"Decryption failed" between WMF5 DSC host and WMF4 target node


This topic contains 1 reply, has 2 voices, and was last updated by Keymaster 2 years, 2 months ago.

  • Author
    Posts
  • #64675

    Participant
    Topics: 1
    Replies: 0
    Points: 1
    Rank: Member

    Hello,

    I have been working with DSC to automatically deploy and configure Exchange servers. Since our future Exchange environment has to be installed on Windows 2012 R2, I am limited to WMF4 (WMF5 is not supported on Windows 2012 R2 and Exchange 2013/2016 -> the Exchange Management Shell breaks).
    When deploying and configuring Exchange in a pure WMF4 or pure WMF5 environment (DSC host and target nodes have the same version), everything works fine, in either Pull or Push mode.
    Once I start mixing the WMF environments (DSC host = WMF5 & target node = WMF4), the target node can't decrypt the credentials anymore.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocal
    ConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer S099-01-01151 with user sid S-1-5-21-1134438006-2143739420-97094743-500.
    VERBOSE: Executing Get-Action with checksum: DA3803295709FE154A8C80002CBE538E6B09DF5016B29FACD5C2633F2E538579.
    VERBOSE: Executing Get-Action returned result status: GetConfiguration.
    VERBOSE: [S099-01-01152]:                            [] Checksum is different. LCM will execute GetConfiguration.
    VERBOSE: [S099-01-01152]:                            [] Configuration document is pulled from server.
    VERBOSE: [S099-01-01152]:                            [] Applying the configuration document pulled.
    VERBOSE: [S099-01-01152]: LCM:  [ Start  Resource ]  [[xExchWaitForMailboxDatabase]WaitForDB.DAG1DB2]
    VERBOSE: [S099-01-01152]:                            [] Executing Get-Action returned success but didn't return any status.
    Decryption failed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : Windows System Error 87
        + PSComputerName        : s099-01-01152

    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 1.839 seconds

    I configured the certificates according to the guideline: https://msdn.microsoft.com/en-us/powershell/dsc/securemof?f=255&MSPPError=-2147217396

    I know that the way the MOF files are encrypted has been changed with version 5.

    WMF4 MOF file password section:

    instance of MSFT_Credential as $MSFT_Credential1ref
    {
    Password = "nMIIB5gYJKoZIhvcNAQcDoIIB1zCCAdMCAQA......
    

    WMF5 MOF file password section:

    instance of MSFT_Credential as $MSFT_Credential1ref
    {
    Password = "-----BEGIN CMS-----\nMIIB5gYJKoZIhvcNAQcDoIIB1zCCAdMCAQAxggGOMIIBigIBADByMFs
    

    Questions: Can a WMF4 target node decrypt the password in a MOF file generated by a WMF5 host? Is there backward compatibility? If not, what is the recommended way to work around this issue?

  • #64767

    Keymaster
    Topics: 13
    Replies: 4872
    Points: 1,811
    Helping HandTeam Member
    Rank: Community Hero

    Yeah, there were some changes to the way the certificates were handled in v5, including the DocumentEncryption purpose in the certificate itself. I'm not sure there _is_ a workaround for this; a lot of the v5 stuff did, in fact, break backward compat.
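
As an added example (not part of the original posts and not Microsoft's DSC code), the PowerShell function below scans compiled MOF text for `Password` values and reports which of the two layouts shown in the question each one uses, so a MOF compiled on a WMF5 host can be flagged before it reaches a WMF4 node. The function name `Get-MofPasswordFormat`, the account name and the sample MOF text are constructed for illustration.

```powershell
# Added example. Function name and sample MOF text are constructed for illustration.
function Get-MofPasswordFormat {
    param(
        [Parameter(Mandatory)]
        [string]$MofText
    )

    # Header that prefixes the Password value in the WMF5 sample from the post.
    $cmsHeader = '-----BEGIN CMS-----'

    # Password = "<value>";  (MOF strings escape characters with a backslash)
    $pattern = '(?m)^\s*Password\s*=\s*"(?<value>(?:[^"\\]|\\.)*)"\s*;'

    foreach ($m in [regex]::Matches($MofText, $pattern)) {
        $group   = $m.Groups['value']
        $armored = $group.Value.StartsWith($cmsHeader, [System.StringComparison]::Ordinal)

        [pscustomobject]@{
            # 1-based line of the Password value inside the MOF text
            Line       = ($MofText.Substring(0, $group.Index) -split "`n").Count
            Wmf5Layout = $armored
            Preview    = $group.Value.Substring(0, [Math]::Min(24, $group.Value.Length))
        }
    }
}

# Constructed sample: two credential instances, one per layout. The base64
# bodies are placeholders, not real ciphertext.
$sampleMof = @'
instance of MSFT_Credential as $MSFT_Credential1ref
{
 Password = "-----BEGIN CMS-----\nQ09OU1RSVUNURUQ=\n-----END CMS-----";
 UserName = "CONTOSO\\svc-exchange";
};

instance of MSFT_Credential as $MSFT_Credential2ref
{
 Password = "Q09OU1RSVUNURUQ=";
 UserName = "CONTOSO\\svc-exchange";
};
'@

# List the Password values a WMF4 node would receive in the WMF5 layout.
Get-MofPasswordFormat -MofText $sampleMof | Where-Object { $_.Wmf5Layout }
```

To check a real file, pass `(Get-Content -Raw <path to the node's .mof>)` as `-MofText`.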

The topic ‘"Decryption failed" between WMF5 DSC host and WMF4 target node’ is closed to new replies.
