
When attempting to access a network shared folder, DSC returns an "Access is denied" error, even though I have provided a valid credential to it.

I'm using a DSC configuration, where a DSC "Script" resource is as follows:

Script myScriptResource {
        GetScript = {return $true}
        SetScript = {
            $setupShare = '\\SomeNetworkSharesFolder\subFolder'
            # This line produces valid results when run directly on node VM.
            $build = Get-ChildItem "FileSystem::$setupShare" -Name | Sort-Object -Descending | Select-Object -First 1 | Out-String
            Write-Host "Final Build: $build"
        }
        TestScript = {return $false} #Always run Set-Script block!
        Credential = $ValidNetworkShareCredential
        PsDscRunAsCredential = $ValidNetworkShareCredential
    }

I receive an error:

VERBOSE: [MyNodeVM]:                            [[Script]myScriptResource] Performing the operation "Set-TargetResource" on target "Executing the SetScript with the user supplied credential".
Access is denied
    + CategoryInfo          : PermissionDenied: (\\SomeNetworkSharesFolder\subFolder:) [], CimException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
    + PSComputerName        : myNodeVM

This might be due to the fact the LCM on the node VM is using a local SYSTEM user credential by default.

I attempted to change the user credential manually by navigating to the Windows services manager (Hint: RUN then services.msc), and changing the user credential in the logon tab of the WinRM service properties. Every time I attempt to run the Windows Remote Management (WS-Management) service, I receive an error:

Windows could not start the Windows Remote Management (WS-Management) service on Local Computer. Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

I don't know how to change the credential of LCM so that it can access the network shared folder upon the execution of Get-ChildItem.

briantist
Samer

2 Answers

Script myScriptResource {
    GetScript = {return $true}
    SetScript = {
        $username = "someusername"
        $secpasswd = ConvertTo-SecureString "somepassword" -AsPlainText -Force
        $mycreds = New-Object System.Management.Automation.PSCredential ($username, $secpasswd)
        $setupShare = '\\SomeNetworkSharesFolder\subFolder'
        $psDriveArgs = @{ Name = ([guid]::NewGuid()); PSProvider = "FileSystem"; Root = $setupShare; Scope = "Private"; Credential = $mycreds }
        new-psdrive @psDriveArgs -ErrorAction Stop
        # This line produces valid results when run directly on node VM.
        $build = Get-ChildItem "FileSystem::$setupShare"  | Sort-Object -Descending | Select-Object -First 1 | Out-String
        Write-Host "Final Build: $build"
    }
    TestScript = {return $false} #Always run Set-Script block!
}
N.Gupta
  • I don't think it's a good idea to pass my password in the .mof file in plain text. – Samer Mar 28 '16 at 15:26
  • No, it is not (I mentioned this in my last comment; due to size constraints I couldn't put this along with my last comment). That's why xFileUpload is using certificates to encrypt the credential. – N.Gupta Mar 28 '16 at 20:32

There isn't an easy way to make it work with script resource because you need an ability to pass credentials to the script resource so that you can mount a drive and use it to copy/paste. If you want to copy files/directory from the share you can use 'File' resource. If you want to copy files/directory to the share you can use 'xFileUpload' resource from xPsDesiredStateConfiguration (https://gallery.technet.microsoft.com/xPSDesiredStateConfiguratio-417dc71d) Module. If you really need to use script resource to do this job, look into how xFileUpload resource is doing it.

N.Gupta
  • I was able to use the 'File' resource to perform copy tasks from the same network shares without errors. However, the full 'Script' resource gets a list of subdirectories, which are multiple build folders named alphanumerically, and it chooses the latest build folder to copy its content. This operation cannot be done using the 'File' resource. – Samer Mar 22 '16 at 20:02
  • I think it is best to modify xFileUpload resource (which internally is using script resource and passing credentials securely) to suit your need. – N.Gupta Mar 22 '16 at 20:46
  • It doesn't help! I spent a whole day trying the workaround which you advised. It requires a thumbprint and I'm not using a certificate in my DSC framework. I mean, the source code of the Script resource must be similar to what's in the xUploadFile module, or else why does the Script resource accept credential parameters if it won't be using them to execute the script!!! – Samer Mar 24 '16 at 16:10
  • If you were using plainTextPassword for your original script (not recommended), use only plaintext password in xFileUpload. – N.Gupta Mar 25 '16 at 19:28
  • If you were using plainTextPassword for your original script (not recommended), use only plaintext password in xFileUpload. You need an ability to explicitly mount a drive using the supplied credential in your script resource (not via the Credential property of the script resource). That is what xUploadFile is doing. Another way to make it work with your sample is to pass username, password (you have to worry about securing them though) and use them to create new-psdrive, and then you will be able to access it. Example in the next comment. – N.Gupta Mar 25 '16 at 19:47
  • xFileUpload uses encryption to pass the password encrypted to the .mof file, then it uses decryption statements in the SetScript code block to create the credentials securely on the node VM before using them. This doesn't resolve my initial question about changing the credential attribute of the node server LCM but offers a workaround that proved to be not functional without server certificates in place. Server certificates should not be necessary when using an SMB share or even an HTTP pull-server implementation. A server certificate is necessary when implementing an HTTPS pull-server. – Samer Mar 28 '16 at 15:41
  • Script resource is like a wildcard in general, which doesn't turn out to be true in this case as it doesn't provide direct access to credentials. The better approach is to use a custom resource and provide an explicit credential property for that resource which you will have access to and then can mount the drive and use it. In order to protect the credential you would use the same approach you are using in your above sample (relying on a certificate, not a server certificate, to protect your credentials). – N.Gupta Mar 28 '16 at 20:55
  • So, let's make this clear; are you saying that there is NO way we can set up the credential attribute of the LCM? – Samer Mar 28 '16 at 21:58
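
The certificate-based protection of credentials in the .mof that the comments under both answers refer to, as an added example that is not code from the question or from either answer. It assumes WMF 5 and a document-encryption certificate whose private key is installed on the node; the certificate path and thumbprint are placeholders, and the configuration names are hypothetical. It shows only how the credential is kept out of the .mof in plain text and does not by itself change which account reaches the share.

```powershell
# Added example. Certificate path and thumbprint are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'MyNodeVM'
            # Weak setting (password is readable in the generated .mof):
            # PSDscAllowPlainTextPassword = $true
            # Corrected: encrypt credentials with the node certificate's public key.
            CertificateFile = 'C:\PublicKeys\MyNodeVM.cer'   # placeholder path
            Thumbprint      = '<NODE-CERT-THUMBPRINT>'       # placeholder value
        }
    )
}

# Meta-configuration: tells the node's LCM which certificate decrypts credentials.
[DSCLocalConfigurationManager()]
Configuration LcmDecryption {
    Node $AllNodes.NodeName {
        Settings {
            CertificateID = $Node.Thumbprint
        }
    }
}

Configuration LatestBuild {
    param([Parameter(Mandatory)][PSCredential] $ShareCredential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        Script myScriptResource {
            GetScript  = { @{ Result = 'n/a' } }   # GetScript returns a hashtable
            TestScript = { $false }                # always run SetScript, as on the page
            SetScript  = {
                $setupShare = '\\SomeNetworkSharesFolder\subFolder'
                $build = Get-ChildItem "FileSystem::$setupShare" -Name |
                    Sort-Object -Descending | Select-Object -First 1
                Write-Verbose "Final Build: $build"
            }
            # Written to the .mof encrypted, because CertificateFile is set above.
            PsDscRunAsCredential = $ShareCredential
        }
    }
}

# Compile both documents, configure the LCM first, then apply the configuration.
LcmDecryption -ConfigurationData $ConfigData -OutputPath .\mof
LatestBuild -ConfigurationData $ConfigData -OutputPath .\mof -ShareCredential (Get-Credential)
Set-DscLocalConfigurationManager -Path .\mof -Verbose
Start-DscConfiguration -Path .\mof -Wait -Verbose
```

With `CertificateFile` present and `PSDscAllowPlainTextPassword` absent, compilation fails instead of silently writing a readable password, which is a useful check to keep in a build pipeline.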