"Cannot unprotect message" error in WMF 5.1 when encrypting credentials

This topic contains 3 replies, has 2 voices, and was last updated by Matt McElreath 2 months, 4 weeks ago.

  • #69426
    Matt McElreath
    Participant

    When updating from WMF 4.0 to WMF 5.1, we now get errors in the DSC event log for our configurations that use encrypted credentials in the MOF files. We followed the specs for creating the encryption/decryption certificate from The DSC Book but are still getting the errors. Even though DSC is throwing errors, the resource which uses the encrypted credentials is still successful. For example, we have a configuration which creates application pools and sets the identity to a service account. The application pools get created just fine and work, but every time a consistency check runs, it throws errors. The error we are seeing is as follows:

    Job :
    Message Cannot unprotect message. The input contained no encrypted content. Specify the '-IncludeContext' parameter if you wish to output the original content when no encrypted content is detected.
    HResult -2146233087
    StackTrack at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
    at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
    at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
    at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
    at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
    at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.CMS_DecryptMessage(String thumbprint, String encryptedMessage, IStreamsHandler plugInStreamsHandler, String& outputResult, IntPtr& errorInstanceHandle)

    This is happening on 2008 R2 and 2012 R2 nodes. I also tried following the instructions for creating a self-signed cert from the following article, and the error still persists.

    https://msdn.microsoft.com/en-us/powershell/dsc/securemof

    Has anybody seen this error before or have any idea why we might be seeing it? The certificate looks like it has all the correct properties.

  • #69436
    David Jones
    Participant

    Certificates used in WMF4 do not work for WMF5.
    Do you have an Enterprise CA you can use? I have not had much luck with self-signed certificates.

    • #69465
      Matt McElreath
      Participant

      The original certificate I was using was from our CA using all the recommended settings. That is where we first saw the errors. I only tried the self-signed cert as a last-ditch effort to rule out an issue with the way our CA was issuing the cert.

    • #69466
      Matt McElreath
      Participant

      And we are using a new cert that was created with the new WMF 5 specifications.
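The error in the first post comes from CMS decryption (CMS_DecryptMessage), and the reply above points at WMF 4 versus WMF 5 certificates, so the two things worth checking on a node are whether the certificate meets the WMF 5 requirements from the securemof article linked above and whether a Protect/Unprotect-CmsMessage round trip with that certificate works. The script below is an added PowerShell example, not code from the thread; $Thumbprint is a placeholder for the thumbprint referenced in your MOF, and the key-usage and EKU checks are taken from that article.

```powershell
# Added example: check a LocalMachine\My certificate against the WMF 5 DSC
# credential-encryption requirements, then do a CMS round trip with it.
# $Thumbprint is a placeholder (assumption); run elevated so the machine
# store's private key is readable.
param(
    [string]$Thumbprint = 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$kuExt   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$keyUsage = if ($kuExt) { $kuExt.KeyUsages } else { $kuFlags::None }
$ekuOids  = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

# Requirements listed in the securemof article for DSC credential encryption.
$checks = [ordered]@{
    'Private key present on this node'            = $cert.HasPrivateKey
    'KeyUsage includes KeyEncipherment'           = $keyUsage.HasFlag($kuFlags::KeyEncipherment)
    'KeyUsage includes DataEncipherment'          = $keyUsage.HasFlag($kuFlags::DataEncipherment)
    'KeyUsage excludes DigitalSignature'          = -not $keyUsage.HasFlag($kuFlags::DigitalSignature)
    'EKU includes Document Encryption (1.3.6.1.4.1.311.80.1)' = $ekuOids -contains '1.3.6.1.4.1.311.80.1'
    'Certificate not expired'                     = $cert.NotAfter -gt (Get-Date)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }

# Round trip: a WMF 5 MOF stores the credential as a CMS envelope for this cert.
$plain = 'constructed test string, not a real secret'
$cms   = Protect-CmsMessage -To $cert -Content $plain
if ((Unprotect-CmsMessage -Content $cms) -eq $plain) { 'CMS round trip OK' }

# A non-CMS input reproduces the exact "no encrypted content" message from the
# event log, which is how to tell a MOF whose credential block is not a CMS
# envelope apart from a certificate that is not usable for encryption.
try   { Unprotect-CmsMessage -Content 'not a CMS envelope' -ErrorAction Stop }
catch { "Non-CMS input: $($_.Exception.Message)" }
```

If any check prints False, reissue the certificate with the listed usages and recompile the MOF against the new thumbprint; if all checks pass but the event log still shows the error, compare the credential block in the deployed MOF with the output of Protect-CmsMessage.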
