This topic contains 3 replies, has 2 voices, and was last updated by
April 24, 2017 at 7:57 pm #69426
When updating from WMF 4.0 to WMF 5.1, we now get errors in the DSC event log for our configurations that use encrypted credentials in the MOF files. We followed the specs for creating the encryption/decryption certificate from The DSC Book but are still getting the errors. Even though DSC is throwing errors, the resource which uses the encrypted credentials is still successful. For example, we have a configuration which creates application pools and sets the identity to a service account. The application pools get created just fine and work but every time a consistency check runs, it throws errors. There error we are seeing is as follows:
Message Cannot unprotect message. The input contained no encrypted content. Specify the '-IncludeContext' parameter if you wish to output the original content when no encrypted content is detected.
StackTrack at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.CMS_DecryptMessage(String thumbprint, String encryptedMessage, IStreamsHandler plugInStreamsHandler, String& outputResult, IntPtr& errorInstanceHandle)
This is happening on 2008 R2 and 2012 R2 nodes. I also tried following the instructions for creating a self signed cert from the following article and the error still persists.
Has anybody seen this error before or have any idea why we might be seeing it. The certificate looks like it has all the correct properties.
April 24, 2017 at 11:47 pm #69436ParticipantPoints: 3Rank: Member
Certificates used in WMF4 do not work for WMF5.
Do you have a Enterprise CA you can use? I have not had much luck with self signed certificates.
April 25, 2017 at 1:29 pm #69465
The original certificate I was using was from our CA using all the recommended settings. That is where we first saw the errors. I only tried the self signed cert as a last ditch effort to rule out an issue with the way our CA was issuing the cert.
April 25, 2017 at 1:34 pm #69466
And we are using a new cert that was created with the new WMF 5 specifications.
The topic ‘"Cannot unprotect message" error in WMF 5.1 when encrypting credentials’ is closed to new replies.