How to get rid of PSDscAllowPlainTextPassword (PS 4)

This topic contains 2 replies, has 3 voices, and was last updated by James Baker 1 year, 11 months ago.

  • #28417
    Thomas Mehl
    Participant

    We are tightening up the security of our scripts at the moment. Who has built a successful example of using certificates and a thumbprint instead of the notoriously bad PSDscAllowPlainTextPassword attribute with PowerShell 4.0?

    Configuration ExampleConfig
    {
        param(
            [string]       $myUserName,
            [string]       $myFullName,
            [PSCredential] $myPassword
        )

        Node $AllNodes.Where{ $_.Role.Contains("myrole") }.NodeName
        {
            User MyUser
            {
                UserName = $myUserName
                Ensure   = "Present"
                FullName = $myFullName
                Password = $myPassword
            }

            # PS 4.0 style meta-configuration: the LCM looks this thumbprint up in the
            # node's Cert:\LocalMachine\My store to find the private key that decrypts the MOF
            LocalConfigurationManager
            {
                CertificateId = $Node.Thumbprint
            }
        }
    }

    # cut the first half that declared the parameters and values

    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName        = "10.0.0.5"
                myUserName      = $userName
                myFullName      = $userName
                myPassword      = $userCreds
                Role            = "myrole"
                # public key of the node's certificate; the compiler encrypts the credential with it
                CertificateFile = "C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer"
                # the thumbprint as originally posted began with a hidden U+200E (left-to-right mark)
                # character, typically picked up when pasting from the certificate MMC; it is removed
                # here so the CertificateId written to the meta.mof matches the certificate on the node
                Thumbprint      = "F6E950F331F06EE605D804DB4811fB647B697668"
            }
        )
    }

    $sn_mofPath = "C:\MOF"
    ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
                  -OutputPath $sn_mofPath

    # push the meta.mof first so the LCM knows the CertificateId before the encrypted MOF is applied
    Set-DscLocalConfigurationManager -ComputerName "10.0.0.5" `
                  -Path $sn_mofPath `
                  -Credential $creds

    Start-DscConfiguration -Verbose -Wait -Force `
                  -ComputerName "10.0.0.5" `
                  -Path $sn_mofPath `
                  -Credential $creds
    

    I followed the following procedure: http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx and I am getting the following output.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Set      ]
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Resource ]  [[User]MyUser]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        : 10.0.0.5
     
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.383 seconds
    

    Additional information: the MOF files are encrypted, and the certificate is a self-signed certificate on the target machine that I have exported to the local machine I run the scripts from (so the private key is on the target machine).

    This is the script that I used to create the Self signed cert:
    https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6

    Any help appreciated.
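
    Added example for this thread (not the original poster's code, nor the script from the linked Microsoft blog): the same PowerShell 4.0 push-mode flow, with the User password encrypted to the node's certificate and no PSDscAllowPlainTextPassword anywhere. The node address, the .cer path, the MOF folder and the account name are placeholders. Two things it does that the posted script does not: it reads the thumbprint from the exported .cer file instead of a pasted string (the thumbprint in the post above starts with a hidden U+200E mark, and CertificateId has to match the node's certificate exactly or the LCM cannot locate its private key), and it refuses to push if the compiled MOF still contains the plaintext password or the meta.mof lacks the thumbprint.

```powershell
# Added example for this thread, not the original poster's code: PowerShell 4.0 push-mode DSC
# with the User password encrypted to the node's certificate. Placeholders (assumed values):
# target address, exported .cer path, MOF folder and the account name to create.
param(
    [string] $TargetNode = "10.0.0.5",                               # assumed node address
    [string] $CertFile   = "C:\GSPS-Source\Certificates\node.cer",   # assumed exported public key
    [string] $MofPath    = "C:\MOF",
    [string] $NewUser    = "svc-example"                             # assumed account to create
)

# Take the thumbprint from the exported public certificate, not from a string pasted out of the
# certificate MMC. Pasted values can carry hidden characters (the post above has a U+200E in front
# of its thumbprint), and CertificateId must match the node's certificate exactly.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "Unexpected thumbprint '$thumbprint' read from $CertFile" }

# Password for the account the User resource creates, and the admin credential used for the push.
$userCreds  = Get-Credential -UserName $NewUser -Message "Password for $NewUser"
$adminCreds = Get-Credential -Message "Administrator credential for $TargetNode"

Configuration ExampleConfig
{
    param(
        [Parameter(Mandatory)] [string]       $myUserName,
        [Parameter(Mandatory)] [string]       $myFullName,
        [Parameter(Mandatory)] [PSCredential] $myPassword
    )

    Node $AllNodes.Where{ $_.Role -contains "myrole" }.NodeName
    {
        User MyUser
        {
            UserName = $myUserName
            Ensure   = "Present"
            FullName = $myFullName
            Password = $myPassword
        }

        # PS 4.0 meta-configuration: the LCM uses this thumbprint to find, in the node's
        # Cert:\LocalMachine\My store, the private key that decrypts the credential.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = $TargetNode
            Role            = "myrole"
            CertificateFile = $CertFile     # public key: the compiler encrypts the password with it
            Thumbprint      = $thumbprint   # identifies the matching private key on the node
            # Deliberately no PSDscAllowPlainTextPassword: with CertificateFile set it is not needed.
        }
    )
}

ExampleConfig -ConfigurationData $ConfigData `
              -myUserName $NewUser -myFullName $NewUser -myPassword $userCreds `
              -OutputPath $MofPath | Out-Null

# Guard rails before anything leaves this machine:
# 1. the configuration MOF must not contain the password in clear, and
# 2. the meta MOF must carry the thumbprint the LCM will be told to use.
$mof     = Join-Path $MofPath "$TargetNode.mof"
$metaMof = Join-Path $MofPath "$TargetNode.meta.mof"
$plain   = $userCreds.GetNetworkCredential().Password   # in memory only for this check
if ($plain.Length -eq 0) { throw "Empty password supplied for $NewUser" }
if (Select-String -Path $mof -Pattern $plain -SimpleMatch -Quiet) {
    Remove-Item $mof, $metaMof -ErrorAction SilentlyContinue
    throw "Plaintext password found in $mof; CertificateFile was not honoured. Not pushing."
}
if (-not (Select-String -Path $metaMof -Pattern $thumbprint -SimpleMatch -Quiet)) {
    throw "CertificateId $thumbprint missing from $metaMof. Not pushing."
}

# Push the meta.mof first so the LCM knows which certificate to use, then the encrypted MOF.
Set-DscLocalConfigurationManager -ComputerName $TargetNode -Path $MofPath -Credential $adminCreds -Verbose
Start-DscConfiguration -ComputerName $TargetNode -Path $MofPath -Credential $adminCreds -Wait -Verbose -Force
```

    Run it from a workstation with WinRM access to the node, after exporting the node's public certificate (on the node, `Get-ChildItem Cert:\LocalMachine\My` shows the thumbprint, and `Export-Certificate -Cert <that cert> -FilePath node.cer` writes the .cer without the private key). The private key must stay in the node's LocalMachine\My store, since the LCM runs as SYSTEM there. One caveat outside this thread's PS 4.0 scope: from WMF 5.0 onwards the certificate must also carry the Document Encryption EKU (1.3.6.1.4.1.311.80.1) and a KeyUsage of KeyEncipherment and DataEncipherment, so a plain self-signed certificate that works on 4.0 can be rejected after an upgrade.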

  • #28487
    Don Jones
    Keymaster

    I've done this successfully numerous times, but not using a self-signed certificate.

  • #28793
    James Baker
    Participant

    I've used SS certs before with no issue; I tested your code quickly and all seemed ok; I'm assuming that when you use

    PSDSCAllowPlainTextPassword = $true

    that the DSC runs fine?
