Partial Configurations & Encrypted Credentials


This topic contains 7 replies, has 4 voices, and was last updated by a Participant 10 months, 3 weeks ago.

  • #84965

    Participant
    Points: 1
    Rank: Member

    Hi All,

    Was hoping someone could steer me in the right direction. I'm hoping to utilise partial configurations to firstly deploy a base set of features to the server (first partial configuration), and then deploy and configure AD Domain Services (with the second configuration).

    The LCM code to configure the target server looks like this (the code below is used in a test environment, so nothing sensitive...)

    [DSCLocalConfigurationManager()]
    Configuration PullClientConfig
    {
        Node localhost
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30
                RebootNodeIfNeeded = $true
                CertificateID = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
            }

            ConfigurationRepositoryWeb PullSrv
            {
                ServerURL = 'https://config.testing.id.au:8080/PSDSCPullServer.svc'
                RegistrationKey = '252b8bef-2c38-4f66-b7d8-682136763da4'
                ConfigurationNames = @('BaseConfig','NewADDSDomain')
                CertificateID = ("12fd261ead620b8cb558263180f6ee3200cdcc20").ToUpper()
            }

            PartialConfiguration BaseConfig {
                ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
            }

            PartialConfiguration NewADDSDomain {
                ConfigurationSource = '[ConfigurationRepositoryWeb]PullSrv'
                DependsOn = '[PartialConfiguration]BaseConfig'
            }
        }
    }

    PullClientConfig

    Set-DscLocalConfigurationManager -Path ".\PullClientConfig" -Verbose
    Update-DscConfiguration -Wait -Verbose


    When I run this, the server attempts to configure itself, but eventually fails with an error message of "Verification of prerequisites for Domain Controller promotion failed. The Directory Services Restore Mode password exceeds the maximum password length requirement of the password policy".

    This leads me to believe that the encrypted credentials in the MOF file are not getting decrypted properly (as the encrypted string is quite long). I've tried the following things to resolve it:
    * Removing the partial configuration blocks and just running the NewADDSDomain portion of the config by itself (which works perfectly on its own)
    * Placing the CertificateID parameter in various places in the configuration

    The BaseConfig configuration does not contain any credentials and is not encrypted with the certificate. Is there a trick to using partial configurations when not all of your configurations require encryption/decryption at the target node?

  • #84989

    Participant
    Points: 0
    Rank: Member

    Before getting in to the details, may I ask why the use of partial configurations in this scenario?

  • #85028

    Participant
    Points: 1
    Rank: Member

    Hi Michael,

    I'm just trying to familiarise myself with the concept at the moment; I'd like to be able to split the configuration documents into smaller pieces. In this scenario, every server managed by DSC would get configured with a base set of components and features (BaseConfig), and then depending on the server's role (in this case, a new domain controller), a configuration document specific to that role would then configure the rest of the features/services as required.

  • #90599

    Participant
    Points: 0
    Rank: Member

    Hi,

    I just encountered something similar. I have two partial configurations: the first one joins a member server to the domain with some base Windows config, and the second config does some web server related configuration. However, with the second partial config present it always fails on joining the machine to the domain with the following:

    Computer 'EC2AMAZ-B0FFA8R' failed to join domain 'blah.local' from its current workgroup 'WORKGROUP' with following error message: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

    If I remove the second partial config or just throw it all in to the one config it all works no issue.

    • #90662

      Participant
      Points: 0
      Rank: Member

      Why not use a single config?

  • #91820

    Participant
    Points: 0
    Rank: Member

    I came across a very similar issue using partials.

    In my scenario I have upwards of 5 partials that are applied. All partials referenced by the LCM Configuration had to have encrypted credentials stored within each partial configuration. This seems bizarre to me. I have opened a Microsoft Case on this.

    Example 1 Fails:

    Partial 1: Uses Encrypted Credential in MOF
    Partial 2: Uses Encrypted Credential in MOF
    Partial 3: Uses Encrypted Credential in MOF
    Partial 4: Uses Encrypted Credential in MOF
    Partial 5: No Stored Credential in MOF

    Example 2 Succeeds:

    Partial 1: Uses Encrypted Credential in MOF
    Partial 2: Uses Encrypted Credential in MOF
    Partial 3: Uses Encrypted Credential in MOF
    Partial 4: Uses Encrypted Credential in MOF
    Partial 5: Uses Encrypted Credential in MOF (In my test I added a needless PsDscRunAsCredential to one of the config blocks)

    The weirdest part of this failure from Example 1:
    The first place that required credential decryption caused the exception. In my use case, adding Partial 5 caused an exception in Partial 1 when decrypting creds. However the error wasn't about credential decryption from the LCM. The error was access denied. It seems like the LCM decrypted the credentials but could not use them correctly.

    I will follow up when/if I get a formal Microsoft opinion on this.

    • #91915

      Participant
      Points: 1
      Rank: Member

      I never ended up getting a resolution to this, other things took priority and I haven't had a chance to revisit.

      I'd be very interested hearing the feedback you receive from Microsoft.

  • #92243

    Participant
    Points: 0
    Rank: Member

    So I got a response from Microsoft on the issue that I identified in my earlier post. It is a known issue in WMF 5.1:

    From Microsoft:
    'The mitigation is to name any one of the partial configurations that contains encrypted credentials such that its partial configuration name is the first one that comes in alphabetical order compared to the other partial configurations' names.'

    Further Explanation from Microsoft:
    'Every DSC document (.mof file) contains information about whether passwords in that document are encrypted. In the partial configuration scenario there are many DSC documents (one for each partial configuration) and each document contains information about itself.
    When DSC has all the documents available, the way DSC processes these documents is that it only uses the first document to determine whether passwords should be encrypted or not, ignoring the rest of the documents. The way DSC determines the first document is based on the result of 'dir' on folder C:\windows\system32\configuration\partialconfiguration; the first entry in the results translates to the first document.'

    More reason not to use partials 🙂
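A pre-flight check for the ordering behaviour Microsoft describes above, written as an added example (not code from the thread or from Microsoft): it lists the partial documents the way a directory listing would and reports whether the first one is a document with encrypted credentials. It assumes the LCM keeps each partial as a .mof file in the folder quoted in the response, and that a MOF compiled with certificate-encrypted credentials marks its OMI_ConfigurationDocument instance with ContentType="PasswordEncrypted"; the folder path and the sample partial names BaseConfig and NewADDSDomain come from the thread, and the two stub files built at the end are constructed here for a stand-alone run.

```powershell
function Test-PartialConfigCredentialOrder {
    [CmdletBinding()]
    param(
        # Folder the LCM enumerates; path quoted in the Microsoft response above
        [string]$Path = 'C:\Windows\System32\Configuration\PartialConfiguration'
    )

    # Only the compiled documents, not .checksum or other sidecar files
    $files = @(Get-ChildItem -Path $Path -File | Where-Object { $_.Extension -eq '.mof' })
    if ($files.Count -eq 0) { throw "No partial configuration documents found in '$Path'." }

    # Order the way a directory listing does: by file name, ordinal and case-insensitive
    $names = [string[]]($files | ForEach-Object { $_.Name })
    [Array]::Sort($names, [System.StringComparer]::OrdinalIgnoreCase)

    $docs = @(foreach ($name in $names) {
        $mof = Get-Content -Path (Join-Path $Path $name) -Raw
        [pscustomobject]@{
            Name      = [System.IO.Path]::GetFileNameWithoutExtension($name)
            # Assumption: certificate-encrypted MOFs carry this marker in OMI_ConfigurationDocument
            Encrypted = [bool]($mof -match 'ContentType\s*=\s*"PasswordEncrypted"')
        }
    })

    $first        = $docs[0]
    $anyEncrypted = @($docs | Where-Object { $_.Encrypted }).Count -gt 0

    [pscustomobject]@{
        FirstDocument  = $first.Name
        FirstEncrypted = $first.Encrypted
        # Risk condition: some partial needs decryption, but the document DSC consults first does not
        AtRisk         = ($anyEncrypted -and -not $first.Encrypted)
        Documents      = $docs
    }
}

# Constructed sample mirroring the original post: BaseConfig has no credentials,
# NewADDSDomain is encrypted, and BaseConfig sorts first, so the check reports AtRisk = True.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'partialcheck-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
'instance of OMI_ConfigurationDocument { Name="BaseConfig"; };' |
    Set-Content -Path (Join-Path $sample 'BaseConfig.mof')
'instance of OMI_ConfigurationDocument { ContentType="PasswordEncrypted"; Name="NewADDSDomain"; };' |
    Set-Content -Path (Join-Path $sample 'NewADDSDomain.mof')

$result = Test-PartialConfigCredentialOrder -Path $sample
$result | Select-Object FirstDocument, FirstEncrypted, AtRisk | Format-List
$result.Documents | Format-Table Name, Encrypted
```

Run it without -Path on a pull client to inspect the real folder; an AtRisk result means the mitigation Microsoft gave applies (rename a credential-bearing partial so it sorts first).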
