Custom PowerShell Credential Error

ddrelincourt
Kilo Contributor

I'm trying to run a custom PowerShell activity against a domain controller from the MID Server as part of a requested item workflow. However, each time I run it, I receive credential errors.

The credentials appear to be fine and I can run the commands successfully against the domain controller from the MID Server directly via PowerShell.

I'm setting the scratchpad variables via a script and then running the PowerShell activity.

The PowerShell command is:

find_real_file.png

The ECC error is:

find_real_file.png

The RITM workflow context is:

find_real_file.png

I'm obviously missing something here... Just not sure what it is?

Thanks Terry,



I've added the additional PowerShell variable as suggested. It's shortened the error but not quite resolved it. See below:


find_real_file.png


I've also tested with two different PowerShell approaches. One using the Invoke-Command and the other using import-session. See below:


find_real_file.png


find_real_file.png


Hi Dean,

Please try a simple command such as:

ls

to see if it works.

===

If the simple command does not work, it will be an issue with the credential test.

If the simple command works, you have to try the commands one by one to find out which one has failed.

(Make sure the PowerShell command works on the MID Server host before testing using the orchestration activity.)

===

Please try the above.

Create an incident with technical support if required.

Kind Regards,

Terry


Thanks Terry,



I've validated that the custom PowerShell activity is now working correctly in isolation. There were some issues with variables being passed correctly from the RITM that have now been resolved. When running "test inputs" all works as expected. It's only when I add this activity to a workflow that I get the following error.





Will raise an incident.



Cheers


mev
Tera Contributor

This helped me. Thank you!

William Busby
Tera Guru

I realize this is an older thread but it's still being viewed so here's my input as a long-time Windows Server admin. Microsoft has made vast improvements to the security protocols in every release of the Windows Server platform which, while improving security, has added significant complexity in integration with third-party tools like ServiceNow and even their own 'preferred' remote administration tool, PowerShell.

PowerShell remoting has evolved dramatically from PowerShell 3 through 5 and it's paramount to be familiar with the differences between the NTLM and Kerberos protocols and their implementation. With NTLM you need to be cognizant of the infamous 'double-hop' limitation. Kerberos mitigates this limitation but is difficult enough to implement within a single domain, much less multiple, that most Windows environments don't have it implemented ubiquitously. Here are some helpful resources which explain the issues much better than I could:

https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

https://blogs.msdn.microsoft.com/knowledgecast/2007/01/31/the-double-hop-problem/

Must read this next one!

https://docs.microsoft.com/en-us/powershell/scripting/setup/ps-remoting-second-hop?view=powershell-6

If this reply is helpful or answers your question please mark it so. I'm trying to catch up to Chuck Tomasi sometime in this life span.
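
The double-hop check and the resource-based Kerberos constrained delegation setup that the links above describe, as an added example that is not part of the original thread or any poster's code. The function names, host names and share path are hypothetical; it assumes the ActiveDirectory module, rights to modify the target computer object, and domain controllers running Windows Server 2012 or later.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function names, host names and paths are hypothetical.

function Test-SecondHop {
    # From the first hop, try to read a path that lives on a second server.
    param(
        [Parameter(Mandatory)][string]$FirstHop,
        [Parameter(Mandatory)][string]$RemotePath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Invoke-Command -ComputerName $FirstHop -Credential $Credential -ScriptBlock {
        try {
            Get-ChildItem -Path $using:RemotePath -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Path = $using:RemotePath; Reachable = $true; Error = $null }
        } catch {
            # An access-denied error here, with credentials that work when
            # logged on to the first hop directly, points to the double hop.
            [pscustomobject]@{ Path = $using:RemotePath; Reachable = $false
                               Error = $_.Exception.Message }
        }
    }
}

function Enable-ResourceBasedDelegation {
    # Let $FirstHop delegate the caller's identity to $SecondHop only.
    # The setting is stored on the second hop's own computer object, so no
    # credentials are cached on the first hop (unlike CredSSP).
    param(
        [Parameter(Mandatory)][string]$FirstHop,
        [Parameter(Mandatory)][string]$SecondHop,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $front = Get-ADComputer -Identity $FirstHop
    Set-ADComputer -Identity $SecondHop -PrincipalsAllowedToDelegateToAccount $front

    # Purge the first hop's machine-account ticket cache so the new
    # delegation setting is picked up without waiting for ticket expiry.
    Invoke-Command -ComputerName $FirstHop -Credential $Credential -ScriptBlock {
        klist purge -li 0x3e7
    }
    # Return the resulting delegation list for review.
    Get-ADComputer -Identity $SecondHop -Properties PrincipalsAllowedToDelegateToAccount
}

# Usage (hypothetical names):
#   $cred = Get-Credential
#   Test-SecondHop -FirstHop 'midserver01' -RemotePath '\\fileserver01\share' -Credential $cred
#   Enable-ResourceBasedDelegation -FirstHop 'midserver01' -SecondHop 'fileserver01' -Credential $cred
```

To undo the change, run `Set-ADComputer -Identity <second hop> -PrincipalsAllowedToDelegateToAccount $null`.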