How to get rid of PSDscAllowPlainTextPassword (PS 4)


This topic contains 2 replies, has 3 voices, and was last updated by Participant 3 years, 7 months ago.

  • #28417

    Participant

    We are tightening up the security of our scripts at the moment. Who has built a successful example of using certificates and a thumbprint instead of the notoriously bad PSDscAllowPlainTextPassword attribute in PowerShell 4.0?

    Configuration ExampleConfig
    {
        param(
            [string]       $myUserName,
            [string]       $myFullName,
            [PSCredential] $myPassword
        )

        Node $AllNodes.where{ $_.Role.Contains("myrole") }.NodeName
        {
            User MyUser
            {
                UserName = $myUserName
                Ensure   = "Present"
                FullName = $myFullName
                Password = $myPassword
            }

            LocalConfigurationManager
            {
                CertificateId = $node.Thumbprint
            }
        }
    }
    
    # cut the first half that declared the parameters and values
    
    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName        = "10.0.0.5"
                myUserName      = $userName
                myFullName      = $userName
                myPassword      = $userCreds
                Role            = "myrole"
                CertificateFile = "C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer"
                Thumbprint      = "F6E950F331F06EE605D804DB4811fB647B697668"
            }
        )
    }
    
    $sn_mofPath = "C:\MOF"
    ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
                      -OutputPath $sn_mofPath
    
    Set-DscLocalConfigurationManager -ComputerName "10.0.0.5" `
                  -Path $sn_mofPath `
                  -Credential $creds
    
    Start-DscConfiguration -Verbose -Wait -Force `
                  -ComputerName "10.0.0.5" `
                  -Path $sn_mofPath `
                  -Credential $creds
    
    

    I followed the following procedure: http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx and I am getting the following output.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Set      ]
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Resource ]  [[User]MyUser]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        : 10.0.0.5
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.383 seconds
    

    Additional Information: The MOF files are encrypted; the certificate is a self-signed certificate on the target machine that I have exported to the local machine I run the scripts from (so the private key is on the target machine).

    This is the script that I used to create the Self signed cert:
    https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6

    Any help appreciated.

  • #28487

    Keymaster

    I've done this successfully numerous times, but not using a self-signed certificate.

  • #28793

    Participant

    I've used SS certs before with no issue; I tested your code quickly and all seemed ok; I'm assuming that when you use

    PSDSCAllowPlainTextPassword = $true

    that the DSC runs fine?

The topic ‘How to get rid of PSDscAllowPlainTextPassword (PS 4)’ is closed to new replies.
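
The setup described in the opening post (a per-node CertificateFile and Thumbprint in the configuration data, with the private key kept on the target) can be sanity-checked on the authoring machine before the configuration is pushed. The following is an added example, not code from the thread or from Microsoft; `Test-DscNodeCertificate`, the sample thumbprint and the placeholder path are assumptions made for illustration.

```powershell
# Added example (PowerShell 4.0 compatible). Test-DscNodeCertificate is a
# hypothetical helper name, not a DSC cmdlet.
function Test-DscNodeCertificate {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Node,  # one entry of AllNodes
        [string] $MofPath,                                 # folder with compiled .mof files
        [PSCredential] $Credential                         # credential compiled into the MOF
    )
    $findings = @()

    # 1. Thumbprint must be exactly 40 hex characters; values pasted from a
    #    certificate dialog can carry invisible characters.
    if ($Node.Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings += "Thumbprint is not 40 hex characters (length $($Node.Thumbprint.Length))"
    }

    # 2. The exported public-key file must be the certificate the thumbprint names.
    if (-not (Test-Path -LiteralPath $Node.CertificateFile)) {
        $findings += "CertificateFile not found: $($Node.CertificateFile)"
    } else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $Node.CertificateFile
        if ($cert.Thumbprint -ne $Node.Thumbprint) {
            $findings += "CertificateFile has thumbprint $($cert.Thumbprint), not the node's value"
        }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += "Certificate is outside its validity period"
        }
    }

    # 3. The compiled MOF must not contain the password in clear text.
    if ($MofPath -and $Credential) {
        $plain = $Credential.GetNetworkCredential().Password
        if ($plain) {
            $hits = Get-ChildItem -Path $MofPath -Filter *.mof |
                Select-String -SimpleMatch -Pattern $plain -List
            foreach ($hit in $hits) { $findings += "Plain-text password found in $($hit.Path)" }
        }
    }
    $findings
}

# Constructed input: thumbprint with a leading U+200E mark, placeholder file path.
$sample = @{
    Thumbprint      = "$([char]0x200E)" + ('AB' * 20)
    CertificateFile = 'C:\placeholder\node.cer'
}
Test-DscNodeCertificate -Node $sample
```

With the variables from the opening post, the equivalent call is `Test-DscNodeCertificate -Node $ConfigData.AllNodes[0] -MofPath $sn_mofPath -Credential $userCreds`; an empty result means none of the three checks found a problem.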
