How to get rid of PSDscAllowPlainTextPassword (PS 4)

This topic contains 2 replies, has 3 voices, and was last updated by James Baker 1 year, 2 months ago.

  • #28417
    Thomas Mehl

    We are tightening up the security of our scripts at the moment. Who has built a successful example of using certificates and a thumbprint instead of the notoriously bad PSDscAllowPlainTextPassword attribute, using PowerShell 4.0?

    Configuration ExampleConfig
    {
        param (
            [string]       $myUserName,
            [string]       $myFullName,
            [PSCredential] $myPassword
        )

        Node $AllNodes.where{ $_.Role.Contains("myrole") }.NodeName
        {
            User MyUser
            {
                UserName = $myUserName
                Ensure   = "Present"
                FullName = $myFullName
                Password = $myPassword
            }

            # CertificateId is an LCM setting: it names the certificate the node uses to decrypt credentials
            LocalConfigurationManager
            {
                CertificateId = $node.Thumbprint
            }
        }
    }

    # cut the first half that declared the parameters and values
    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName        = ""
                myUserName      = $userName
                myFullName      = $userName
                myPassword      = $userCreds
                # Public certificate used to encrypt credentials when the MOF is compiled
                CertificateFile = "C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer"
                Thumbprint      = "F6E950F331F06EE605D804DB4811fB647B697668"
            }
        )
    }

    $sn_mofPath = "C:\MOF"
    ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
                  -OutputPath $sn_mofPath
    Set-DscLocalConfigurationManager -ComputerName "" `
                  -Path $sn_mofPath `
                  -Credential $creds
    Start-DscConfiguration -Verbose -Wait -Force `
                  -ComputerName "" `
                  -Path $sn_mofPath `
                  -Credential $creds

    I followed the following procedure: and I am getting the following output.

    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' =
     MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Set      ]
    VERBOSE: [SFB-THM-TENANT]: LCM:  [ Start  Resource ]  [[User]MyUser]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        :
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.383 seconds

    Additional Information: The MOF files are encrypted; the certificate is a self-signed certificate on the target machine that I have exported to the local machine I run the scripts from (so the private key is on the target machine).

    This is the script that I used to create the self-signed cert:

    Any help appreciated.

  • #28487
    Don Jones

    I've done this successfully numerous times, but not using a self-signed certificate.

  • #28793
    James Baker

    I've used SS certs before with no issue; I tested your code quickly and all seemed ok; I'm assuming that when you use

    PSDSCAllowPlainTextPassword = $true

    that the DSC runs fine?
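
An added example, not part of the thread or any poster's code: a pre-flight check to run on the target node before applying an encrypted MOF. The function name `Test-DscEncryptionCertificate` is hypothetical, and the key-usage rule (key or data encipherment must be allowed) is an assumption about what a credential-encryption certificate needs.

```powershell
# Added example (not from the thread). Run on the target node, where the private key lives.
function Test-DscEncryptionCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $problems = @()

    # A thumbprint pasted from the certificate dialog can carry invisible
    # characters (for example U+200E) that make the lookup fail.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne $Thumbprint.Length) {
        $problems += "Thumbprint contains $($Thumbprint.Length - $clean.Length) non-hex character(s)"
    }
    if ($clean.Length -ne 40) {
        $problems += "Thumbprint has $($clean.Length) hex digits, expected 40 (SHA-1)"
    }

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        $problems += "No certificate with thumbprint $clean in $StorePath"
    }
    else {
        if (-not $cert.HasPrivateKey) {
            $problems += 'Private key is missing; the LCM cannot decrypt the MOF'
        }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'Certificate is outside its validity period'
        }
        # Assumption: the certificate must permit key or data encipherment.
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'KeyEncipherment, DataEncipherment'
        if ($ku -and -not ($ku.KeyUsages -band $need)) {
            $problems += "Key usage '$($ku.KeyUsages)' allows neither key nor data encipherment"
        }
    }
    New-Object PSObject -Property @{
        Thumbprint = $clean; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Thumbprint value taken from the post's configuration data.
Test-DscEncryptionCertificate -Thumbprint 'F6E950F331F06EE605D804DB4811fB647B697668' | Format-List
```

Pass the thumbprint string exactly as it appears in the configuration data, so that any stray characters in it are counted before they are stripped.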
