Adding credentials to "*" causes issues with nodes that don't consume them


  • #34792


    Hopefully the title makes sense, but the short of it: if I add credentials to the "*" node in the configuration data file, the resulting configuration will fail if a node doesn't have a certificate, even if the resulting MOF doesn't need to encrypt any passwords.

    Better example:

    $MyHosts = @{
        AllNodes = @(
            @{
                NodeName = "randomnode 1"
                Service = 'ActiveDirectory'
                Thumbprint = "12345abcd"
                CertificateFile = "env:nope too lazy"
            },
            # This node carries no certificate information
            @{
                NodeName = "randomnode 2"
                Service = 'FileServer'
            }
        )
    }

    So in this case I have two nodes, but only one has certificate information because only the "ActiveDirectory" service will need it to encrypt passwords. So let's make our config ...

    Configuration MasterConfig {
        # Only nodes tagged with the ActiveDirectory service get the DC composite resource
        Node $AllNodes.Where{$_.Service -eq "ActiveDirectory"}.NodeName {
            My_Composite_Dc_Config DCConfig
            {
                DomainName = ""
                DCSafeModeAdministratorCred = $Node.DCSafeModeAdministratorCred
                DCDomainCred = $Node.DCDomainCred
                DCDNSDelegationCred = $Node.DCDNSDelegationCred
            }
        }
    }

    Now, what I've been doing, is right before I run my configuration with configurationdata ... I manipulate it rather simply by running a script that adds a "*" entry if it's missing to the hashtable ... which contains all the various creds that could be used.

    My HOPE was that both nodes would compile mofs properly. Only the first needed the passwords so only the first should need thumbprint/cert info. What's happening however is the second node bombs:

    "ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'DomainUserCredential' OF TYPE 'xWaitForADDomain':
    Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, "

    But why is it even trying? The "DCConfig" composite resource (which contains the xWaitForADDomain resource) should be skipped? Adding cert info to the second resource _works_ ... and the resulting MOF does NOT contain domaincontroller/password info.

    Why does it seem to fly through every composite resource even if the configurationdata doesn't apply?
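
The following is an added example, not code from the thread. It merges a "*" entry into each node the way shared node data is applied (node-specific values override the shared ones) and reports which nodes end up holding PSCredential values without CertificateFile and Thumbprint. The function name `Get-EffectiveNodeData`, the account name, the password and the certificate path are constructed placeholders.

```powershell
# Added example: the function name and all sample values are constructed.
function Get-EffectiveNodeData {
    param([Parameter(Mandatory)][hashtable]$ConfigurationData)

    # Settings under NodeName "*" are shared by every node.
    $shared = $ConfigurationData.AllNodes | Where-Object { $_.NodeName -eq '*' } | Select-Object -First 1
    $nodes  = $ConfigurationData.AllNodes | Where-Object { $_.NodeName -ne '*' }

    foreach ($node in $nodes) {
        # Start from the shared values, then let node-specific values win.
        $effective = @{}
        if ($shared) {
            foreach ($key in $shared.Keys) {
                if ($key -ne 'NodeName') { $effective[$key] = $shared[$key] }
            }
        }
        foreach ($key in $node.Keys) { $effective[$key] = $node[$key] }

        # Names of every setting on this node whose value is a PSCredential.
        $credKeys = @($effective.Keys | Where-Object { $effective[$_] -is [pscredential] } | Sort-Object)
        [pscustomobject]@{
            NodeName       = $effective['NodeName']
            CredentialKeys = $credKeys -join ', '
            HasCertData    = $effective.ContainsKey('CertificateFile') -and $effective.ContainsKey('Thumbprint')
        }
    }
}

# Constructed sample data mirroring the two nodes in the post, plus a "*" entry.
$secret = ConvertTo-SecureString 'constructed-placeholder' -AsPlainText -Force
$cred   = [pscredential]::new('EXAMPLE\placeholder', $secret)
$data = @{
    AllNodes = @(
        @{ NodeName = '*'; DCDomainCred = $cred; DCSafeModeAdministratorCred = $cred },
        @{ NodeName = 'randomnode 1'; Service = 'ActiveDirectory'
           Thumbprint = '12345abcd'; CertificateFile = 'C:\placeholder\node1.cer' },
        @{ NodeName = 'randomnode 2'; Service = 'FileServer' }
    )
}

Get-EffectiveNodeData -ConfigurationData $data | Format-Table -AutoSize
```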

  • #34793


    I don't see a delete option ... but I got the problem solved. Ended up being a completely misdiagnosed issue on my part.
