Symptoms

When you use the IntegrationHub AD spoke action "ActionAddUserToADgroup", authentication fails with the following errors:
Authentication failure with the user <username>
Failed while executing ActionAddUserToADGroup.ps1 (Access denied)

Release

Madrid

Cause

When the request is sent from Flow Designer, the PowerShell command that is executed sets $isDiscovery to true. This causes the credential to be authenticated against WMI, which fails.

The command executed from Flow Designer looks like this:

Executing command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '10.10.10.10'   -script 'C:\RP-EW2A-MID01\agent\scripts\PowerShell\ADSpoke\ActionAddUserToADGroup.ps1'  -useCred $true -ismid $false -isDiscovery $true -debug $true -logInfo $false -skipTest $false; exit $LASTEXITCODE}"

 

If you send the same request from an Orchestration workflow, $isDiscovery is set to false and authentication succeeds: the authentication against WMI is skipped, so the rest of the script can continue to execute.

The command executed from the workflow looks like this:

Executing command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '10.10.10.10'   -script 'C:\RP-EW2A-MID01\agent\scripts\PowerShell\AD\AddUserToADGroup.ps1' 'use_mid_service_account' $false -useCred $true -ismid $false -isDiscovery $false -debug $true -logInfo $false -skipTest $false; exit $LASTEXITCODE}"

Resolution

  • Turn on MID Server debugging (go to the MID Server configuration parameters and add mid.log.level with the value debug).
  • Reproduce the issue from Flow Designer; you should be able to see the logs below in the MID logs.
05/21/19 14:22:02 (051) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 DEBUG: Executing command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '10.0.10.10'   -script 'C:\RP-EW2A-MID01\agent\scripts\PowerShell\ADSpoke\ActionAddUserToADGroup.ps1'  -useCred $true -ismid $false -isDiscovery $true -debug $true -logInfo $false -skipTest $false; exit $LASTEXITCODE}"

05/21/19 14:22:02 (051) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 DEBUG: With credential: <userName>

05/21/19 14:22:02 (074) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 DEBUG: Thread name is Powershell is executing...

05/21/19 14:22:03 (334) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 DEBUG: The exit value from waitFor() is 1

05/21/19 14:22:04 (975) ECCQueueMonitor.5 DEBUG: Event: CheckSenderReadyEvent

05/21/19 14:22:04 (975) ECCQueueMonitor.5 DEBUG: Monitor query: state=ready^queue=output^agent=mid.server.MIDSERVER_DEV^sys_created_on>=2019-04-20 12:02:33^ORDERBYpriority^ORDERBYsys_created_on

05/21/19 14:22:05 (357) ECCQueueMonitor.5 DEBUG: Event: RGRPerfMetricEvent

05/21/19 14:22:05 (357) ECCQueueMonitor.5 DEBUG: Number of messages added to threadpool queue in current polling cycle: 0

05/21/19 14:22:05 (357) ECCQueueMonitor.5 DEBUG: Changing polling frequency of ECCQueueMonitor to 40 seconds

05/21/19 14:22:05 (465) ECCQueueMonitor.40 DEBUG: Event: CheckSenderReadyEvent

05/21/19 14:22:05 (466) ECCQueueMonitor.40 DEBUG: Monitor query: state=ready^queue=output^agent=mid.server.MIDSERVER_DEV^sys_created_on>=2019-04-20 12:02:33^ORDERBYpriority^ORDERBYsys_created_on

05/21/19 14:22:05 (507) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 DEBUG: Execution status: failed

05/21/19 14:22:05 (508) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 SEVERE *** ERROR *** Authentication failure with the user <UserName>

05/21/19 14:22:05 (508) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 SEVERE *** ERROR *** Failed while executing ActionAddUserToADGroup.ps1 (Access denied)

05/21/19 14:22:05 (510) ECCQueueMonitor.40 DEBUG: Event: RGRPerfMetricEvent

05/21/19 14:22:05 (510) ECCQueueMonitor.40 DEBUG: Number of messages added to threadpool queue in current polling cycle: 0

05/21/19 14:22:05 (512) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 SEVERE *** ERROR *** Authentication failure with the user <UserName>

05/21/19 14:22:05 (519) Worker-Expedited:IPaaSActionProbe-1aab2321db617b00ce01f9c41d961971 2019-05-21 14:22:02 Tried Credential: name=Reference AD Service Account, affinity: yes, status=failed, sysid=430eb90bdbf8bf00ce01f9c41d961975, username=Corp.Reference.Build\svcMidserverUser2, type=Windows, order=100
  • Once you see the above logs and the error, it is most likely because one of the Actions is missing in Flow Designer.
  • At this point, go to the Execution Action of Add user to group.
  • In the execution action, add the variable credType and pass the value AD, which should resolve the issue (see the screenshot below).
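
The log check in the steps above can be scripted. The following is an added example, not ServiceNow code: it pairs each "Executing command" line with a later "Authentication failure" line on the same worker thread and reports the script name and the -isDiscovery value. The function name Find-DiscoveryAuthFailure is hypothetical, and the sample log lines are constructed from the excerpt above.

```powershell
# Added example (not ServiceNow code). Find-DiscoveryAuthFailure is a hypothetical name.
function Find-DiscoveryAuthFailure {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLine)

    # Layout seen in the excerpt: "MM/dd/yy HH:mm:ss (ms) <thread> <message>"
    $linePattern = '^(?<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \(\d+\) (?<thread>\S+) (?<msg>.*)$'
    $cmdPattern  = 'Executing command:.*-script ''(?<script>[^'']+)''.*-isDiscovery \$(?<disc>true|false)'
    $pending = @{}   # thread name -> last command launched on that thread

    foreach ($line in $LogLine) {
        if ($line -notmatch $linePattern) { continue }
        $ts, $thread, $msg = $Matches['ts'], $Matches['thread'], $Matches['msg']

        if ($msg -match $cmdPattern) {
            # Remember which script this thread started and how -isDiscovery was set
            $pending[$thread] = @{
                Script      = ($Matches['script'] -split '\\')[-1]
                IsDiscovery = ($Matches['disc'] -eq 'true')
            }
        }
        elseif ($msg -match 'Authentication failure with the user' -and $pending.ContainsKey($thread)) {
            [pscustomobject]@{
                Time        = $ts
                Thread      = $thread
                Script      = $pending[$thread].Script
                IsDiscovery = $pending[$thread].IsDiscovery
            }
            $pending.Remove($thread)   # the error is logged twice; report it once
        }
    }
}

# Constructed sample lines modelled on the excerpt above (thread ids, paths and IP are made up).
$sample = @'
05/21/19 14:22:02 (051) Worker-Expedited:IPaaSActionProbe-aaaa1111 DEBUG: Executing command: powershell.exe -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '192.0.2.10' -script 'C:\MID\agent\scripts\PowerShell\ADSpoke\ActionAddUserToADGroup.ps1' -useCred $true -ismid $false -isDiscovery $true -debug $true}"
05/21/19 14:22:03 (100) Worker-Standard:ExampleProbe-bbbb2222 DEBUG: Executing command: powershell.exe -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '192.0.2.10' -script 'C:\MID\agent\scripts\PowerShell\AD\AddUserToADGroup.ps1' -useCred $true -ismid $false -isDiscovery $false -debug $true}"
05/21/19 14:22:05 (508) Worker-Expedited:IPaaSActionProbe-aaaa1111 SEVERE *** ERROR *** Authentication failure with the user <UserName>
05/21/19 14:22:05 (512) Worker-Expedited:IPaaSActionProbe-aaaa1111 SEVERE *** ERROR *** Authentication failure with the user <UserName>
'@ -split "`r?`n"

Find-DiscoveryAuthFailure -LogLine $sample | Format-Table -AutoSize
```

A row with IsDiscovery set to True for ActionAddUserToADGroup.ps1 matches the failure described under Cause. To check a real MID Server, pass the output of Get-Content on the agent log instead of $sample.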

 

Additional Information

The same AdduserToADGroup works fine from a workflow without any issue.

Article Information

Last Updated: 2019-06-21 11:48:00
Published: 2019-06-21