Group Resource encrypted credentials issue


This topic contains 8 replies, has 4 voices, and was last updated by Participant 2 years, 11 months ago.

  • #15068

    Participant

    I'm having issues with the Group Resource and domain user accounts. It seems to only work if I use the PSDscAllowPlainTextPassword=$true variable when passing in the credentials. If I use the CertificateFile variable in the configuration data, pointed to a cert that's installed on the target node, I get the error below. Has anyone gotten the Group Resource to work with encrypted credentials?

    The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational.
    Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost

    EventLog:

    Job {DF4B4371-F349-440A-A50C-C57FFE37E6C3} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource provider. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    $ConfigurationData = @{
        AllNodes = @(
            # All the servers have the following identical information
            @{
                NodeName        = "*"
                # Public-key certificate used to encrypt credentials when the MOF is compiled
                CertificateFile = "c:\cert.cer"
            },

            @{
                NodeName = "localhost"
            }
        )
    }

    configuration AdminGroup
    {
        param(
            [PSCredential]$Credential
        )

        node $AllNodes.NodeName
        {
            Group Administrators
            {
                GroupName  = "Administrators"
                Credential = $Credential
                Ensure     = "Present"
                Members    = "Administrator", "Lab\account1", "lab\account2"
            }
        }
    }

    # Compile the MOF, prompting for the credential to embed
    AdminGroup -ConfigurationData $ConfigurationData -OutputPath c:\AdminGroup -Credential (Get-Credential)

    Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force -WhatIf
    
  • #15069

    Keymaster

    Almost looks like a bug in the resource. Do we have a version of that in the community repo?

  • #15070

    Participant

    I was unable to find a comparable one in the repo.

  • #15071

    Member

    I haven't tested this functionality yet myself, but looking at this PowerShell blog post, they have some extra bits that are missing from your configuration. (Specifically, the thumbprint in configurationData, the LocalConfigurationManager resource setting CertificateId to that thumbprint, and the call to Set-DscLocalConfigurationManager on the target node to configure the LCM using those options. The certificate must also be installed, with its private key, on the target node(s).)

    Have you already performed these steps, separately from what you've posted here?

  • #15083

    Participant

    Ah, silly me, I feel like an idiot. I'm trying to do a quick test using push and I forgot all about the LCM CertificateId. That's exactly what the issue was.

    Thanks DAVE!

  • #15087

    Keymaster

    Do a favor and bug that in Connect.Microsoft.com anyway. The resource should provide a more meaningful error message when you do what you did. It's not doing input validation.

  • #15104

    Participant
  • #33094

    Participant

    Having the same issue. Took the OP's code, changed the nodename and members, and included the CertificateId. Confirmed the machine that builds the MOF had the same certificate/thumbprint as the server. We even generated the MOF and started DSC on the target server, but we still get this error:

    Job {03F26B40-A4F7-11E5-80D9-005056BE26AD} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource DSC resource. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    How can we determine what username and password combination DSC tried to use?

  • #33120

    Participant

    Forgot to call Set-DscLocalConfigurationManager.
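
Added example, not part of any post in this thread: the original poster's configuration with the pieces the replies identify as missing (the thumbprint in the configuration data, the LCM CertificateId, and the Set-DscLocalConfigurationManager call), for a push test against localhost. It assumes C:\cert.cer is the public half of a certificate whose private key is installed on the node, and the two pre-flight checks are additions that do not come from the thread.

```powershell
# Added example. Assumes C:\cert.cer is the public half of a certificate whose
# private key is installed in Cert:\LocalMachine\My on the target node.
$CertFile   = 'C:\cert.cer'
$Thumbprint = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).Thumbprint

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = $CertFile     # encrypts the credential at compile time
            Thumbprint      = $Thumbprint   # tells the LCM which key decrypts it
        }
    )
}

configuration AdminGroup
{
    param([Parameter(Mandatory = $true)][PSCredential]$Credential)

    node $AllNodes.NodeName
    {
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }
        Group Administrators
        {
            GroupName  = 'Administrators'
            Credential = $Credential
            Ensure     = 'Present'
            Members    = 'Administrator', 'Lab\account1', 'Lab\account2'
        }
    }
}

# Emits localhost.mof and localhost.meta.mof into the output path.
AdminGroup -ConfigurationData $ConfigurationData -OutputPath C:\AdminGroup -Credential (Get-Credential)

# Pre-flight: the node must hold the private key for the thumbprint in use.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint on this node." }

# Apply the meta-configuration first, confirm it took, then push.
Set-DscLocalConfigurationManager -Path C:\AdminGroup -Verbose
if ((Get-DscLocalConfigurationManager).CertificateID -ne $Thumbprint) {
    throw 'LCM CertificateID does not match the encryption certificate.'
}
Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force
```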
