Powershell Using \$cred

brandonwilson
Giga Contributor

‎05-11-2016 08:10 AM

The mid server service runs using a standard user account and I have a credential setup under Orchestration > Credentials for our admin account that will conduct the powershell orchestration.

I have the following Powershell command that removes a user and I know it works since I have tested on the mid server with the same user information stored in the credentials.

Import-Module ActiveDirectory

Remove-ADGroupMember -Identity "Share" -Members "tuser1" -Confirm:$false -credential $cred

Based on the orchestration wiki $cred uses credentials stored on the credentials table. When I run the command in the workflow, it fails and tells me insufficient rights. I am assuming it is using the mid server user not the Windows user setup in credentials. What is $cred referencing and how can run my powershell command using a different user than the mid server.

Labels:
0 Helpfuls
  • 3,534 Views
8 REPLIES 8

chrisp83
Kilo Expert

‎12-08-2016 02:37 PM

Did you get anywhere with this? I'm trying to do the same thing and have the same issue. It seems like no matter what the powershell script runs as the service account which doesn't have enough permissions to perform the operations I'm trying to do. My user in the credentials table also has enough permission however it fails.



Cheers



Chris


0 Helpfuls

dmfranko
Kilo Guru
In response to chrisp83

‎03-27-2017 05:31 PM

Hey Chris,



Wondering if you ever solved this?


0 Helpfuls

mjakobsen
Kilo Contributor
In response to dmfranko

‎05-23-2017 04:37 AM

I also had a lot of problems with the $cred variable being null. Here is a list of things I had to do to make it work.



  • Make sure your MID server "mid.powershell.local_mid_service_credential_fallback" is set to "False"
  • Make sure your MID server has PowerShell cabability enabled
  • If you have more than one MID server and SN isn't trying to run the script on the correct server (you can see which MID is targeted in the ECC queue), add an IP-Range on the midserver (there are documentation for this)
  • Make sure your custom powershell activity have your MID servers IP listed as "Target host". I never got it working using FQDN.
  • Make sure your Credential is created correctly, and that the username/pw is correct. If you have several credentials for the same MID server, and only one is the correct for this purpose, make a credential tag and apply to the activity.


And lastly I had a problem that wasted a whole day troubleshooting for me. We had made some changes to the orchestration workflow, added a subworkflow etc. Suddenly the authentication was failing again. The ECC queue showed that the FQDN for the MID was being used, not the IP for some reason. Turns out fixing the problem required me to remove the activity from the workflow and add it again..



Side note: I have no idea why authentication doesn't work with FQDN but does with IP. My SN DNS has the server record with the correct IP and everything, so that shouldn't be an issue.


0 Helpfuls

abelal
Tera Contributor
In response to mjakobsen

‎02-22-2024 12:33 AM - edited ‎02-22-2024 12:38 AM

This is what I did to get it working for me.

Connection alias host is 127.0.0.1, so runs on the MID server.

 

abelal_0-1708590733855.pngabelal_1-1708590752844.png

 

 

 

try {
    # this fails
    # a temp generated script in %TEMP% (mid service account) for some strange reason strips out -credential $cred
    # assumption is a parser preprocesses script and actively removes any traces
    New-ADGroup -Name $failParam -GroupCategory Security -GroupScope Global -Path "ou=snow,dc=mylab,dc=com" -credential $cred
}
catch {
    write-host "failed to create group because command was stripped of -credential $cred"
}

# $cred is a PSCredential object "magically" injected in by MID server agent
# to work around the parser we regenerate PSCredential object again
$userName = ($cred).username
$decryptedPassword = (New-Object PSCredential 0, $cred.Password).GetNetworkCredential().Password

$encryptedPassword = ConvertTo-SecureString -String $decryptedPassword -AsPlainText -Force
$customCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $encryptedPassword

try {
# despite command being exactly the same in above try statement this succeeds because we're using our custom PSCredential object
    New-ADGroup -Name $someparam -GroupCategory Security -GroupScope Global -Path "ou=snow,dc=mylab,dc=com" -credential $customCredential
} catch {
    Write-Host $_
}

 

 

 

Why does ServiceNow strip out `-credential $cred` from scripts, especially without stating somewhere it does this?

0 Helpfuls