I first thought that configuration names would be a good option to reuse configurations for different hosts. But I'm really confused about how to handle credentials (secured with certificates) without ConfigurationId.
For example the partial configuration sample on https://msdn.microsoft.com/en-us/powershell/dsc/partialconfigs contains credentials.
In the old ConfigurationId mode I will have a separate file for each ConfigurationId ([ConfigurationName].[ConfigurationId].mof), so this will work.
I cannot find any example that uses the new AgentId / Configuration Name logic with certificate-based encryption – so I currently have the feeling that it is currently not supported. Or am I missing something?
So... the name of the generated MOF doesn't matter. You can rename the MOF file. But yes, if you're producing a single MOF for many computers, and it contains an encrypted credential, then every computer would need a copy of the certificate capable of decrypting that credential. I don't know that it's "not good;" that depends a bit upon your particular needs and requirements.
Encrypted credentials are supported in any MOF. It's just every machine using the MOF does need the certificate to decrypt it. That's not a limitation of the ConfigurationName approach per se; it's a limitation on how you're willing to deal with certificates. If you're not okay with multiple machines having one certificate, then obviously it's down to one certificate per machine, which means it's also one MOF per machine. In that case, you _could still use ConfigurationName_, just with each node pulling a unique name. In which case... it's basically no different than the GUIDs, except maybe easier to read the filenames.
Thank you for making this clear. As I understand it, decryption keys have to be a secret of a single communication partner, so I will not share keys.
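The one-certificate-per-machine, one-MOF-per-machine layout discussed in this thread, as an added example that is not code from any of the posters. Node names, certificate paths, thumbprint placeholders, the build folder and the `ServiceAccount_<node>` naming scheme are assumptions; the pull server folder shown is the default configuration path and may differ on your server.

```powershell
# Constructed sample data: node names, paths and thumbprints are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'web01'
            CertificateFile = 'C:\DscCerts\web01.cer'      # public key only, exported from web01
            Thumbprint      = '<THUMBPRINT-OF-WEB01-CERT>'
        },
        @{
            NodeName        = 'web02'
            CertificateFile = 'C:\DscCerts\web02.cer'      # public key only, exported from web02
            Thumbprint      = '<THUMBPRINT-OF-WEB02-CERT>'
        }
    )
}

Configuration ServiceAccount {
    param(
        [Parameter(Mandatory)]
        [pscredential] $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # One MOF is compiled per node; the credential in each MOF is encrypted
    # with that node's CertificateFile, so only that node can decrypt it.
    Node $AllNodes.NodeName {
        User SvcAccount {
            UserName = $Credential.UserName
            Password = $Credential
            Ensure   = 'Present'
        }
    }
}

$outDir  = 'C:\DscBuild\ServiceAccount'                                      # hypothetical build folder
$pullDir = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"    # assumed pull server path

ServiceAccount -ConfigurationData $ConfigData -Credential (Get-Credential) -OutputPath $outDir | Out-Null

# Publish each node's MOF under its own configuration name (hypothetical naming scheme).
foreach ($node in $ConfigData.AllNodes) {
    $name = "ServiceAccount_$($node.NodeName)"
    Copy-Item -Path (Join-Path $outDir "$($node.NodeName).mof") `
              -Destination (Join-Path $pullDir "$name.mof") -Force
}

# The pull server needs a checksum file next to every MOF it serves.
New-DscChecksum -Path $pullDir -Force
```

On each node, the LCM meta-configuration then sets `CertificateID` to that node's own thumbprint and `ConfigurationNames` to its unique name, so the private key never leaves the machine it belongs to.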