The Local Configuration Manager is not configured with a certificate.

This topic contains 5 replies, has 5 voices, and was last updated by Nathan Driscoll 4 months, 3 weeks ago.

  • #46180
    Nathan Driscoll
    Participant

    Hey guys,

    On push and pull models I'm having an issue with encryption. When the configuration runs I receive the following error:
    The Local Configuration Manager is not configured with a certificate Or decryption failed. I have followed the Microsoft guide to create the certificate, with the certificate created on the target node and the public key exported to the authoring node. I have created the certificate from an ADCS 2012 R2 PKI.

    The guest is Server 2012 R2.

    I have tried to move the "CertificateID" from ConfigurationRepositoryWeb to Settings on the LCM; no difference.

    In Event Viewer I can see the event below:

    
    Event ID 4257

    Job {B5C48003-44EA-11E6-80EB-001DD8B75749} :
    MIResult: 6
    Error Message: The Local Configuration Manager is not configured with a certificate. Resource '[File]exampleFile' in configuration 'CredentialEncryptionExample' cannot be processed.
    Message ID: MI RESULT 6
    Error Category: 13
    Error Code: 6
    Error Type: MI

    PS C:\Windows\system32> $PSVersionTable

    Name                           Value
    ----                           -----
    PSVersion                      5.0.10586.117
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.10586.117
    CLRVersion                     4.0.30319.34014
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1
    

    The configuration below is just a test to see whether it was an error in my real configuration.

    
    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName        = "TPKI01"
                CertificateFile = "C:\temp\TPKI01.cer"
                Thumbprint      = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
            }
        )
    }

    configuration CredentialEncryptionExample
    {
        param(
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $credential
        )

        Node $AllNodes.NodeName
        {
            File exampleFile
            {
                SourcePath      = "\\TPKI01\D$\PKI\ING_IntCA1+.crl"
                DestinationPath = "C:\temp\"
                Credential      = $credential
            }

            LocalConfigurationManager
            {
                CertificateID = $node.Thumbprint
            }
        }
    }

    Write-Host "Generate DSC Configuration..."
    CredentialEncryptionExample -ConfigurationData $ConfigData -OutputPath \\sofs\dsc\AU\Configuration

    $nodes = 'TPKI01'
    Write-Verbose (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint

    foreach ($item in $nodes) {

        [DSCLocalConfigurationManager()]
        configuration PullClientConfigID
        {
            Node $item
            {
                Settings
                {
                    RefreshMode          = 'Pull'
                    RefreshFrequencyMins = 30
                    RebootNodeIfNeeded   = $True
                    DebugMode            = 'ALL'
                    AllowModuleOverWrite = $false
                    #CertificateID = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
                }

                ConfigurationRepositoryWeb PullSrv
                {
                    ServerURL               = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey         = 'd7d29e47-FFFF-402b-9553-d331713d96bc'
                    AllowUnsecureConnection = $false
                    CertificateID           = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
                    ConfigurationNames      = @("$item")
                }

                ReportServerWeb PullSrv
                {
                    ServerURL       = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey = 'd7d29e47-1a46-402b-9553-d331713d96bc'
                }
            }
        }

        PullClientConfigID -verbose

        Set-DSCLocalConfigurationManager -Path .\PullClientConfigID -Verbose -force -ComputerName $item
    }
    
    

    Target node LCM:

    ActionAfterReboot              : ContinueConfiguration
    AgentId                        : 21631C66-1A6C-11E6-80E6-001DD8B75749
    AllowModuleOverWrite           : False
    CertificateID                  : 
    ConfigurationDownloadManagers  : {[ConfigurationRepositoryWeb]PullSrv}
    ConfigurationID                : 
    ConfigurationMode              : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential                     : 
    DebugMode                      : {All}
    DownloadManagerCustomData      : 
    DownloadManagerName            : 
    LCMCompatibleVersions          : {1.0, 2.0}
    LCMState                       : PendingConfiguration
    LCMStateDetail                 : 
    LCMVersion                     : 2.0
    StatusRetentionTimeInDays      : 10
    PartialConfigurations          : 
    RebootNodeIfNeeded             : True
    RefreshFrequencyMins           : 30
    RefreshMode                    : Pull
    ReportManagers                 : {[ReportServerWeb]PullSrv}
    ResourceModuleManagers         : {}
    PSComputerName                 : TPKI01
    
    
    ResourceId              : [ConfigurationRepositoryWeb]PullSrv
    SourceInfo              : ::53::13::ConfigurationRepositoryWeb
    AllowUnsecureConnection : True
    CertificateID           : 
    ConfigurationNames      : {TPKI01}
    RegistrationKey         : 
    ServerURL               : https://DSC:8080/PSDSCPullServer.svc
    PSComputerName          : TPKI01
    
    
    /*
    @TargetNode='TPKI01'
    @GeneratedBy=user
    @GenerationDate=07/08/2016 18:46:03
    @GenerationHost=DSCPULL01
    */

    instance of MSFT_Credential as $MSFT_Credential1ref
    {
     Password = "-----BEGIN CMS-----\nMIIB/wYJKoZIhvcNAQcDoIIB8DCCAewCAQAxggGnMIIBowIBADCBijBzMQswCQYDVQQGEwJBVTEM\nMAoGA1UECAwDTlNXMR0wGwYDVQQKDBRJTkcgRGlyZWN0IEF1c3RyYWxpYTELMAkGA1UECwwCSVQx\nKjAoBgNVBAMMIUlORy1EaXJlY3QtQXVzdHJhbGlhLVByb2QtSU5ULUNBMgITdAAAAeG7VkqFfNZu\nggAAAAAB4TANBgkqhkiG9w0BAQcwAASCAQBUbc/ApWnYfUOfCCrOOkTKD7S5pnjBx1LSNFvjVDeE\nGvR1hfRzaXh9fGxLcw+IXqN1tkTf0CuxWXBOwhrrXIHbwBo42e9x0AqFnIdhZyGPtwoAURcnTayD\nIkzh3r7GuDGCmAYJm7wOAWv26tWxtZwbdvHmt2LOBLDUPcV2RcYZSSD3Z2s621XmIaH/CuvcdRBV\nOQAX97+ii9EmadPfUjAzD7pAwhQPcTXslqXTYh07lIsTbyfgQ6VScwIwSWY5PjapUvqQ1lZUnKzG\n4oNcAWLEzrqyNi5pBsLibri7BcYeeFUrnBjLa6JJGRjnyPoNigscLFbea2/SDAELXS6YhkUYMDwG\nCSqGSIb3DQEHATAdBglghkgBZQMEASoEEHNtWNix1eW4RPL4MlwHA+yAELUb41h4PxO6mktT5ruf\ntW0=\n-----END CMS-----";
     UserName = "corp\\svc_dsc";
    };

    instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
    {
     ResourceID = "[File]exampleFile";
     Credential = $MSFT_Credential1ref;
     DestinationPath = "C:\\temp\\";
     ModuleName = "PSDesiredStateConfiguration";
     SourceInfo = "::21::9::File";
     SourcePath = "\\\\tpki01\\D$\\PKI\\ING_IntCA1+.crl";
     ModuleVersion = "1.0";
     ConfigurationName = "CredentialEncryptionExample";
    };

    instance of OMI_ConfigurationDocument
    {
     Version="2.0.0";
     MinimumCompatibleVersion = "1.0.0";
     CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
     Author="user";
     GenerationDate="07/08/2016 18:46:03";
     GenerationHost="DSCPULL01";
     ContentType="PasswordEncrypted";
     Name="CredentialEncryptionExample";
    };
    
    

    Certificate on the pull server/authoring node:

    tpki01.corp.intranet}   {Document Encryption (1.3.6.1.4.1.311.80.1)}   6/07/2018 3:05:11 PM   False System.Security.Cryptography.Oid CN=tpki01..
    

    Any ideas?

    Regards

    Nathan

  • #46253
    Jason Helmick
    Keymaster

    Hey Nathan! There are a lot of things that can cause this, but let's start at the beginning. What type of certificate did you issue and did you add Document Encryption to the certificate before issuing?

    Cheers!

  • #46362
    Kyle Berger
    Participant

    @Jason

    tpki01.corp.intranet} {Document Encryption (1.3.6.1.4.1.311.80.1)}

    Isn't this only for PSv4?

    LocalConfigurationManager {
        CertificateID = $node.Thumbprint
    }

    Also, I don't know if the following will work from within $ConfigData, either. The example in the documentation is done differently.

    Thumbprint = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint

    Won't all of that run locally? And it won't know what $item is, because it hasn't been set yet.

    Basically, I'm worried some parts are being implemented from the cert generated on the authoring node, and others from the cert generated on the client node.

    Sadly the documentation is very confusing: https://msdn.microsoft.com/en-us/powershell/dsc/securemof

  • #46378
    Nathan Driscoll
    Participant

    Hey Jason!

    Thanks for taking a look at my messy post.

    I believe I duplicated my web server certificate template, but I did do the following to the template before issuing:
    1. Removed Client and Server Authentication and added Document Encryption.
    2. Removed Digital Signature from key usage.
    3. Allow Key Exchange only with key encryption (Key Encipherment) and Allow encryption of user data.
    4. Provider Category is Key Storage Provider – RSA – 2048 Bits – request hash of SHA256.

    Regards

    Nathan

  • #46411
    Missy Januszko
    Participant

    Change the provider to Microsoft RSA SChannel Cryptographic Provider and put the certificate on the CertificateID on the LCM, not the certificate ID on the ConfigRepositoryWeb.

    See: https://msdn.microsoft.com/en-us/powershell/dsc/securemof
    Good luck!
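    The arrangement Kyle and Missy point to, written out as an added example (this is not code from the thread, from the Microsoft docs, or from any of the posters): the authoring node takes the node's thumbprint from the exported .cer instead of querying its own certificate store, the thumbprint goes into the LCM Settings block rather than ConfigurationRepositoryWeb, and a check run on the target node reports whether the certificate behind that thumbprint has a private key, the Document Encryption EKU, the KeyEncipherment and DataEncipherment usages, and a key held by the Microsoft RSA SChannel Cryptographic Provider. Node name, .cer path and pull server URL follow the thread; the registration key is a placeholder, and Get-CertificateFileThumbprint and Test-DscEncryptionCertificate are names made up for this example.

```powershell
# Added example, not code from the original thread. Node name, .cer path and pull server URL
# follow the thread; the registration key is a placeholder and both function names are this example's own.

# --- Authoring node: take the thumbprint from the exported public certificate. The original
# post queried Cert:\LocalMachine\My inside $ConfigData, which runs on the authoring node and
# references $item before it is assigned.
function Get-CertificateFileThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'TPKI01'
            CertificateFile = 'C:\temp\TPKI01.cer'   # public key only; encrypts credentials in the MOF
            Thumbprint      = Get-CertificateFileThumbprint -Path 'C:\temp\TPKI01.cer'
        }
    )
}

configuration CredentialEncryptionExample {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential] $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        File exampleFile {
            SourcePath      = '\\TPKI01\D$\PKI\ING_IntCA1+.crl'
            DestinationPath = 'C:\temp\'
            Credential      = $Credential
        }
        # No LocalConfigurationManager block here: the WMF 5 LCM takes its certificate from the meta-configuration below.
    }
}

# --- LCM meta-configuration: CertificateID belongs in Settings. The CertificateID property of
# ConfigurationRepositoryWeb selects a client certificate for the pull server, which is a different job.
[DSCLocalConfigurationManager()]
configuration PullClientConfigID {
    param([Parameter(Mandatory)][string]$NodeName, [Parameter(Mandatory)][string]$Thumbprint)

    Node $NodeName {
        Settings {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
            CertificateID        = $Thumbprint   # the node's private key decrypts the credentials
        }
        ConfigurationRepositoryWeb PullSrv {
            ServerURL               = 'https://DSC:8080/PSDSCPullServer.svc'
            RegistrationKey         = '<registration-key-placeholder>'
            AllowUnsecureConnection = $false
            ConfigurationNames      = @($NodeName)
        }
    }
}

# --- Target node: check the certificate behind the thumbprint against what the LCM needs: private key,
# Document Encryption EKU, KeyEncipherment + DataEncipherment, not expired, and a CSP-held key (Missy's fix).
function Test-DscEncryptionCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return [pscustomobject]@{ Found = $false; Thumbprint = $Thumbprint } }

    $eku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku    = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    # On .NET 4.x a KSP (CNG) key is not reachable through .PrivateKey; a CSP key reports its provider name.
    $providerName = $null
    try {
        $rsa = $cert.PrivateKey
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $providerName = $rsa.CspKeyContainerInfo.ProviderName
        }
    } catch { }

    [pscustomobject]@{
        Found              = $true
        HasPrivateKey      = $cert.HasPrivateKey
        DocumentEncryption = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })
        KeyEncipherment    = (($ku.KeyUsages -band $flags::KeyEncipherment) -ne 0)
        DataEncipherment   = (($ku.KeyUsages -band $flags::DataEncipherment) -ne 0)
        NotExpired         = ($cert.NotAfter -gt (Get-Date))
        Provider           = $providerName
        UsesSChannelCsp    = ($providerName -eq 'Microsoft RSA SChannel Cryptographic Provider')
    }
}

# Usage on the authoring node, after the .cer has been copied across:
#   $cred = Get-Credential
#   CredentialEncryptionExample -ConfigurationData $ConfigData -Credential $cred -OutputPath .\Configuration
#   PullClientConfigID -NodeName 'TPKI01' -Thumbprint $ConfigData.AllNodes[0].Thumbprint -OutputPath .\PullClientConfigID
#   Set-DscLocalConfigurationManager -Path .\PullClientConfigID -ComputerName 'TPKI01' -Verbose
# On TPKI01: Test-DscEncryptionCertificate -Thumbprint $ConfigData.AllNodes[0].Thumbprint
```

    The thumbprint used by CertificateID must identify a certificate whose private key lives on the target node; the authoring node only ever needs the public .cer, which is why the example reads the thumbprint from that file instead of from its own Cert: drive. If Test-DscEncryptionCertificate reports UsesSChannelCsp as False with an empty Provider, the key is in a KSP, which matches the situation Missy's answer corrects.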

  • #46455
    Nathan Driscoll
    Participant

    Hey Missy,

    That did the trick! Thanks for your help.

    Regards

    Nathan
