DSC Encrypting multiple Credentials

This topic contains 4 replies, has 2 voices, and was last updated by Don Jones 5 months, 3 weeks ago.

  • #67641

    Michael
    Participant

    Hi Everyone,

    I have successfully encrypted my first set of credentials within a DSC configuration using a certificate. I needed to encrypt the credentials for a service account running an App Pool. But I have 12 different App Pools running on a single machine in one environment. Multiply this by 4 (or more) and now I have 48 credentials that I must encrypt.

    What are your recommendations on encrypting multiple Credentials in one DSC configuration? Can you provide an example?

    xWebAppPool Example
    {
    Name = "ExampleAppPool"
    State = "Started"
    identityType = "SpecificUser"
    Credential = $ExampleCredential
    }

  • #67671

    Don Jones
    Keymaster

    You'd do it the same way you did the first one ;). Any PSCredential object will be encrypted during MOF creation, provided you have a certificate set up, which you do. You only need the one certificate to actually DO the encryption, so this shouldn't be any more difficult than doing one credential.

  • #67789

    Michael
    Participant

    Hi Don,

    I understand. I forgot to mention one critical piece of information here. Sorry about that. I am trying to pass the PSCredentials to the DSC configuration, but they are either coming up empty or it still prompts me for a password.

    However, this approach seems odd to me because I would have 30-50+ user accounts/passwords to pass through depending on the environment, because our Application Pools run under specific domain user accounts. I would think there is an easier way. Any suggestions?

    $configData = @{
        AllNodes = @{
                        Node = "TestMachine.rb.local"
                        CertificateFile = "C:\PublicKeys\TestMachine.cer"
                        Thumbprint = "309r80w93809384089jhhehe3h3k3h3k"
        }
    }
    
    Configuration TestExample 
    {
        param
        (
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $ExampleCred1,
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $ExampleCred2
        )
    
        Node "TestMachine.rb.local"
        {
    
            File Example 
            {
                DestinationPath = "C:\somePath"
                SourcePath = "C:\NewPath"
                Credential = $ExampleCred1
            }
    
            File Example 
            {
                DestinationPath = "C:\somePath"
                SourcePath = "C:\NewPath"
                Credential = $ExampleCred2
            }
        }
    }
    
    $user1 = "domain\user"
    $pass1 = ConvertTo-secureString "password1" -AsPlainText -Force
    $Credential1 = New-object System.Management.Automation.PSCredential([string]"$user1",[SecureString] $pass1)
    
    $user2 = "domain\user"
    $pass2 = ConvertTo-secureString "password2" -AsPlainText -Force
    $Credential2 = New-object System.Management.Automation.PSCredential([string]"$user2",[SecureString] $pass2)
    
    TestExample -ExampleCred1 "$Credential1" -ExampleCred2 "Credential2" -output "C:\Temp" -ConfigurationData $configData
    
  • #67791

    Michael
    Participant

    Hi again Don,

    So I finally got it to work. However, I still think there is a better way to pass in domain creds than to secure each cred into a variable and pass it in. Anyhow, the reason why I was getting blank credentials was that when I was executing the DSC configuration to create the .mof it was not detecting my parameters. It wasn't until I moved the Import-DSCResource line from above the param statement to below the param statement that it worked. That seems strange to me. I provided my code below.

    Still instead of me writing out each Service account user/pass and passing them in, do you know of a better approach?

    Full DSC Configuration:

    
    
    $configData = `
    @{
        AllNodes = @(
                        @{
                        NodeName = "TestMachine.rb.local"
                        CertificateFile = "C:\PublicKeys\TestMachine.cer"
                        Thumbprint = "aidjf;adijf;alsdkjf;aidhf;asih"  ##Intentionally overwritten
                        PSDSCAllowDomainUser = $true
                        }
    
                        @{
                        NodeName = "*"
                        }
                    );
    }
    
    Configuration TestExample 
    {
        ## Import-DscResource -ModuleName 'PSDesiredStateConfiguration'  ## Original location, but I moved it below the param block.
        param
        (
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $ExampleCred1,
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $ExampleCred2
        )
        Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    
        Node ($AllNodes).NodeName
        {
    
            File Example1 
            {
                DestinationPath = "C:\Path1"
                SourcePath = "C:\NewPath"
                Credential = $ExampleCred1
            }
    
            File Example2 
            {
                DestinationPath = "C:\Path2"
                SourcePath = "C:\NewPath"
                Credential = $ExampleCred2
            }
        }
    }
    
    $user1 = "domain\user"
    $pass1 = ConvertTo-secureString "password1" -AsPlainText -Force
    $Credential1 = New-object System.Management.Automation.PSCredential([string]"$user1",[SecureString] $pass1)
    
    $user2 = "domain\user"
    $pass2 = ConvertTo-secureString "password2" -AsPlainText -Force
    $Credential2 = New-object System.Management.Automation.PSCredential([string]"$user2",[SecureString] $pass2)
    
    TestExample -ExampleCred1 $Credential1 -ExampleCred2 $Credential2 -output "C:\Temp" -ConfigurationData $configData
    
    
  • #67794

    Don Jones
    Keymaster

    No, that's the only way without getting into a third party key vault. That's what you're wanting; it just ain't built into Windows.
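    As an added example (not code from the thread): the single certificate in the configuration data encrypts every PSCredential at MOF compile time, so instead of one parameter per credential the configuration can take one hashtable of pool name to credential and loop over it. The certificate path, thumbprint placeholder, pool names and the xWebAppPool resource shape are assumed from the first post.

```powershell
# Added example, not from the thread: one certificate, many credentials.
# Assumes xWebAppPool (xWebAdministration module) as used in the first post;
# pool names and paths are constructed placeholders.
$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'TestMachine.rb.local'
            CertificateFile      = 'C:\PublicKeys\TestMachine.cer'   # public key used to encrypt
            Thumbprint           = '<THUMBPRINT-PLACEHOLDER>'         # LCM holds the private key
            PSDscAllowDomainUser = $true
        }
    )
}

Configuration AppPools
{
    param
    (
        # One parameter for all pools: pool name -> PSCredential
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [hashtable] $PoolCredentials
    )
    Import-DscResource -ModuleName 'xWebAdministration'

    Node $AllNodes.NodeName
    {
        foreach ($pool in $PoolCredentials.Keys) {
            # Each PSCredential below is encrypted with the node's certificate in the MOF
            xWebAppPool $pool
            {
                Name         = $pool
                State        = 'Started'
                identityType = 'SpecificUser'
                Credential   = $PoolCredentials[$pool]
            }
        }
    }
}

# Constructed sample input: prompt once per pool rather than keeping passwords in the script
$PoolCredentials = @{}
foreach ($pool in 'AppPool01', 'AppPool02', 'AppPool03') {
    $PoolCredentials[$pool] = Get-Credential -Message "Service account for $pool"
}

AppPools -PoolCredentials $PoolCredentials -ConfigurationData $configData -OutputPath 'C:\Temp'

# Check: the Password values in the compiled MOF should be ciphertext, not the typed passwords
Select-String -Path 'C:\Temp\TestMachine.rb.local.mof' -Pattern 'Password'
```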
