Using Start-DscConfiguration with CredSSP

This topic contains 3 replies, has 3 voices, and was last updated by Joel Newton 2 years ago.

  • #20640
    Joel Newton
    Member

    Hi,

    (I apologize if this has already been addressed. I did search the forum for this info, but couldn't find the answer.)

    I have a DSC configuration that contains a script resource which pulls data from a database. I have configured CredSSP on the initiating server and the recipient server, and tested that I can create a remote session from the initiator to the recipient and then execute the script that accesses the database.

    However, calling Start-DscConfiguration for the config with the script resource fails. My thought is that I may need to create a new CIM session for the server/node that's receiving the dsc config and have that CIM session use CredSSP. However, I haven't been able to create a new CIM session with CredSSP. I get:

    New-CimSession : Failed to set destination option for transport.
    Transport: WMIDCOM
    Destination option: __MI_DESTINATIONOPTIONS_DESTINATION_CREDENTIALS

    #1) Am I going about this the right way – trying to use a CredSSP CIM session to apply and test the DSC config?
    #2) If so, what might I be missing when trying to create the CredSSP CIM session?

    Thanks,
    Joel

  • #20651
    Don Jones
    Keymaster

    #1, no, I'm not sure this is the right thing to do. I'm maybe not understanding what you're trying to do, actually. You're just trying to kick off the LCM and force a configuration run? I'd probably just send the necessary commands to the computer via Invoke-Command, and let those commands run locally.

    But, the LCM is what's running the config, and it runs under System, which isn't a delegate-able account, so CredSSP doesn't enter into that.

  • #20668
    Dave Wyatt
    Moderator

    There's a similar discussion happening in this thread: https://powershell.org/forums/topic/dsc-script-resource-and-alternate-credentials/ .

  • #20689
    Joel Newton
    Member

    Thanks, Don and Dave. That makes sense – to have Start-DSCConfig and Test-DSCConfig be invoked on the remote computer, since the LCM runs as System.
    Since I'm doing my development on a PS mgmt box, and the Start-DscConfiguration and Test-DscConfiguration functions have the option to test a local MOF against a remote server, I was trying that, and failing when the config needed to do a hop to another server.

    Cheers,
    Joel
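
The approach suggested in the thread (send the commands with Invoke-Command and let them run locally on the node) could look like the sketch below. This is an added example, not code posted by any participant; the node name NODE01 and the paths C:\Dsc\Output and C:\Dsc\Staging are hypothetical, and Copy-Item -ToSession assumes PowerShell 5.0 or later on the management box.

```powershell
# Hypothetical names: adjust to your environment.
$node     = 'NODE01'                      # target node (assumption)
$localMof = "C:\Dsc\Output\$node.mof"     # MOF compiled on the management box (assumption)
$staging  = 'C:\Dsc\Staging'              # staging folder on the target (assumption)

# Ordinary WinRM session with default authentication; CredSSP is not needed,
# because nothing in this session is delegated onward.
$session = New-PSSession -ComputerName $node
try {
    # Create the staging folder on the target.
    Invoke-Command -Session $session -ScriptBlock {
        param($dir)
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    } -ArgumentList $staging

    # Start-DscConfiguration -Path derives the target from the MOF file name,
    # so store the file as localhost.mof to have the node apply it to itself.
    Copy-Item -Path $localMof -Destination "$staging\localhost.mof" -ToSession $session -Force

    # Apply and test locally on the node. The LCM still runs the Script resource
    # as SYSTEM, so any hop it makes to another server (for example the database)
    # authenticates as the node's computer account, not as the calling user.
    $inDesiredState = Invoke-Command -Session $session -ScriptBlock {
        param($dir)
        Start-DscConfiguration -Path $dir -Wait -Force -Verbose
        Test-DscConfiguration
    } -ArgumentList $staging

    "In desired state on ${node}: $inDesiredState"
}
finally {
    Remove-PSSession -Session $session
}
```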
