new-pssession in Powershell Action Step throws "access denied" error

nbhms · ‎11-29-2023

Trying to run a remote command (just doing this as a test for now, so any command will do) via a Powershell Action step, and getting some odd behavior I'm hoping someone in the support community can help with.

I define connection inline, and use a credential alias I've tested and is known good (more on that below).

If I use the "run on midserver" option, and run this line of code:

$mysession = New-PSSession -computer TESTSERVER2 -credential $cred

The step fails with: "Connecting to remote server TESTSERVER2 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."

However, if I run the same command on the MID server in an interactive PowerShell session, it works fine - so the permissions, PSremoting, etc, are all set up.

Also, if I choose the "Explicit Remoting" option for the PowerShell step rather than the "run on mid server" option, with the same credential alias and TESTSERVER2 as the target, the powershell script runs fine.

Also, if I choose the MID server option, remark out the 'new-pssession' command, and instead return the contents of $cred, local host name, etc, everything checks out (i.e. the credentials are passed, they are correct, etc).

The "remarks" at the top of the inline script show "new-pssession" as an example of how to use the $cred object, and I see other community posts here of people using it, so I know it should work. And as mentioned, I can set up an explicit remote session to the same server with the same credential alias, and do PSRemoting to the same server from the MID server with the same credentials at the MID server console, so all should be working as far as I can tell, but it isn't.

Any input that can be provided is appreciated.

nbhms · ‎11-30-2023

After doing some more messing about, the issue seems to be ServiceNow passes $cred as type "System.Net.NetworkCredential", and the PowerShell New-Pssession needs a credential of type "PSCredential".

Which means I don't think the ServiceNow example given of "New-PSSession -credential $cred" in the help remarks section at the top of the Command window for a new PowerShell step would ever work . . .

Making the first line of the PowerShell script:

$Credential = new-object PSCredential($cred.GetNetworkCredential().username, (ConvertTo-SecureString $cred.GetNetworkCredential().password -AsPlainText -Force))

and then running "New-PSSession -credential $Credential" works without error.

Sahil Khan1 · ‎04-16-2024

Hello nbhms,

How can i set $cred

nbhms · ‎04-16-2024

Create a Windows credential object (and a credential alias for it) in Service Now.

Then in your Custom Powershell step "connection details" section, set "connection" to be "Define connection inline", and set "credential alias" to be the alias of the Windows credential you created.

Then inside your Powershell script, $cred will be whatever is in that credential object defined in Service Now. You don't have to define it in your script, it's a reserved variable that Service Now will create in the runspace of your PowerShell script that your script can reference. As I mention above though, I've found inconsistencies with it being a "System.Net.NetworkCredential" object vs what a lot of PowerShell commands want, which is a "System.Management.Automation.PSCredential" object.

Sahil Khan1 · ‎04-17-2024

could you please guide me how can i create windows credential object.

is it right syntax to create credential object

$cred = New-Object System.Management.Automation.PSCredential()

please reply on
https://www.servicenow.com/community/developer-forum/powershell-action-step-throws-quot-access-denie...