"Decryption failed" between WMF5 DSC host and WMF4 target node

This topic contains 1 reply, has 2 voices, and was last updated by  Don Jones 7 months ago.

  • Author
  • #64675

    Markus Halbedel


    I`have been working with DSC to automatically deploy and configure Exchange servers. Since our future Exchange environment has to be installed on Windows 2012 R2 I am limited to WMF4 (WMF5 is not supported on Windows 2012 R2 and Exchange 2013/2016 -> the Exchange management Shell breaks)
    Deploying and configuring Exchange in a pure WMF4 or pure WMF5 (DSC host and target nodes have the same version) everything is working fine, either in Pull or Push mode.
    Once I start mixing the WMF enviornments (DSC host = WMF5 & target node = WMF4), the target node can´t decrypt the credentials anymore.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocal
    ConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer S099-01-01151 with user sid S-1-5-21-1134438006-2143739420-97094743-500.
    VERBOSE: Executing Get-Action with checksum: DA3803295709FE154A8C80002CBE538E6B09DF5016B29FACD5C2633F2E538579.
    VERBOSE: Executing Get-Action returned result status: GetConfiguration.
    VERBOSE: [S099-01-01152]:                            [] Checksum is different. LCM will execute GetConfiguration.
    VERBOSE: [S099-01-01152]:                            [] Configuration document is pulled from server.
    VERBOSE: [S099-01-01152]:                            [] Applying the configuration document pulled.
    VERBOSE: [S099-01-01152]: LCM:  [ Start  Resource ]  [[xExchWaitForMailboxDatabase]WaitForDB.DAG1DB2]
    VERBOSE: [S099-01-01152]:                            [] Executing Get-Action returned success but didn't return any status.
    Decryption failed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : Windows System Error 87
        + PSComputerName        : s099-01-01152

    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 1.839 seconds

    I configured the certificates according the guidleine: https://msdn.microsoft.com/en-us/powershell/dsc/securemof?f=255&MSPPError=-2147217396

    I know that the way the mof files are encypted has been chaned with version 5.

    WMF4 MOF file password section:

    instance of MSFT_Credential as $MSFT_Credential1ref
    Password = "nMIIB5gYJKoZIhvcNAQcDoIIB1zCCAdMCAQA......

    WMF5 MOF file password section:

    instance of MSFT_Credential as $MSFT_Credential1ref
    Password = "-----BEGIN CMS-----\nMIIB5gYJKoZIhvcNAQcDoIIB1zCCAdMCAQAxggGOMIIBigIBADByMFs

    Questions: Can a WMF4 target node decrypt the password in a MOF file generated by a WMF5 host? Is there a backward compatibility? If not, what is the recommended way to workaround this issue?

  • #64767

    Don Jones

    Yeah, there were some changes to the way the certificates were handled in v5, including the DocumentEncryption purpose in the certificate itself. I'm not sure there _is_ a workaround for this; a lot of the v5 stuff did, in fact, break backward compat.

You must be logged in to reply to this topic.