new-pssession in Powershell Action Step throws "access denied" error

nbhms · ‎11-29-2023

Trying to run a remote command (just doing this as a test for now, so any command will do) via a Powershell Action step, and getting some odd behavior I'm hoping someone in the support community can help with.

I define connection inline, and use a credential alias I've tested and is known good (more on that below).

If I use the "run on midserver" option, and run this line of code:

$mysession = New-PSSession -computer TESTSERVER2 -credential $cred

The step fails with: "Connecting to remote server TESTSERVER2 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."

However, if I run the same command on the MID server in an interactive PowerShell session, it works fine - so the permissions, PSremoting, etc, are all set up.

Also, if I choose the "Explicit Remoting" option for the PowerShell step rather than the "run on mid server" option, with the same credential alias and TESTSERVER2 as the target, the powershell script runs fine.

Also, if I choose the MID server option, remark out the 'new-pssession' command, and instead return the contents of $cred, local host name, etc, everything checks out (i.e. the credentials are passed, they are correct, etc).

The "remarks" at the top of the inline script show "new-pssession" as an example of how to use the $cred object, and I see other community posts here of people using it, so I know it should work. And as mentioned, I can set up an explicit remote session to the same server with the same credential alias, and do PSRemoting to the same server from the MID server with the same credentials at the MID server console, so all should be working as far as I can tell, but it isn't.

Any input that can be provided is appreciated.

nbhms · ‎04-23-2024

If you are using the $cred variable in a custom PowerShell Action in Flow Designer, you don't have to define $cred at all. Service Now does that for you based on the credential alias you specify in the Action when you create it. Once you've selected the credential alias from the drop down list when creating the PowerShell action, you can just reference $cred without creating it.

My first two posts of this thread were around the fact that Service Now seems to define the $cred variable as a variable of type "System.Net.NetworkCredential" and some PowerShell commands need a type "System.Management.Automation.PSCredential". My second post explains converting one to the other.

However, the "$cred" variable itself you never need to define in your PowerShell script (this is assuming you are working in Service Now Flow Designer), because it's a reserved variable that Service Now creates for you.

Jeffrey Barton · ‎01-29-2025

@nbhms working in flow designer and picking the credential isn't working. on any custom script we've built it errors out - I'm going to try the method listed by you in this article but I wonder if in the year you've figured out the real solution to this.

nbhms · ‎01-30-2025

The only solution I've found is the one I posted above, and that is to use the following line to create a new variable for use in "new-pssession"

$Credential = new-object PSCredential($cred.GetNetworkCredential().username, (ConvertTo-SecureString $cred.GetNetworkCredential().password -AsPlainText -Force))

The $cred variable works for just about anything else I want to do on the MID server in Powershell, it just doesn't work with new-pssession unless I run it through that conversion and then use the $credential variable I created.