How to get rid of PSDscAllowPlainTextPassword (PS 4)

Welcome Forums DSC (Desired State Configuration) How to get rid of PSDscAllowPlainTextPassword (PS 4)

This topic contains 2 replies, has 3 voices, and was last updated by

3 years, 7 months ago.

  • Author
  • #28417

    Points: 0
    Rank: Member

    We are security tightening up scripts at the moment. Who has built a successful example of using Certificates and Thumbprint instead of using the notoriously bad PSDscAllowPlainTextPassword Attribute using PowerShell 4.0.

    Configuration ExampleConfig
    			 [string]	$myUserName 
    		    ,[string]	$myFullName
                ,[PSCredential]	$myPassword
    	Node $AllNodes.where{ $_.Role.Contains("myrole") }.NodeName
            User MyUser
                UserName = $myUserName
                Ensure = "Present"
                FullName = $myFullName
                Password = $myPassword
                 CertificateId = $node.Thumbprint 
    # cut the first half that declared the parameters and values
    $ConfigData = @{
        AllNodes = @(
                NodeName = ""
    			myUserName = $userName
    		    myFullName = $userName
                myPassword = $userCreds
                CertificateFile ="C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer" 
                Thumbprint= "‎F6E950F331F06EE605D804DB4811fB647B697668"
    $sn_mofPath = "C:\MOF"
    ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
                      -OutputPath $sn_mofPath
    Set-DscLocalConfigurationManager -ComputerName "" `
                  -Path $sn_mofPath `
                  -Credential $creds
    Start-DscConfiguration -Verbose -Wait -Force `
                  -ComputerName "" `
                  -Path $sn_mofPath `
                  -Credential $creds

    I followed the following procedure: and I am getting the following output.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Set      ]
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Resource ]  [[User]MyUser]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        :
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.383 seconds

    Additional Information: The mof files are encrypend, the certificate is a self signed certificate on the target machine that I have exported to the local machine I run the scripts from. (so private key is on the target machine).

    This is the script that I used to create the Self signed cert:

    Any help apreciated

  • #28487

    Points: 1,811
    Helping HandTeam Member
    Rank: Community Hero

    I've done this successfully numerous times, but not using a self-signed certificate.

  • #28793

    Points: 0
    Rank: Member

    I've used SS certs before with no issue; I tested your code quickly and all seemed ok; I'm assuming that when you use

    PSDSCAllowPlainTextPassword = $true

    that the DSC runs fine?

The topic ‘How to get rid of PSDscAllowPlainTextPassword (PS 4)’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort