MIM 2016: WAL PowerShell Activity: Invalid ExpressionException

  • Question

  • I am trying to use a WAL "Run Powershell Script" workflow activity in MIM 2016.  My workflow fails every time because it doesn't like the value I am putting in the "PowerShell Script User Password" Field.

    The tip on workflow form says:

    Specify the password to be used to construct Powershell Credential object. The expected format is:[base64EncodedEncryptedData] | [app:\appSettings\[key],[LocalMachine|CurrentUser]] | [cert:\[LocalMachine|CurrentUser] \my\[thumbprint],base64EncodedEncryptedData]]

    The FIM log says:

    MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.Exceptions.InvalidExpressionException: The expression *mydata* is invalid.

    The failure is occurring in the base64EncodedEncryptedData portion of the value.  It fails whenever it encounters a '+' character in the value.  The '+' is a valid base64 character, but the WAL evaluator seems to be treating it as an operator.  I have tried enclosing portions of the value and the entire value in every combination of quotes, brackets, and escape characters to force WAL to treat the character properly, but it just won't take.  I am not a coder/developer by training, and I am really struggling to understand how WAL wants this data.

    I could find only 1 other person with an issue like this in a 4 year old thread, and there didn't seem to be a straight answer to it.

    Tuesday, July 21, 2020 3:52 PM

Answers

  • Indeed a regression due to an enhancement in the last build. This is now fixed in the MIMWAL v2.20.0723.0 build. Please try the latest one.
    • Marked as answer by jamesking5 Thursday, July 23, 2020 3:56 PM
    Thursday, July 23, 2020 1:39 PM
    Owner

All replies

  • Are you following the wiki instructions? Did you use EncryptData.ps1 to get base64EncodedEncryptedData value (that would be using the DPAPI function in that script)? Also any particular reason for going against the recommendation of using a self-signed cert to encrypt the data?
    Tuesday, July 21, 2020 9:32 PM
    Owner
  • I did use the EncryptData.ps1 to generate the base64EncodedEncryptedData value, and it was encrypted with a certificate.  I am filling out the password field in the format [cert:\[LocalMachine|CurrentUser] \my\[thumbprint],base64EncodedEncryptedData]].  I have installed the certificate for both the local machine and for the MIM service account, and I have tried both variables when entering the data in the field.  The event log is very clear that it fails when it encounters a '+' character in the base64EncodedEncryptedData portion of the field.
    Wednesday, July 22, 2020 7:26 PM
  • Seems like a regression in the latest build. Let me check. In the meantime, I've marked it as a pre-release.
    Thursday, July 23, 2020 9:58 AM
    Owner
  • Thank you for addressing this.
    Thursday, July 23, 2020 3:57 PM
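
A way to confirm that a password-field value is well-formed before suspecting the expression evaluator, as an added example that is not part of the thread and not MIMWAL code. The function name `Test-WalPasswordValue` is hypothetical, the three accepted forms are read from the form tip quoted in the question (assuming no space before `\my\`), and the thumbprint and encrypted bytes are constructed placeholders.

```powershell
# Added example, not MIMWAL code. Classifies a value by the three forms in the
# workflow form tip and checks that the encrypted-data part is valid base64.
function Test-WalPasswordValue {
    param([Parameter(Mandatory)][string]$Value)

    $result = [ordered]@{ Form = $null; ValidBase64 = $null; ByteCount = $null; OperatorLikeChars = @() }

    # Form: app:\appSettings\[key],[LocalMachine|CurrentUser] (no base64 payload to check)
    if ($Value -match '^app:\\appSettings\\(?<key>[^,]+),(?<scope>LocalMachine|CurrentUser)$') {
        $result.Form = 'appSettings'
        return [pscustomobject]$result
    }

    # Form: cert:\[LocalMachine|CurrentUser]\my\[thumbprint],base64EncodedEncryptedData
    if ($Value -match '^cert:\\(?<store>LocalMachine|CurrentUser)\\my\\(?<thumb>[0-9A-Fa-f]+),(?<data>.+)$') {
        $result.Form = 'cert'
        $data = $Matches['data']
    }
    else {
        # Form: bare base64EncodedEncryptedData
        $result.Form = 'base64-only'
        $data = $Value
    }

    try {
        $bytes = [Convert]::FromBase64String($data)
        $result.ValidBase64 = $true
        $result.ByteCount = $bytes.Length
    }
    catch [System.FormatException] {
        $result.ValidBase64 = $false
    }

    # '+' and '/' are legal base64 characters that also read as arithmetic operators.
    $result.OperatorLikeChars = @([regex]::Matches($data, '[+/]') |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
    return [pscustomobject]$result
}

# Constructed sample: fixed bytes standing in for ciphertext (encodes to '++++//8A'),
# with an all-zero placeholder thumbprint.
$sample = [Convert]::ToBase64String([byte[]](0xFB, 0xEF, 0xBE, 0xFF, 0xFF, 0x00))
Test-WalPasswordValue "cert:\LocalMachine\my\0000000000000000000000000000000000000000,$sample"
```

A value that reports `ValidBase64 = True` with `+` listed under `OperatorLikeChars` is well-formed data, which points at how the field is being evaluated rather than at the encrypted value itself.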