Get-ADObject with Credentials in DSC resource SSPI errors

Welcome Forums DSC (Desired State Configuration) Get-ADObject with Credentials in DSC resource SSPI errors

This topic contains 5 replies, has 2 voices, and was last updated by

 
Participant
3 years, 3 months ago.

  • Author
    Posts
  • #27828

    Participant
    Points: 0
    Rank: Member

    My DSC target is in a forest "TEST" that has a one-way trust with "PROD" forest.

    $Credential = Get-Credential PROD\USER
    Get-ADObject -Filter {SamAccountName -eq 'TARGET'} -Server TEST -Credential $Credential

    If I run this from within PowerShell on the system as a user in the TEST forest it works. I even tried PSEXEC to launch as a SYSTEM process and it works. When DSC tries to do this it errors with:

    A call to SSPI failed, see inner exception. —>
    No credentials are available in the security package

    Any thoughts on what the problem could be or the difference of a DSC configuration process vs running locally or as SYSTEM?

  • #27831

    Keymaster
    Points: 2
    Rank: Member

    Huh. Not sure I've ever tried that.

    I guess maybe I'm not understanding – do you have a DSC resource running Get-Credential? How is it that you're having DSC use an alternate credential for that query?

  • #27852

    Participant
    Points: 0
    Rank: Member

    Sorry that was my example script. The actual DSC resource takes the typical PSCredential property. Also just for kicks I created the same user in the TEST domain as the PROD one and tried to use those creds with Get-ADObject and I keep getting SSPI errors. I verified the password is good via runas, also the user is a local admin on the DSC target. Something of interest, I get access denied trying to use the runas command from a psexec SYSTEM command prompt, never tried that honestly but I don't see why it wouldn't work from there if it worked from a normal command prompt.

  • #27853

    Keymaster
    Points: 2
    Rank: Member

    Ok. So, a few troubleshooting cases then.

    Have you checked to see if this works when accessing the same domain the machine belongs to?

    Have you tried this with a non-AD scenario that also involves a credential? I'm thinking the problem could be specific to the AD commands.

  • #27854

    Participant
    Points: 0
    Rank: Member

    I did try to use a user that is in the same domain as the machine, this produces the same error. I'll swap it over to System.DirectoryServices.AccountManagement to validate the credentials and let you know.

  • #27868

    Participant
    Points: 0
    Rank: Member

    Well, it looks like DSC isn't decrypting the encrypted password in MOF, that would explain why it can't authenticate. Anyway I was able to drop my need for the Get-ADObject by converting it to System.DirectoryServices.AccountManagement, so I'll take that as a win.

The topic ‘Get-ADObject with Credentials in DSC resource SSPI errors’ is closed to new replies.