Out-of-box Active Directory orchestration activities that use a credential tag, such as 'Add User to Group', may report Success even when the activity actually fails because no credential exists for the tag used.
When a credential with the credential tag used in the activity is not found, credentials_debug does not return errors in the probe input record. As a result, 'errorMessages' in the raw output of the response received is null. The post processing script of the activity inspects the response received: if 'errorMessages' in the raw output has a value, the activity result is set to 'failure'; otherwise it is set to 'success'.
An access denied message in the MID Server agent log, similar to the one below for 'AddUserToADGroup.ps1', is an indication of the issue.
(473) Worker-Standard:PowershellProbe-bc126a0adb99bf0062b0f72eaf9619a2 SEVERE *** ERROR *** Failed while executing AddUserToADGroup.ps1 (Access denied)
Steps to Reproduce
- Edit 'Add User to Group' orchestration activity
- Add a credential tag in step 'Execution Command'
- Ensure that a credential with that tag does not exist in the credentials table
- Click the Test Inputs button, provide the input values and click OK
- Wait for the activity to run and complete
- Look at the response received (Raw Output) and notice "null" value under "errorMessages", "credentialDebugInfo".
This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.
In the meantime, use the following as a workaround:
- Ensure that there is no typo in the field 'Credential tag' of the orchestration activity
- Ensure that a credential for the credential tag used in the activity exists.
- Modify the post processing script of the activity to add an additional condition that is checked before the activity is set to 'success'.
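One way the additional condition in the last workaround item could look, as an added example that is not ServiceNow's code and not part of the original article. The function name, the flat payload shape, the rule that a resolved credential leaves 'credentialDebugInfo' non-null, and the tag value ad_admin are assumptions; only the field names 'errorMessages' and 'credentialDebugInfo' come from the article.

```javascript
// Added example: fail-closed result check over an activity's raw output.
// Assumption: errorMessages and credentialDebugInfo are top-level fields.
function evaluateActivityResult(rawOutput, credentialTag) {
  var out;
  try {
    out = typeof rawOutput === 'string' ? JSON.parse(rawOutput) : rawOutput;
  } catch (e) {
    return { result: 'failure', reason: 'raw output is not valid JSON' };
  }
  if (out === null || typeof out !== 'object') {
    return { result: 'failure', reason: 'raw output is empty' };
  }

  // Behaviour described in the article: a value in errorMessages means failure.
  var errors = out.errorMessages;
  var hasErrors = Array.isArray(errors)
    ? errors.length > 0
    : errors !== null && errors !== undefined && String(errors).trim() !== '';
  if (hasErrors) {
    return { result: 'failure', reason: 'errorMessages: ' + [].concat(errors).join('; ') };
  }

  // Additional condition (assumption): when a credential tag is configured,
  // a null credentialDebugInfo means no credential was resolved for it,
  // so the activity must not be reported as successful.
  var tag = typeof credentialTag === 'string' ? credentialTag.trim() : '';
  var debug = out.credentialDebugInfo;
  if (tag !== '' && (debug === null || debug === undefined || debug === '')) {
    return { result: 'failure', reason: "no credential resolved for tag '" + tag + "'" };
  }
  return { result: 'success', reason: '' };
}

// Constructed sample payloads (not captured from a real instance).
var missingCredential = '{"errorMessages": null, "credentialDebugInfo": null}';
var resolvedCredential = { errorMessages: null, credentialDebugInfo: 'constructed debug text' };
var explicitError = { errorMessages: 'Access denied', credentialDebugInfo: 'constructed debug text' };
```

In the activity itself, the returned result would be mapped onto whatever mechanism the existing post processing script already uses to set 'success' or 'failure'.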
Related Problem: PRB1342987