Group Resource encrypted credentials issue

This topic contains 8 replies, has 4 voices, and was last updated by edmondtang 1 year, 6 months ago.

  • #15068
    GLibA
    Participant

    I'm having issues with the Group Resource and domain user accounts. It seems to only work if I use the PSDscAllowPlainTextPassword=$true variable when passing in the credentials. If I use the CertificateFile variable in the configuration data pointed to a cert that's installed on the target node I get the error below. Has anyone gotten the Group Resource to work with encrypted credentials?

    The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational.
    Refer to this channel for more details.
    + CategoryInfo : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName : localhost

    EventLog:

    Job {DF4B4371-F349-440A-A50C-C57FFE37E6C3} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource provider. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    $ConfigurationData = @{
        AllNodes = @(
            # All the servers have the following identical information
            @{
                NodeName        = "*"
                CertificateFile = "c:\cert.cer"
            },
            @{
                NodeName        = "localhost"
            }
        );
    }

    configuration AdminGroup
    {
        param(
            [PSCredential]$Credential
        )
        node $AllNodes.NodeName
        {
            Group Administrators
            {
                GroupName   = "Administrators"
                Credential  = $Credential
                Ensure      = "Present"
                Members     = "Administrator","Lab\account1","lab\account2"
            }
        }
    }

    AdminGroup -ConfigurationData $ConfigurationData -OutputPath c:\AdminGroup -Credential (Get-Credential)

    Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force -WhatIf
    
  • #15069
    Don Jones
    Keymaster

    Almost looks like a bug in the resource. Do we have a version of that in the community repo?

  • #15070
    GLibA
    Participant

    I was unable to find a comparable one in the repo.

  • #15071
    Dave Wyatt
    Moderator

    I haven't tested this functionality yet myself, but looking at this PowerShell blog post, they have some extra bits that are missing from your configuration. (Specifically, the thumbprint in configurationData, the LocalConfigurationManager resource setting CertificateId to that thumbprint, and the call to Set-DscLocalConfigurationManager on the target node to configure the LCM using those options. The certificate must also be installed, with its private key, on the target node(s).)

    Have you already performed these steps, separately from what you've posted here?
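
The steps Dave lists, as an added example that is not code from the original thread: the OP's configuration with the thumbprint added to the configuration data, a LocalConfigurationManager meta-configuration that sets CertificateId, and the Set-DscLocalConfigurationManager call before the real configuration is pushed. Assumed: the public certificate is exported to C:\cert.cer on the authoring machine, the same certificate with its private key is in the target node's LocalMachine\My store, the target is localhost, and the thumbprint value is a placeholder to replace with the real one.

```powershell
# Added example (not the OP's code): the OP's configuration plus the pieces needed for
# encrypted credentials. Assumptions: C:\cert.cer holds the public key on the authoring
# machine, the node holds the same cert with its private key, thumbprint is a placeholder.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\cert.cer'                    # public key: encrypts at compile time
            Thumbprint      = '<CERT_THUMBPRINT_PLACEHOLDER>'  # private key on the node: LCM decrypts
        }
    )
}

# Meta-configuration: the LCM needs CertificateId to know which private key decrypts the MOF.
configuration LcmCertSettings
{
    node $AllNodes.NodeName
    {
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }
    }
}

configuration AdminGroup
{
    param([PSCredential]$Credential)

    node $AllNodes.NodeName
    {
        Group Administrators
        {
            GroupName  = 'Administrators'
            Credential = $Credential
            Ensure     = 'Present'
            Members    = 'Administrator', 'Lab\account1', 'lab\account2'
        }
    }
}

# 1. Compile and apply the meta-config so the LCM on the node knows about the certificate.
LcmCertSettings -ConfigurationData $ConfigurationData -OutputPath C:\AdminGroup
Set-DscLocalConfigurationManager -Path C:\AdminGroup -Verbose

# 2. Compile the real configuration; the password lands in localhost.mof encrypted.
AdminGroup -ConfigurationData $ConfigurationData -OutputPath C:\AdminGroup -Credential (Get-Credential)
Select-String -Path C:\AdminGroup\localhost.mof -Pattern 'Password'   # expect ciphertext, not the typed password
Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force
```

If the Select-String line shows the clear-text password, the MOF was compiled without the certificate and should not be pushed.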

  • #15083
    GLibA
    Participant

    Ah, silly me, I feel like an idiot. I'm trying to do a quick test using push and I forgot all about the LCM CertificateId. That's exactly what the issue was.

    Thanks DAVE!

  • #15087
    Don Jones
    Keymaster

    Do a favor and bug that in Connect.Microsoft.com anyway. The resource should provide a more meaningful error message when you do what you did. It's not doing input validation.

  • #33094
    edmondtang
    Participant

    Having the same issue. Took the OP's code, changed the nodename and members, and included the CertificateId. Confirmed the machine that builds the mof had the same certificate/thumbprint as the server. We even generated the mof and started DSC on the target server, but we still get this error:

    Job {03F26B40-A4F7-11E5-80D9-005056BE26AD} :
    This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource DSC resource. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect.
    ".

    How can we determine what username and password combination DSC tried to use?

  • #33120
    edmondtang
    Participant

    Forgot to call Set-DscLocalConfigurationManager.
