Adding credentials to "*" causes issues with nodes that don't consume them

This topic contains 1 reply, has 1 voice, and was last updated by Justin King 7 months, 4 weeks ago.

  • #34792
    Justin King
    Participant

    Hopefully the title makes sense, but the short of it: if I add credentials to the "*" node in the configurationdata file, the resulting configuration will fail if a node doesn't have a certificate, even if the resulting MOF doesn't need to encrypt any passwords.

    Better example:

    $MyHosts = @{
        AllNodes = @(
            @{
                NodeName = "randomnode 1"
                Service = 'ActiveDirectory'
                Thumbprint = "12345abcd"
                CertificateFile = "env:nope too lazy"
            },
            @{
                NodeName = "randomnode 2"
                Service = 'FileServer'
            }
        );
    }
    

    So in this case I have two nodes, but only one has certificate information because only the "ActiveDirectory" service will need it to encrypt passwords. So let's make our config ...

    Configuration MasterConfig {
        # Only nodes whose Service is "ActiveDirectory" get the DC composite resource
        Node $AllNodes.Where{$_.Service -eq "ActiveDirectory"}.NodeName {
            My_Composite_Dc_Config DCConfig
            {
                DomainName = "contoso.com"
                DCSafeModeAdministratorCred = $Node.DCSafeModeAdministratorCred
                DCDomainCred = $Node.DCDomainCred
                DCDNSDelegationCred = $Node.DCDNSDelegationCred
            }
        }
    }
    

    Now, what I've been doing, is right before I run my configuration with configurationdata ... I manipulate it rather simply by running a script that adds a "*" entry if it's missing to the hashtable ... which contains all the various creds that could be used.

    My HOPE was that both nodes would compile mofs properly. Only the first needed the passwords so only the first should need thumbprint/cert info. What's happening however is the second node bombs:

    "ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'DomainUserCredential' OF TYPE 'xWaitForADDomain':
    Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, "

    But why is it even trying? "DCConfig" composite resource (which contains the xWaitForADDomain resource) should be skipped? Adding cert info to the second resource _works_ ... and the resulting MOF does NOT contain domaincontroller/password info.

    Why does it seem to fly through every composite resource even if the configurationdata doesn't apply?
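
An added example, not part of the original post: a pre-compile check that merges the "*" entry into each node the way DSC does (node-specific keys win) and reports which nodes end up holding PSCredential values without a `CertificateFile`, which is where MOF compilation stops with the error quoted above if a resource in that node's block is handed one of those credentials. The function name, the certificate path and the credential are constructed for illustration; the node names and credential property names are the ones used in the post.

```powershell
# Added example: hypothetical helper, not the poster's script.
function Get-DscNodeCredentialCoverage {
    param([Parameter(Mandatory)][hashtable]$ConfigurationData)

    $shared = $ConfigurationData.AllNodes |
        Where-Object { $_.NodeName -eq '*' } | Select-Object -First 1

    foreach ($node in ($ConfigurationData.AllNodes | Where-Object { $_.NodeName -ne '*' })) {
        # DSC applies every "*" property to each node; node-specific keys override.
        $effective = @{}
        if ($shared) { foreach ($k in $shared.Keys) { $effective[$k] = $shared[$k] } }
        foreach ($k in $node.Keys) { $effective[$k] = $node[$k] }

        $credKeys = @($effective.Keys |
            Where-Object { $effective[$_] -is [pscredential] } | Sort-Object)
        $hasCert   = [bool]$effective.CertificateFile
        $plainText = [bool]$effective.PSDscAllowPlainTextPassword

        [pscustomobject]@{
            NodeName         = $effective.NodeName
            CredentialKeys   = $credKeys -join ', '
            HasCertificate   = $hasCert
            HasThumbprint    = [bool]$effective.Thumbprint
            PlainTextAllowed = $plainText   # worth flagging on its own
            # True = compile fails if any resource for this node consumes a credential
            FailsIfConsumed  = ($credKeys.Count -gt 0) -and (-not $hasCert) -and (-not $plainText)
        }
    }
}

# Constructed sample data mirroring the post: credentials live only in "*".
$cred = [pscredential]::new('CONTOSO\placeholder',
    (ConvertTo-SecureString 'constructed-sample' -AsPlainText -Force))

$MyHosts = @{
    AllNodes = @(
        @{ NodeName = '*'; DCSafeModeAdministratorCred = $cred; DCDomainCred = $cred },
        @{ NodeName = 'randomnode 1'; Service = 'ActiveDirectory'
           Thumbprint = '12345abcd'; CertificateFile = 'C:\certs\placeholder.cer' },
        @{ NodeName = 'randomnode 2'; Service = 'FileServer' }
    )
}

Get-DscNodeCredentialCoverage -ConfigurationData $MyHosts | Format-Table -AutoSize
```

A node listed with `FailsIfConsumed` only breaks compilation when something in its `Node` block actually receives one of the listed credentials, so the report narrows down where to look rather than proving a fault.
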

    #34793
    Justin King
    Participant

    I don't see a delete option ... but I got the problem solved. Ended up being a completely misdiagnosed issue on my part.
