Credentials and ConfigurationNames

This topic contains 2 replies, has 2 voices, and was last updated by Frank Wagner 5 months, 1 week ago.

  • #43940
    Frank Wagner
    Participant

    Hello,

    I first thought that configuration names would be a good option to reuse configurations for different hosts. But I'm really confused about how to handle credentials (secured with certificates) without ConfigurationId.

    For example, the partial configuration sample on https://msdn.microsoft.com/en-us/powershell/dsc/partialconfigs contains credentials.
    But the generated MOF file will be named [ConfigurationName].mof. So if I would like to secure it, I would have to use a certificate with its key on all hosts using it. Not good.

    In the old ConfigurationId mode I have a separate file for each ConfigurationId ([ConfigurationName].[ConfigurationId].mof), so this will work.

    I cannot find any example that uses the new AgentId / ConfigurationName logic with certificate-based encryption – so I currently have the feeling that it is not supported. Or am I missing something?

    Thanks,
    Frank

  • #44701
    Don Jones
    Keymaster

    So... the name of the generated MOF doesn't matter. You can rename the MOF file. But yes, if you're producing a single MOF for many computers, and it contains an encrypted credential, then every computer would need a copy of the certificate capable of decrypting that credential. I don't know that it's "not good;" that depends a bit upon your particular needs and requirements.

    Encrypted credentials are supported in any MOF. It's just every machine using the MOF does need the certificate to decrypt it. That's not a limitation of the ConfigurationName approach per se; it's a limitation on how you're willing to deal with certificates. If you're not okay with multiple machines having one certificate, then obviously it's down to one certificate per machine, which means it's also one MOF per machine. In that case, you _could still use ConfigurationName_, just with each node pulling a unique name. In which case... it's basically no different than the GUIDs, except maybe easier to read the filenames.
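
    The one-certificate-per-node, one-MOF-per-node approach described in the reply above, as an added example that is not part of the original thread and not Microsoft's sample code. It compiles one MOF per node from a single configuration, encrypting the credential with that node's own public key (so no private key is ever shared), then copies each MOF to the pull server under a node-specific ConfigurationName and generates an LCM meta-configuration that pulls only that name. All paths, node names, thumbprints, the pull server URL and the registration key are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: node names, certificate paths,
# thumbprints, pull server URL, registration key and output paths.

# Per-node configuration data: each node gets its own public-key .cer file and thumbprint,
# so the credential in WEB01's MOF can only be decrypted by WEB01's private key.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = 'WEB01'
            CertificateFile             = 'C:\PublicKeys\WEB01.cer'   # placeholder: public key exported from WEB01
            Thumbprint                  = 'THUMBPRINT-OF-WEB01-CERT'  # placeholder
            PSDscAllowPlainTextPassword = $false                      # refuse to compile an unencrypted credential
        },
        @{
            NodeName                    = 'WEB02'
            CertificateFile             = 'C:\PublicKeys\WEB02.cer'   # placeholder
            Thumbprint                  = 'THUMBPRINT-OF-WEB02-CERT'  # placeholder
            PSDscAllowPlainTextPassword = $false
        }
    )
}

# One shared configuration; compiling it against $ConfigData yields WEB01.mof and WEB02.mof.
Configuration WebServer {
    param([Parameter(Mandatory)][PSCredential]$ServiceAccount)
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        User ServiceUser {
            UserName = $ServiceAccount.UserName
            Password = $ServiceAccount   # encrypted with this node's CertificateFile at compile time
            Ensure   = 'Present'
        }
    }
}

$cred = Get-Credential -Message 'Service account to create on each web server'
WebServer -ConfigurationData $ConfigData -ServiceAccount $cred -OutputPath 'C:\DscBuild' | Out-Null

# The pull server serves MOFs by file name, so rename each node's MOF to the ConfigurationName
# that node alone will request. Default pull server configuration path shown; adjust as needed.
$pullShare = 'C:\Program Files\WindowsPowerShell\DscService\Configuration'
foreach ($mof in Get-ChildItem -Path 'C:\DscBuild\*.mof') {
    $node   = $mof.BaseName                                  # e.g. WEB01
    $target = Join-Path $pullShare "WebServer_$node.mof"     # ConfigurationName = WebServer_WEB01
    Copy-Item -Path $mof.FullName -Destination $target -Force
}
New-DscChecksum -Path $pullShare -Force   # pull clients verify the .mof.checksum before applying

# LCM meta-configuration for one node: it pulls only its own ConfigurationName and decrypts
# with the certificate whose private key lives only in that node's LocalMachine\My store.
[DSCLocalConfigurationManager()]
Configuration PullClient {
    param(
        [Parameter(Mandatory)][string]$NodeName,
        [Parameter(Mandatory)][string]$ConfigName,
        [Parameter(Mandatory)][string]$CertThumbprint
    )
    Node $NodeName {
        Settings {
            RefreshMode        = 'Pull'
            CertificateID      = $CertThumbprint   # selects the node's decryption certificate
            RebootNodeIfNeeded = $false
        }
        ConfigurationRepositoryWeb PullServer {
            ServerURL          = 'https://pull.example.com:8080/PSDSCPullServer.svc'  # placeholder
            RegistrationKey    = 'PLACEHOLDER-REGISTRATION-KEY'                       # placeholder
            ConfigurationNames = @($ConfigName)
        }
    }
}

PullClient -NodeName 'WEB01' -ConfigName 'WebServer_WEB01' `
    -CertThumbprint 'THUMBPRINT-OF-WEB01-CERT' -OutputPath 'C:\DscBuild\Meta' | Out-Null
# Then, on WEB01: Set-DscLocalConfigurationManager -Path 'C:\DscBuild\Meta' -ComputerName 'WEB01'
```

    The security-relevant property is that each node's MOF is encrypted to exactly one public key, so a compromised MOF on the pull share or an over-shared certificate never exposes the credential to more than the node it was built for. The cost is the per-node housekeeping the reply describes: a certificate per node and a MOF (and ConfigurationName) per node, which is essentially the ConfigurationId model with readable file names.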

  • #44719
    Frank Wagner
    Participant

    Thank you for making this clear. For my understanding, decryption keys have to be a secret of a single communication partner, so I will not share keys.
    I already have set up a working solution that uses ConfigurationId and partial configurations, where the MOFs for each machine are generated automatically when a new GUID is registered. But I hoped I had missed some feature that makes this easier to handle.

    Thank you,
    Frank
