Author Posts

July 8, 2016 at 9:20 am

Hey guys,

on push and pull models i'm having a issue with encryption. when the configuration runs i receive the following error
The Local Configuration Manager is not configured with a certificate Or decryption failed. I have followed microsoft guide to create the certificate with the certificate created on the target node and export the public key to the authoring node. I have created the certificate from ADCS 2012r2 PKI.

The guest is server 2012r2

I have tried to move the "certificateid" from ConfigurationRepositoryWeb to settings on the LCM no difference.

In event viewer i can the below event


event id 4257

Job {B5C48003-44EA-11E6-80EB-001DD8B75749} : 
MIResult: 6
Error Message: The Local Configuration Manager is not configured with a certificate. Resource '[File]exampleFile' in configuration 'CredentialEncryptionExample' cannot be processed.
Message ID: MI RESULT 6
Error Category: 13
Error Code: 6
Error Type: MI
PS C:\Windows\system32> $PSVersionTable

Name                           Value                                                                                                                                                                                            
----                           -----                                                                                                                                                                                            
PSVersion                      5.0.10586.117                                                                                                                                                                                    
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                                          
BuildVersion                   10.0.10586.117                                                                                                                                                                                   
CLRVersion                     4.0.30319.34014                                                                                                                                                                                  
WSManStackVersion              3.0                                                                                                                                                                                              
PSRemotingProtocolVersion      2.3                                                                                                                                                                                              
SerializationVersion           1.1.0.1           

The below configuration is just testing to see if it was a error in my real configuration


$ConfigData= @{ 
    AllNodes = @(     
            @{  
                NodeName = "TPKI01" 
                CertificateFile = "C:\temp\TPKI01.cer" 
                Thumbprint = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint 
            }; 
        );    
    }
configuration CredentialEncryptionExample 
{ 
    param( 
        [Parameter(Mandatory=$true)] 
        [ValidateNotNullorEmpty()] 
        [PsCredential] $credential 
        ) 

    Node $AllNodes.NodeName 
    { 
        File exampleFile 
        { 
            SourcePath = "\\TPKI01\D$\PKI\ING_IntCA1+.crl"
            DestinationPath = "C:\temp\" 
            Credential = $credential 
        } 
          LocalConfigurationManager {
            CertificateID = $node.Thumbprint
    
        }
    } 
}
Write-Host "Generate DSC Configuration..."
CredentialEncryptionExample -ConfigurationData $ConfigData -OutputPath \\sofs\dsc\AU\Configuration

$nodes = 'TPKI01'
Write-Verbose  (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint 
foreach  ($item in $nodes) {

    [DSCLocalConfigurationManager()]
    configuration PullClientConfigID
    {
        Node $item
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30 
                RebootNodeIfNeeded = $True
                DebugMode = 'ALL'
                AllowModuleOverWrite = $false
                #CertificateID = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint 
            
            }
   
            ConfigurationRepositoryWeb PullSrv
            {
                ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                RegistrationKey = 'd7d29e47-FFFF-402b-9553-d331713d96bc'
                AllowUnsecureConnection = $false
                CertificateID = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint 
                ConfigurationNames = @("$item")
            }
        
            ReportServerWeb PullSrv
            {
                 ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                 RegistrationKey = 'd7d29e47-1a46-402b-9553-d331713d96bc'
            }
          
        }
}

    PullClientConfigID -verbose
  
   Set-DSCLocalConfigurationManager –Path .\PullClientConfigID –Verbose -force -ComputerName $item
}

Target node LCM

ActionAfterReboot              : ContinueConfiguration
AgentId                        : 21631C66-1A6C-11E6-80E6-001DD8B75749
AllowModuleOverWrite           : False
CertificateID                  : 
ConfigurationDownloadManagers  : {[ConfigurationRepositoryWeb]PullSrv}
ConfigurationID                : 
ConfigurationMode              : ApplyAndMonitor
ConfigurationModeFrequencyMins : 15
Credential                     : 
DebugMode                      : {All}
DownloadManagerCustomData      : 
DownloadManagerName            : 
LCMCompatibleVersions          : {1.0, 2.0}
LCMState                       : PendingConfiguration
LCMStateDetail                 : 
LCMVersion                     : 2.0
StatusRetentionTimeInDays      : 10
PartialConfigurations          : 
RebootNodeIfNeeded             : True
RefreshFrequencyMins           : 30
RefreshMode                    : Pull
ReportManagers                 : {[ReportServerWeb]PullSrv}
ResourceModuleManagers         : {}
PSComputerName                 : TPKI01
PSComputerName                 : TPKI01


ResourceId              : [ConfigurationRepositoryWeb]PullSrv
SourceInfo              : ::53::13::ConfigurationRepositoryWeb
AllowUnsecureConnection : True
CertificateID           : 
ConfigurationNames      : {TPKI01}
RegistrationKey         : 
ServerURL               : https://DSC:8080/PSDSCPullServer.svc
PSComputerName          : TPKI01

/*
@TargetNode='TPKI01'
@GeneratedBy=user
@GenerationDate=07/08/2016 18:46:03
@GenerationHost=DSCPULL01
*/

instance of MSFT_Credential as $MSFT_Credential1ref
{
Password = "-----BEGIN CMS-----\nMIIB/wYJKoZIhvcNAQcDoIIB8DCCAewCAQAxggGnMIIBowIBADCBijBzMQswCQYDVQQGEwJBVTEM\nMAoGA1UECAwDTlNXMR0wGwYDVQQKDBRJTkcgRGlyZWN0IEF1c3RyYWxpYTELMAkGA1UECwwCSVQx\nKjAoBgNVBAMMIUlORy1EaXJlY3QtQXVzdHJhbGlhLVByb2QtSU5ULUNBMgITdAAAAeG7VkqFfNZu\nggAAAAAB4TANBgkqhkiG9w0BAQcwAASCAQBUbc/ApWnYfUOfCCrOOkTKD7S5pnjBx1LSNFvjVDeE\nGvR1hfRzaXh9fGxLcw+IXqN1tkTf0CuxWXBOwhrrXIHbwBo42e9x0AqFnIdhZyGPtwoAURcnTayD\nIkzh3r7GuDGCmAYJm7wOAWv26tWxtZwbdvHmt2LOBLDUPcV2RcYZSSD3Z2s621XmIaH/CuvcdRBV\nOQAX97+ii9EmadPfUjAzD7pAwhQPcTXslqXTYh07lIsTbyfgQ6VScwIwSWY5PjapUvqQ1lZUnKzG\n4oNcAWLEzrqyNi5pBsLibri7BcYeeFUrnBjLa6JJGRjnyPoNigscLFbea2/SDAELXS6YhkUYMDwG\nCSqGSIb3DQEHATAdBglghkgBZQMEASoEEHNtWNix1eW4RPL4MlwHA+yAELUb41h4PxO6mktT5ruf\ntW0=\n-----END CMS-----";
 UserName = "corp\\svc_dsc";

};

instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
{
ResourceID = "[File]exampleFile";
 Credential = $MSFT_Credential1ref;
 DestinationPath = "C:\\temp\\";
 ModuleName = "PSDesiredStateConfiguration";
 SourceInfo = "::21::9::File";
 SourcePath = "\\\\tpki01\\D$\\PKI\\ING_IntCA1+.crl";

ModuleVersion = "1.0";

 ConfigurationName = "CredentialEncryptionExample";

};
instance of OMI_ConfigurationDocument


                    {
 Version="2.0.0";
 

                        MinimumCompatibleVersion = "1.0.0";
 

                        CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
 

                        Author="user";
 

                        GenerationDate="07/08/2016 18:46:03";
 

                        GenerationHost="DSCPULL01";


                        ContentType="PasswordEncrypted";
 

                        Name="CredentialEncryptionExample";


                    };

certificate on the pullserver/authoring node



tpki01.corp.intranet}                                                  {Document Encryption (1.3.6.1.4.1.311.80.1)}             6/07/2018 3:05:11 PM           False System.Security.Cryptography.Oid CN=tpki01..

any ideas?

Regards

Nathan

July 8, 2016 at 2:01 pm

Hey Nathan! There are a lot of things that can cause this, but let's start at the beginning. What type of certificate did you issue and did you add Document Encryption to the certificate before issuing?

Cheers!

July 8, 2016 at 8:42 pm

@jason

tpki01.corp.intranet} {Document Encryption (1.3.6.1.4.1.311.80.1)}

Isn't this only for PSv4?

LocalConfigurationManager {
    CertificateID = $node.Thumbprint
}

Also, I don't know if the following will work from withing $ConfigData, either. The example in the documentation is done differently.

Thumbprint = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint

Won't all of that run locally? And it won't know what $item is, because it hasn't been set yet.

Basically, I'm worried some parts are being implemented from Cert generated on Authoring node, and others from Cert generated on Client node.

Sadly the documentation is very confusing: https://msdn.microsoft.com/en-us/powershell/dsc/securemof

July 9, 2016 at 4:06 am

Hey Jason!

thanks for taking a look at my messy post.

I believe i duplicated my web server certificate template. But i did do the following to the template before issuing:
1. Removed Client and Server Authentication and added Document Encryption.
2. Removed Digitial Signature from key usage.
3. Allow Key Exchange only with key encryption (key Encipherment) and Allow encryption of user data.
4. Provider Category is Key Storage Provider – RSA – 2048 Bits – request hash of SHA256

Regards

Nathan

July 9, 2016 at 6:02 pm

Change the provider to Microsoft RSA SChannel Cryptographic Provider and put the certificate on the CertificateID on the LCM, not the certificate ID on the ConfigRepositoryWeb.

See: https://msdn.microsoft.com/en-us/powershell/dsc/securemof
Good luck!

July 11, 2016 at 10:51 am

Hey Missy,

That did the trick! Thanks for your help.

Regards

Nathan