Group Resource encrypted credentials issue

This topic contains 8 replies, has 4 voices, and was last updated by edmondtang 1 year, 8 months ago.

  • #15068

    GLibA
    Participant

    I'm having issues with the Group Resource and domain user accounts. It seems to only work if I use the PSDscAllowPlainTextPassword=$true variable when passing in the credentials. If I use the CertificateFile variable in the configuration data pointed to a cert that's installed on the target node, I get the error below. Has anyone gotten the Group Resource to work with encrypted credentials?

    The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational.
    Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost

    EventLog:

    Job {DF4B4371-F349-440A-A50C-C57FFE37E6C3} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource provider. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    $ConfigurationData = @{
        AllNodes = @(
            # All the Servers have the following identical information
            @{
                NodeName        = "*"
                CertificateFile = "c:\cert.cer"
            },
            @{
                NodeName        = "localhost"
            }
        );
    }

    configuration AdminGroup
    {
        param(
            [PsCredential]$Credential
        )
        node $Allnodes.NodeName
        {
            Group Administrators
            {
                GroupName   = "Administrators"
                Credential  = $Credential
                Ensure      = "Present"
                Members     = "Administrator","Lab\account1","lab\account2"
            }
        }
    }

    AdminGroup -ConfigurationData $ConfigurationData -OutputPath c:\AdminGroup -Credential (Get-Credential)

    Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -force -WhatIf
    
  • #15069

    Don Jones
    Keymaster

    Almost looks like a bug in the resource. Do we have a version of that in the community repo?

  • #15070

    GLibA
    Participant

    I was unable to find a comparable one in the repo.

  • #15071

    Dave Wyatt
    Moderator

    I haven't tested this functionality yet myself, but looking at this PowerShell blog post, they have some extra bits that are missing from your configuration. (Specifically, the thumbprint in configurationData, the LocalConfigurationManager resource setting CertificateId to that thumbprint, and the call to Set-DscLocalConfigurationManager on the target node to configure the LCM using those options. The certificate must also be installed, with its private key, on the target node(s).)

    Have you already performed these steps, separately from what you've posted here?
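    The three pieces Dave lists, put into the OP's push-mode configuration as an added example (this is not code from the thread or from the blog post; the thumbprint is a placeholder and the cert path and node name are assumed):

    ```powershell
    # Added example, not code from the thread. Assumptions: target node is 'localhost' (push mode),
    # the public cert was exported to C:\cert.cer, and <THUMBPRINT> stands in for the real thumbprint.
    $Thumbprint = '<THUMBPRINT>'   # placeholder: the target node's certificate thumbprint

    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName        = 'localhost'
                CertificateFile = 'C:\cert.cer'   # public key: used at compile time to encrypt the MOF
                Thumbprint      = $Thumbprint     # tells the LCM which private key decrypts it
            }
        )
    }

    configuration AdminGroup
    {
        param(
            [Parameter(Mandatory)]
            [PSCredential]$Credential
        )
        Node $AllNodes.NodeName
        {
            # Meta-configuration: without this the LCM has no CertificateId and cannot decrypt.
            LocalConfigurationManager
            {
                CertificateId = $Node.Thumbprint
            }
            Group Administrators
            {
                GroupName  = 'Administrators'
                Credential = $Credential
                Ensure     = 'Present'
                Members    = 'Administrator', 'Lab\account1', 'lab\account2'
            }
        }
    }

    # Check on the target node: the certificate must be present WITH its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint with private key not found in LocalMachine\My"
    }

    # Compile: writes localhost.mof (encrypted credential) and localhost.meta.mof (LCM settings).
    AdminGroup -ConfigurationData $ConfigurationData -OutputPath C:\AdminGroup -Credential (Get-Credential)

    # The step that was missing: apply the meta.mof so the LCM knows the CertificateId.
    Set-DscLocalConfigurationManager -Path C:\AdminGroup -Verbose

    Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force
    ```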

  • #15083

    GLibA
    Participant

    Ah, silly me, I feel like an idiot. I'm trying to do a quick test using push and I forgot all about the LCM CertificateId. That's exactly what the issue was.

    Thanks DAVE!

  • #15087

    Don Jones
    Keymaster

    Do a favor and bug that in Connect.Microsoft.com anyway. The resource should provide a more meaningful error message when you do what you did. It's not doing input validation.

  • #15104

    GLibA
    Participant

  • #33094

    edmondtang
    Participant

    Having the same issue. Took the OP's code, changed the nodename and members, and included the CertificateId. Confirmed the machine that builds the mof had the same certificate/thumbprint as the server. We even generated the mof and started DSC on the target server, but we still get this error:

    Job {03F26B40-A4F7-11E5-80D9-005056BE26AD} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource DSC resource. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    How can we determine what username and password combination DSC tried to use?

  • #33120

    edmondtang
    Participant

    Forgot to call Set-DscLocalConfigurationManager.
