Get-ADObject with Credentials in DSC resource SSPI errors

This topic contains 5 replies, has 2 voices, and was last updated by Profile photo of Adam Weigert Adam Weigert 1 year, 5 months ago.

  • Author
    Posts
  • #27828
    Profile photo of Adam Weigert
    Adam Weigert
    Participant

    My DSC target is in a forest "TEST" that has a one-way trust with "PROD" forest.

    $Credential = Get-Credential PROD\USER
    Get-ADObject -Filter {SamAccountName -eq 'TARGET'} -Server TEST -Credential $Credential

    If I run this from within PowerShell on the system as a user in the TEST forest it works. I even tried PSEXEC to launch as a SYSTEM process and it works. When DSC tries to do this it errors with:

    A call to SSPI failed, see inner exception. —>
    No credentials are available in the security package

    Any thoughts on what the problem could be or the difference of a DSC configuration process vs running locally or as SYSTEM?

  • #27831
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Huh. Not sure I've ever tried that.

    I guess maybe I'm not understanding – do you have a DSC resource running Get-Credential? How is it that you're having DSC use an alternate credential for that query?

  • #27852
    Profile photo of Adam Weigert
    Adam Weigert
    Participant

    Sorry that was my example script. The actual DSC resource takes the typical PSCredential property. Also just for kicks I created the same user in the TEST domain as the PROD one and tried to use those creds with Get-ADObject and I keep getting SSPI errors. I verified the password is good via runas, also the user is a local admin on the DSC target. Something of interest, I get access denied trying to use the runas command from a psexec SYSTEM command prompt, never tried that honestly but I don't see why it wouldn't work from there if it worked from a normal command prompt.

  • #27853
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Ok. So, a few troubleshooting cases then.

    Have you checked to see if this works when accessing the same domain the machine belongs to?

    Have you tried this with a non-AD scenario that also involves a credential? I'm thinking the problem could be specific to the AD commands.

  • #27854
    Profile photo of Adam Weigert
    Adam Weigert
    Participant

    I did try to use a user that is in the same domain as the machine, this produces the same error. I'll swap it over to System.DirectoryServices.AccountManagement to validate the credentials and let you know.

  • #27868
    Profile photo of Adam Weigert
    Adam Weigert
    Participant

    Well, it looks like DSC isn't decrypting the encrypted password in MOF, that would explain why it can't authenticate. Anyway I was able to drop my need for the Get-ADObject by converting it to System.DirectoryServices.AccountManagement, so I'll take that as a win.

You must be logged in to reply to this topic.