August 11, 2015 at 8:15 am

We are tightening up the security of our scripts at the moment. Who has built a successful example of using Certificates and Thumbprint instead of the notoriously bad PSDscAllowPlainTextPassword attribute with PowerShell 4.0?

Configuration ExampleConfig
{
    param(
        [string]       $myUserName,
        [string]       $myFullName,
        [PSCredential] $myPassword
    )

    Node $AllNodes.where{ $_.Role.Contains("myrole") }.NodeName
    {
        User MyUser
        {
            UserName = $myUserName
            Ensure   = "Present"
            FullName = $myFullName
            Password = $myPassword
        }

        LocalConfigurationManager
        {
            CertificateId = $node.Thumbprint
        }
    }
}

# cut the first half that declared the parameters and values

$ConfigData = @{
    AllNodes = @(
        @{ 
            NodeName = "10.0.0.5"
            myUserName = $userName
            myFullName = $userName
            myPassword = $userCreds
            Role = "myrole"
            CertificateFile = "C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer"
            Thumbprint= "‎F6E950F331F06EE605D804DB4811fB647B697668"
        }
)}

$sn_mofPath = "C:\MOF"
ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
                  -OutputPath $sn_mofPath

Set-DscLocalConfigurationManager -ComputerName "10.0.0.5" `
              -Path $sn_mofPath `
              -Credential $creds

Start-DscConfiguration -Verbose -Wait -Force `
              -ComputerName "10.0.0.5" `
              -Path $sn_mofPath `
              -Credential $creds

I followed the following procedure: http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx and I am getting the following output.

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
 MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Set      ]
VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Resource ]  [[User]MyUser]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : 10.0.0.5
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.383 seconds

Additional information: The MOF files are encrypted. The certificate is a self-signed certificate on the target machine that I have exported to the local machine I run the scripts from (so the private key is on the target machine).

This is the script that I used to create the self-signed cert:
https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6

Any help appreciated.
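
A pre-flight check for the Thumbprint and CertificateFile entries in the node data above, as an added example that is not part of the original post. It assumes the LCM looks the certificate up in the LocalMachine\My store; the function names and the sample node values are made up for illustration.

```powershell
# Added example. Function names and the sample node values are made up for illustration.

# Authoring machine: check the Thumbprint / CertificateFile pair in one AllNodes entry.
function Test-DscNodeCertificate {
    param([Parameter(Mandatory = $true)][hashtable]$Node)

    $problems = @()
    $thumb = [string]$Node.Thumbprint

    # A SHA-1 thumbprint is exactly 40 hex digits. Spaces, or an invisible U+200E
    # picked up when copying from the certificate dialog, make the lookup fail.
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        $bad = $thumb.ToCharArray() | Where-Object { "$_" -notmatch '^[0-9A-Fa-f]$' } |
            ForEach-Object { 'U+{0:X4}' -f [int]$_ }
        $problems += "Thumbprint is not 40 hex digits (length $($thumb.Length), unexpected: $($bad -join ', '))"
    }

    # The .cer used to encrypt the MOF must be the certificate the thumbprint names.
    if (-not (Test-Path -LiteralPath $Node.CertificateFile)) {
        $problems += "CertificateFile not found: $($Node.CertificateFile)"
    }
    else {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Node.CertificateFile
        if ($cert.Thumbprint -ne ($thumb -replace '[^0-9A-Fa-f]', '')) {
            $problems += "CertificateFile has thumbprint $($cert.Thumbprint), which differs from the node's Thumbprint"
        }
    }

    [pscustomobject]@{ NodeName = $Node.NodeName; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Target node: the LCM can only decrypt if the certificate is in the machine store
# together with its private key.
function Test-DscDecryptionCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    [bool]($cert -and $cert.HasPrivateKey)
}

# Constructed sample entry: placeholder thumbprint with a leading U+200E, placeholder path.
$sampleNode = @{
    NodeName        = 'node01.example'
    CertificateFile = 'C:\Temp\placeholder-node01.cer'
    Thumbprint      = ([string][char]0x200E) + ('AB' * 20)
}
Test-DscNodeCertificate -Node $sampleNode | Format-List
```

Run the first function over each AllNodes entry before compiling the MOF, and the second on the target node with the cleaned thumbprint.
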

August 12, 2015 at 5:52 am

I've done this successfully numerous times, but not using a self-signed certificate.

August 19, 2015 at 10:13 pm

I've used SS certs before with no issue; I tested your code quickly and all seemed ok; I'm assuming that when you use

PSDSCAllowPlainTextPassword = $true

that the DSC runs fine?