WMF 5.1 breaks Password Decryption

This topic contains 5 replies, has 2 voices, and was last updated by Fabrizio Zavalloni 5 months, 4 weeks ago.

  • #71449

    Fabrizio Zavalloni
    Participant

    Hello,

    I have deployed DSC with WMF 5.0 with password encryption. I followed this post https://msdn.microsoft.com/en-us/powershell/dsc/securemof

    All my machines are working well, however I am trying to deploy new servers with WMF 5.1, but when I apply the configuration it does not decrypt the password.

    If I remove the WMF 5.1, the decryption works like a charm.

    I did not find anything that has changed from WMF 5.0 RTM to WMF 5.1 regarding password encryption. All my servers that are working are using the following PSVersion.

    $PSVersionTable.PSVersion

    Major  Minor  Build  Revision
    -----  -----  -----  --------
    5      0      10586  117

    I have also double checked my certificate, but it was issued as Document Encryption (1.3.6.1.4.1.311.80.1) and the Key Usage contains either Data Encipherment or Key Encipherment.

    Did anyone get this issue with WMF 5.1?

    Tks

  • #71500

    Jason Helmick
    Keymaster

    Hello! That is the correct documentation. There was a change from 5.0 to 5.1 back in the beta days. The certificate requirements changed. I have done this a lot using that documentation and it works. Check the certificate requirement section. Can you verify you have created a certificate with those requirements?

  • #71503

    Fabrizio Zavalloni
    Participant

    Hi Jason,

    Tks for your answer.

    Do you mean that I cannot use a certificate with "Data Encipherment" or "Key Encipherment" Key Usage and "Document Encryption" Enhanced Key Usage (1.3.6.1.4.1.311.80.1)? Because I built the certificate following this documentation and it was working until the upgrade to version 5.1.

    This article https://blogs.msdn.microsoft.com/powershell/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration says I have to use the Workstation Authentication template.

    What kind of certificate do I have to use now?

  • #71582

    Fabrizio Zavalloni
    Participant

    I tried to create another certificate for Client Authentication and Server Authentication purposes, but when I try to create the MOF files I get the error below.

    ConvertTo-MOFInstance : System.ArgumentException error processing property 'Password' OF TYPE 'MSFT_Credential': Certificate '2579163BCD9BBB1BD69F7863265B235C713DA2A1'
    cannot be used for encryption. Encryption certificates must contain the Data Encipherment or Key Encipherment key usage, and include the Document Encryption Enhanced
    Key Usage (1.3.6.1.4.1.311.80.1).

  • #71584

    Fabrizio Zavalloni
    Participant

    Even creating other certificates, it does not work.

    I give up!!

    I have done the same test as this https://rkeithhill.wordpress.com/2015/01/08/powershell-v5-new-feature-protectunprotect-cmsmessage/

    Using the cmdlets Protect-CmsMessage | Unprotect-CmsMessage, and it worked.

    For me, this is a bug in WMF 5.1.

  • #71587

    Fabrizio Zavalloni
    Participant

    The only workaround that worked for me: I had to change my resource, inserting the code below.

    # Retrieve the password: the LCM on WMF 5.1 left the CMS-encrypted blob in the
    # credential's password field, so decrypt it explicitly with Unprotect-CmsMessage
    $clearTextPassword = $credential.GetNetworkCredential().Password | Unprotect-CmsMessage
    $SecurePassword = $clearTextPassword | ConvertTo-SecureString -AsPlainText -Force
    # Retrieve the username in DOMAIN\user form
    $userAdmin = "{0}\{1}" -f $credential.GetNetworkCredential().Domain, $credential.GetNetworkCredential().UserName

    # Create the new credential and use it in place of $credential in the rest of the resource
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $credential.UserName, $SecurePassword
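The two checks the thread keeps circling back to, the certificate requirements quoted in the ConvertTo-MOFInstance error (#71582) and the manual Protect-CmsMessage / Unprotect-CmsMessage round trip (#71584), can be scripted so a node is verified before a configuration is pushed. The following is an added example, not code from the thread or from the DSC documentation; it assumes the encryption certificate lives in Cert:\LocalMachine\My and that the thumbprint passed in is a placeholder you replace with your own.

```powershell
# Added example: validate a certificate against the DSC credential-encryption
# requirements and prove it can decrypt a CMS message. Not from the original post.

function Test-DscEncryptionCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # OID quoted in the ConvertTo-MOFInstance error: Document Encryption EKU
    $documentEncryptionOid = '1.3.6.1.4.1.311.80.1'
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    # Key Usage extension must carry Data Encipherment or Key Encipherment
    $keyUsageExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $hasEncipherment = $false
    if ($keyUsageExt) {
        $hasEncipherment = $keyUsageExt.KeyUsages.HasFlag($flags::DataEncipherment) -or
                           $keyUsageExt.KeyUsages.HasFlag($flags::KeyEncipherment)
    }

    # Enhanced Key Usage extension must include Document Encryption
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasDocumentEncryption = $false
    if ($ekuExt) {
        $hasDocumentEncryption = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $documentEncryptionOid })
    }

    [pscustomobject]@{
        Thumbprint            = $Certificate.Thumbprint
        NotAfter              = $Certificate.NotAfter
        HasEncipherment       = $hasEncipherment
        HasDocumentEncryption = $hasDocumentEncryption
        HasPrivateKey         = $Certificate.HasPrivateKey   # the node needs the private key to decrypt
        UsableForDsc          = ($hasEncipherment -and $hasDocumentEncryption -and $Certificate.HasPrivateKey)
    }
}

function Test-CmsRoundTrip {
    # Mirrors the manual Protect/Unprotect test from the thread, but with the
    # certificate passed explicitly so the result is tied to that one key pair.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $probe = 'dsc-encryption-probe'            # constructed sample content, not a real secret
    $cms   = Protect-CmsMessage -Content $probe -To $Certificate
    $back  = Unprotect-CmsMessage -Content $cms -To $Certificate
    return ($back -eq $probe)
}

# Usage (placeholder thumbprint; replace with the node's encryption certificate):
$cert = Get-Item 'Cert:\LocalMachine\My\PLACEHOLDER_THUMBPRINT'
Test-DscEncryptionCertificate -Certificate $cert | Format-List
"CMS round trip OK: $(Test-CmsRoundTrip -Certificate $cert)"
```

Run this on the target node under the account the LCM uses; a certificate that reports UsableForDsc as True but fails the round trip usually points at private-key access rather than at the certificate's extensions.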
