March 30, 2017 at 7:59 pm

Hi Everyone,

I have successfully encrypted my first set of credentials within a DSC configuration using a certificate. I needed to encrypt the credentials for a service account running an App Pool. But I have 12 different App Pools running on a single machine in one environment. Multiply this by 4 (or more) and now I have 48 credentials that I must encrypt.

What are your recommendations on encrypting multiple Credentials in one DSC configuration? Can you provide an example?

xWebAppPool Example
{
    Name         = "ExampleAppPool"
    State        = "Started"
    IdentityType = "SpecificUser"
    Credential   = $ExampleCredential
}

March 31, 2017 at 12:36 pm

You'd do it the same way you did the first one ;). Any PSCredential object will be encrypted during MOF creation, provided you have a certificate set up, which you do. You only need the one certificate to actually DO the encryption, so this shouldn't be any more difficult than doing one credential.

April 3, 2017 at 3:49 pm

Hi Don,

I understand. I forgot to mention one critical piece of information here. Sorry about that. I am trying to pass the PSCredentials to the DSC configuration, but they are either coming up empty or it still prompts me for a password.

However, this approach seems odd to me because I would have 30-50+ user accounts/passwords to pass through depending on the environment, because our Application Pools run under specific domain user accounts. I would think there is an easier way. Any suggestions?

$configData = @{
    # AllNodes is an array of per-node hashtables, and the key DSC looks for is NodeName.
    AllNodes = @(
        @{
            NodeName        = "TestMachine.rb.local"
            CertificateFile = "C:\PublicKeys\TestMachine.cer"
            Thumbprint      = "309r80w93809384089jhhehe3h3k3h3k"
        }
    )
}

Configuration TestExample
{
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $ExampleCred1,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $ExampleCred2
    )

    Node "TestMachine.rb.local"
    {
        # Resource names must be unique within a node, so the two File resources
        # cannot both be called "Example".
        File Example1
        {
            DestinationPath = "C:\somePath"
            SourcePath      = "C:\NewPath"
            Credential      = $ExampleCred1
        }

        File Example2
        {
            DestinationPath = "C:\somePath"
            SourcePath      = "C:\NewPath"
            Credential      = $ExampleCred2
        }
    }
}

$user1 = "domain\user"
$pass1 = ConvertTo-SecureString "password1" -AsPlainText -Force
$Credential1 = New-Object System.Management.Automation.PSCredential($user1, $pass1)

$user2 = "domain\user"
$pass2 = ConvertTo-SecureString "password2" -AsPlainText -Force
$Credential2 = New-Object System.Management.Automation.PSCredential($user2, $pass2)

# Note the quoting on this call: "$Credential1" turns the object into its type name
# as a string, and "Credential2" is a literal string, so each [PSCredential]
# parameter receives a [string]; PowerShell then treats that string as a user name
# and prompts for a password instead of using the objects built above.
TestExample -ExampleCred1 "$Credential1" -ExampleCred2 "Credential2" -OutputPath "C:\Temp" -ConfigurationData $configData

April 3, 2017 at 4:21 pm

Hi again Don,

So I finally got it to work. However, I still think there is a better way to pass in domain creds than to secure each cred into a variable and pass it in. Anyhow, the reason why I was getting blank credentials was because when I was executing the DSC configuration to create the .mof it was not detecting my parameters. It wasn't until I moved the Import-DSCResource line from above the param statement to below the param statement. That seems strange to me. I provided my code below.

Still, instead of me writing out each service account user/pass and passing them in, do you know of a better approach?

Full DSC Configuration:

$configData = @{
    AllNodes = @(
        @{
            NodeName             = "TestMachine.rb.local"
            CertificateFile      = "C:\PublicKeys\TestMachine.cer"
            Thumbprint           = "aidjf;adijf;alsdkjf;aidhf;asih"  ## Intentionally overwritten
            PSDscAllowDomainUser = $true
        }

        @{
            NodeName = "*"
        }
    )
}

Configuration TestExample
{
    ## Original location of the Import-DscResource line, now commented out: param
    ## must be the first statement in the configuration body, so anything placed
    ## before it stops the parameters from being recognised.
    # Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $ExampleCred1,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $ExampleCred2
    )
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $AllNodes.NodeName
    {
        File Example1
        {
            DestinationPath = "C:\Path1"
            SourcePath      = "C:\NewPath"
            Credential      = $ExampleCred1
        }

        File Example2
        {
            DestinationPath = "C:\Path2"
            SourcePath      = "C:\NewPath"
            Credential      = $ExampleCred2
        }
    }
}

$user1 = "domain\user"
$pass1 = ConvertTo-SecureString "password1" -AsPlainText -Force
$Credential1 = New-Object System.Management.Automation.PSCredential($user1, $pass1)

$user2 = "domain\user"
$pass2 = ConvertTo-SecureString "password2" -AsPlainText -Force
$Credential2 = New-Object System.Management.Automation.PSCredential($user2, $pass2)

# The PSCredential objects are passed as objects this time, not as quoted strings.
TestExample -ExampleCred1 $Credential1 -ExampleCred2 $Credential2 -OutputPath "C:\Temp" -ConfigurationData $configData

April 3, 2017 at 4:23 pm

No, that's the only way without getting into a third-party key vault. That's what you're wanting; it just ain't built into Windows.
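Pulling the thread together, here is an added example (editor's code, not from any of the posts above) of how the single-certificate approach Don describes scales to a dozen app pools per node: the pools and their service accounts are plain data in the configuration data, one PSCredential is collected per distinct account rather than one parameter per pool, the configuration loops over the pools, and the compiled MOF is checked afterwards for any password that survived in the clear. Everything named here is an assumption rather than something the thread states: the node Web01.rb.local, the pool and account names, the certificate path and the thumbprint placeholder, and the xWebAppPool resource from the xWebAdministration module that the first post's snippet uses. Two caveats a practitioner will want: the target's LCM must hold the matching private key and have that thumbprint set as its CertificateID, or it cannot decrypt the MOF; and only the Password property of each credential is encrypted, the UserName is stored in plaintext in the MOF.

```powershell
# Added example, not code from the original thread. Assumptions: the target node's
# public certificate is exported to C:\PublicKeys\Web01.cer and its thumbprint is
# placed in $thumbprint; the xWebAdministration module (xWebAppPool) is installed
# on the authoring machine; node, pool and account names are placeholders.

$thumbprint = 'REPLACE-WITH-THUMBPRINT-OF-NODE-DSC-ENCRYPTION-CERT'   # assumption

# App pools are data: the account name is not secret, only its password is.
$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'Web01.rb.local'
            CertificateFile      = 'C:\PublicKeys\Web01.cer'
            Thumbprint           = $thumbprint
            PSDscAllowDomainUser = $true
            AppPools             = @(
                @{ Name = 'Intranet';  Account = 'rb\svc-intranet' }
                @{ Name = 'Reporting'; Account = 'rb\svc-reporting' }
                @{ Name = 'Api';       Account = 'rb\svc-api' }
            )
        }
    )
}

Configuration AppPools
{
    # param must be the first statement in the body; Import-DscResource follows it.
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [hashtable] $Credentials    # account name -> PSCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xWebAdministration

    Node $AllNodes.NodeName
    {
        foreach ($pool in $Node.AppPools)
        {
            # Fail at compile time rather than shipping a pool with no identity.
            if (-not $Credentials.ContainsKey($pool.Account)) {
                throw "No credential supplied for '$($pool.Account)' (pool '$($pool.Name)')"
            }

            # One resource instance per pool; every Credential property is encrypted
            # with the node's certificate when the MOF is compiled.
            xWebAppPool "AppPool_$($pool.Name)"
            {
                Name         = $pool.Name
                Ensure       = 'Present'
                State        = 'Started'
                IdentityType = 'SpecificUser'
                Credential   = $Credentials[$pool.Account]
            }
        }
    }
}

# One prompt per distinct account instead of one parameter per pool, and no
# plaintext password literals in the script.
$accounts = $configData.AllNodes |
    ForEach-Object { $_.AppPools } |
    ForEach-Object { $_.Account } |
    Sort-Object -Unique

$credentials = @{}
foreach ($account in $accounts) {
    $credentials[$account] = Get-Credential -UserName $account -Message "Password for $account"
}

$outputPath = 'C:\Temp\AppPools'
AppPools -Credentials $credentials -ConfigurationData $configData -OutputPath $outputPath | Out-Null

# Check the compiled MOF: none of the passwords may appear in the clear. Credentials
# show up as MSFT_Credential instances whose Password is base64 ciphertext; the
# UserName property is not encrypted.
$mof = Join-Path $outputPath 'Web01.rb.local.mof'
foreach ($cred in $credentials.Values) {
    $plain = $cred.GetNetworkCredential().Password
    if (Select-String -Path $mof -SimpleMatch -Pattern $plain -Quiet) {
        throw "Plaintext password for $($cred.UserName) found in $mof"
    }
}
Write-Host "MOF at $mof compiled with $($credentials.Count) encrypted credential(s)"
```

The loop does not change what Don says: there is still exactly one secret per service account and it has to come from somewhere at compile time (here Get-Credential prompts). What it removes is the per-pool parameter and the temptation to put ConvertTo-SecureString "password" -AsPlainText literals in the authoring script, and the Select-String check catches the case where a credential silently went in as plaintext because the certificate data for a node was missing.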