PowerShell Script Execution in Workflows does not execute AD commands present in the PS script

I am trying to utilize the new PowerShell Script Execution capability in Workflows ( New Capability: PowerShell Script Execution in Workflows ) to execute a script which internally connects to AD using PowerShell AD commands (New-ADUser, Get-ADUser).

The script executes as expected when run from the PowerShell console within the Windows server. But through the workflow, even though the script is triggered, the AD commands in the script are not executed and the script throws the exception below.

“Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.”

Has anyone else been able to utilize the PowerShell script execution feature to execute scripts containing AD commands?

Did you verify the Active Directory PowerShell module is installed on the server running the script? The AD cmdlets will not work otherwise. If not, you may have to install RSAT or ADDS on that server. I would remote into the server and try some basic cmdlets (Get-ADUser or something like that) and see if it works.

I suggest having a look at the comments here, as some people mentioned that some ports may need to be opened, or that it is limited to static variables, etc.: New Capability: PowerShell Script Execution in Workflows - Announcements / Product News - SailPoint Developer Community

Hi Vincent, ADDS is installed on the server and the script runs fine when it is triggered on the server using PowerShell ISE. Only when triggered from the IDN workflow do the AD commands in the script fail.

Hi Adrien, the ports mentioned are open. Moreover, the PowerShell script is triggered from the workflow; only the AD commands (Get-ADUser etc.) present in the script are failing.

Hi @SoumyaVaramballi ,

Were you able to resolve this issue? I see the same error

Hi Soumya,

I am successfully able to execute the script using Workflow. Could you please post the script and let us know what you are doing in it and at what point you see the error?

Hi Rakesh,

It's a simple script where we are trying to get user details from Active Directory using the Get-ADUser command. The script runs until the Get-ADUser command, then fails with the error below.

“Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.”

Also, the script executes fine when it is triggered from PowerShell ISE within the server, but fails only when triggered from the workflow, exactly at the Get-ADUser command.

Sample script:

param (
    [string]$name

try {
    # Define user properties
    $scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
    $logFile = Join-Path $scriptDir 'Test.log'

    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $logEntry = "$timestamp - Script execution started with arguments name $name"
    Add-Content -Path $logFile -Value $logEntry

    ### Script fails at the step below when triggered from workflow ###
    $testUserdetails = Get-ADUser -Identity $name

    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $logEntry = "$timestamp - User details retrieved for $name"
    Add-Content -Path $logFile -Value $logEntry

    # Return response
    $response = @{
        Status  = "Success"
        Message = $testUserdetails.DistinguishedName
    }
}
catch {
    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $logEntry = "$timestamp - Get-ADUser Failed for $name"
    Add-Content -Path $logFile -Value $logEntry
    $response = @{
        Status  = "Error"
        Message = $_.Exception.Message
    }
}

# Output the response
$response | ConvertTo-Json -Depth 3

Not yet, Priya. Still unable to execute any AD commands.

@SoumyaVaramballi try switching the "Authentication Type" from NTLM to Kerberos and specify your DC server name and domain name in the Kerberos details.

Hi @SoumyaSoumya,

I am sorry for replying late. I did configure your script on my machine and it is working fine without any issues.

Please find the attached workflow for more details, which you can try to test, and let us know if it still gives you any error.

Also, in your script you are missing the closing ) bracket for the block below:
param (
[string]$name

Please let us know if you are still facing issues.

PowershellScriptExecution20251112.json (2.4 KB)

Workflow Input:
{
  "identity": {
    "id": "ee769173319b41d19ccec6cea52f237b",
    "name": "john.doe",
    "type": "IDENTITY"
  },
  "changes": [
    {
      "attribute": "department",
      "oldValue": "sales",
      "newValue": "marketing"
    },
    {
      "attribute": "manager",
      "oldValue": {
        "id": "ee769173319b41d19ccec6c235423237b",
        "name": "william.wilson",
        "type": "IDENTITY"
      },
      "newValue": {
        "id": "ee769173319b41d19ccec6c235423236c",
        "name": "ed.engineer",
        "type": "IDENTITY"
      }
    },
    {
      "attribute": "email",
      "oldValue": "john.doe@hotmail.com",
      "newValue": "john.doe@gmail.com"
    }
  ]
}

Workflow Output:
[
  {
    "type": "WorkflowExecutionStarted",
    "timestamp": "2025-11-12T07:27:51.717049139Z",
    "attributes": {
      "input": {
        "changes": [
          {
            "attribute": "department",
            "newValue": "marketing",
            "oldValue": "sales"
          },
          {
            "attribute": "manager",
            "newValue": {
              "id": "ee769173319b41d19ccec6c235423236c",
              "name": "ed.engineer",
              "type": "IDENTITY"
            },
            "oldValue": {
              "id": "ee769173319b41d19ccec6c235423237b",
              "name": "william.wilson",
              "type": "IDENTITY"
            }
          },
          {
            "attribute": "email",
            "newValue": "john.doe@gmail.com",
            "oldValue": "john.doe@hotmail.com"
          }
        ],
        "identity": {
          "id": "ee769173319b41d19ccec6cea52f237b",
          "name": "john.doe",
          "type": "IDENTITY"
        }
      }
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-11-12T07:27:51.765562541Z",
    "attributes": {
      "displayName": "Windows Server",
      "input": {
        "inputForPag_address": "192.168.56.108",
        "inputForPag_auth_password": "",
        "inputForPag_auth_type": "ntlm",
        "inputForPag_auth_username": "",
        "inputForPag_command_timeout_seconds": 30,
        "inputForPag_configuration_name": "Microsoft.PowerShell",
        "inputForPag_kdc_address": "",
        "inputForPag_kdc_port": 88,
        "inputForPag_kdc_protocol": "tcp",
        "inputForPag_kdc_realm": "",
        "inputForPag_output_format": "json",
        "inputForPag_script_arguments": {
          "name": "CN=Cheryl Cruz,OU=Munich,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
        },
        "inputForPag_script_path": "C:\\SailPoint\\getPerms.ps1",
        "inputForPag_use_ssl": false,
        "inputForPag_verify_cert": false,
        "pagCommandType": "pag:windows_server:execute_powershell_script",
        "pagInstanceId": "c04af2a0-f64b-4d7e-9210-5c0a4ebcac66",
        "pagSpecId": "7e479f41-e367-4e20-85c8-9e2936aa4658",
        "param_connType": "paramInline",
        "param_credential": {
          "mapping": {
            "auth_password": "password",
            "auth_username": "username"
          },
          "paramID": "73a26c18-bf25-4886-9bd4-a77f072f1692",
          "paramType": "1.1",
          "refID": "5111efbe-2355-4771-b350-9dca0a97479e"
        },
        "param_credentialType": "paramSPS",
        "param_kerberos": {
          "mapping": {
            "kdc_address": "kdcAddress",
            "kdc_port": "port",
            "kdc_protocol": "transport",
            "kdc_realm": "realm"
          },
          "paramID": "",
          "paramType": "2.5"
        },
        "param_kerberosType": "paramInline"
      },
      "stepName": "windowsServer",
      "task": "sp:pag-windows-server",
      "technicalName": "Windows Server"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-11-12T07:27:51.776366042Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Windows Server",
      "stepName": "windowsServer",
      "task": "sp:pag-windows-server",
      "technicalName": "Windows Server"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-11-12T07:27:58.519975771Z",
    "attributes": {
      "displayName": "Windows Server",
      "result": {
        "count": 1,
        "data": {
          "Message": "CN=Cheryl Cruz,OU=Munich,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
          "Status": "Success"
        },
        "encrypted": false
      },
      "stepName": "windowsServer",
      "task": "sp:pag-windows-server",
      "technicalName": "Windows Server"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-11-12T07:27:58.578449483Z",
    "attributes": {
      "displayName": "End Step - Success",
      "input": {},
      "stepName": "End Step - Success",
      "task": "sp:internal:operator",
      "technicalName": "End Step - Success"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-11-12T07:27:58.590237793Z",
    "attributes": {
      "attempts": 1,
      "displayName": "End Step - Success",
      "stepName": "End Step - Success",
      "task": "sp:internal:operator",
      "technicalName": "End Step - Success"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-11-12T07:27:58.603463719Z",
    "attributes": {
      "displayName": "End Step - Success",
      "result": {},
      "stepName": "End Step - Success",
      "task": "sp:internal:operator",
      "technicalName": "End Step - Success"
    }
  },
  {
    "type": "WorkflowExecutionCompleted",
    "timestamp": "2025-11-12T07:27:58.627207023Z",
    "attributes": {
      "result": {
        "ffb5ffc5-9230-4f22-ba28-11656b861d78": "019a76f6-b7a5-70bc-b735-b84258694191",
        "trigger": {
          "changes": [
            {
              "attribute": "department",
              "newValue": "marketing",
              "oldValue": "sales"
            },
            {
              "attribute": "manager",
              "newValue": {
                "id": "ee769173319b41d19ccec6c235423236c",
                "name": "ed.engineer",
                "type": "IDENTITY"
              },
              "oldValue": {
                "id": "ee769173319b41d19ccec6c235423237b",
                "name": "william.wilson",
                "type": "IDENTITY"
              }
            },
            {
              "attribute": "email",
              "newValue": "john.doe@gmail.com",
              "oldValue": "john.doe@hotmail.com"
            }
          ],
          "identity": {
            "id": "ee769173319b41d19ccec6cea52f237b",
            "name": "john.doe",
            "type": "IDENTITY"
          }
        },
        "windowsServer": {
          "error": null,
          "result": {
            "count": 1,
            "data": {
              "Message": "CN=Cheryl Cruz,OU=Munich,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
              "Status": "Success"
            },
            "encrypted": false
          },
          "warnings": null
        }
      }
    }
  }
]

Thanks Rakesh.

Tried something similar. I get the error below and am unable to reach the Windows server:

[ConnectorError] handleKerberosAuthentication: write krb5 ccache: obtain tgt: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database

Should we set the auth_user as the SPN in the KDC?

Regards,

Soumya

Hi @SoumyaVaramballi ,

Did you manage to resolve this issue? I've managed to authenticate using Kerberos. This discussion has some info on this topic; my issue was that the username contained the AD domain.

I did run into another issue: executing PowerShell commands doesn't work unless the credentials of the authenticated user are passed in the AD command (e.g. Get-ADUser -Identity $user -Credential $cred).

Does anybody have some idea what additional configuration is required to achieve this without passing the credentials in the script?
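An added diagnostic script, not from this thread or from SailPoint, that can be run through the same Workflow step in place of the user lookup: it records whether the WinRM session arrived with Kerberos or NTLM, whether a domain controller offering Active Directory Web Services (TCP 9389) is reachable from the server, and only then attempts Get-ADUser, so the JSON result shows which of the three is failing. Names such as the "name" argument, the discovered DC and the report keys are assumptions; with an NTLM session the host has no Kerberos ticket to present on the second hop to the DC, which matches the "Unable to contact the server" symptom even when port 9389 is open.

```powershell
# Added diagnostic (not the thread's script). Run via the Workflow's
# PowerShell step with the same "name" argument (an assumption).
param (
    [string]$name
)

$report = [ordered]@{}

# 1. Identity and authentication protocol of this WinRM session.
#    "NTLM" here means the session cannot forward credentials to a DC
#    (the classic second-hop limitation); "Kerberos" means it can, if
#    delegation is permitted.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$report.User     = $me.Name
$report.AuthType = $me.AuthenticationType   # "Kerberos" or "NTLM"

# 2. Is a DC running Active Directory Web Services reachable on TCP 9389?
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $dc = (Get-ADDomainController -Discover -Service ADWS -ErrorAction Stop).HostName[0]
    $report.DiscoveredDC = $dc
    $report.AdwsPortOpen = (Test-NetConnection -ComputerName $dc -Port 9389 `
                               -WarningAction SilentlyContinue).TcpTestSucceeded
} catch {
    # Module missing (no RSAT/ADDS) or DC discovery itself failed.
    $report.DiscoveryError = $_.Exception.Message
}

# 3. The lookup, pinned to the discovered DC when one was found so the
#    failure is attributable to authentication rather than DC locator.
$lookup = @{ Identity = $name; ErrorAction = 'Stop' }
if ($report.Contains('DiscoveredDC')) { $lookup.Server = $report.DiscoveredDC }
try {
    $user = Get-ADUser @lookup
    $report.Status  = 'Success'
    $report.Message = $user.DistinguishedName
} catch {
    $report.Status  = 'Error'
    $report.Message = $_.Exception.Message
}

# Emit the whole report as JSON, the format the Workflow step expects.
$report | ConvertTo-Json -Depth 3
```

If AuthType is NTLM and AdwsPortOpen is true but Status is Error, the server can reach the DC and the failure is the missing second-hop credential, which is what switching the step to Kerberos (as suggested above) or an explicit -Credential addresses.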