPoint?

Thank you very much for your time. Best regards.

paul_hilchey · December 23, 2024, 9:54pm

Hi Victor,

I was thinking that the IQService may be running as a different user than when you manually ran the script. Depending on how the ExchangeOnlineManagement module is installed, it may not be accessible to all users.

system · February 21, 2025, 9:55pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.