
I have the following Desired State Configuration (DSC):

```powershell
Configuration Cert
{
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.String] $machineName,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential]
        $certCredential
    )

    Import-DscResource -ModuleName xPSDesiredStateConfiguration, xCertificate

    Node $machineName
    {
        xPfxImport cert
        {
            Ensure = 'Present'
            Path = 'C:\certificate.pfx'
            Thumbprint = 'abcdefg'
            Location = 'LocalMachine'
            Store = 'My'
            Exportable = $true
            Credential = $certCredential
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('x', $secpasswd)

Cert -machineName MyPC -certCredential $mycreds -ConfigurationData $cd

Start-DscConfiguration -Path .\Cert -Wait -Verbose -Force
```

When I try to execute this I get the following error:

```
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Credential' OF TYPE 'xPfxImport': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Users\x\Desktop\script.ps1:18 char:9
+ xPfxImport
At line:341 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Compilation errors occurred while processing configuration 'Cert'. Please review the errors reported in error stream and modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Cert:String) [], InvalidOperationException
    + FullyQualifiedErrorId : FailToProcessConfiguration
```

I realize that the password must be encrypted and that saving it as plain text is not allowed, or at least not recommended. I have tried many things suggested on the internet and I am still not able to make this work properly.

I am looking for a way to install a certificate and give certain set certificate permissions after that.

mynkow
  • Actually it is on a new line, I have problems with the formatting at stackoverflow – mynkow Mar 28 '17 at 20:16
  • Probably not => The term 'PSDscAllowPlainTextPassword' is not recognized as the name of a cmdlet – mynkow Mar 28 '17 at 20:25
  • try this `$cd` (check updated answer) or change to nodename to reflect your nodename `MyPC` – 4c74356b41 Mar 28 '17 at 20:27
  • Thank you. The last comment led me to the real problem. I did not realize that the nodename is actually what is causing the issue. Please change `node localhost` line (8) to `Node $AllNodes.NodeName` and `NodeName="*"` back to `NodeName="localhost"` – mynkow Mar 28 '17 at 20:34

2 Answers

You need to allow for plaintext credentials (link)

```powershell
Configuration DomainCredentialExample
{
    param(
        [PSCredential]$DomainCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName
    {
        Group DomainUserToLocalGroup
        {
            GroupName        = 'InfoSecBackDoor'
            MembersToInclude = 'contoso\notyouraccount'
            Credential       = $DomainCredential
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = "localhost"
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
```

4c74356b41
  • This was the first thing I have tried. I still get the same error. – mynkow Mar 28 '17 at 20:02
  • well, you obviously haven't tried properly, that's how it works, are you sure you did this exactly: `DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd` – 4c74356b41 Mar 28 '17 at 20:03
  • I know this is out of scope of this question but do you have any idea how to give read permissions of that certificate for the `Network Service` user => https://gyazo.com/a32d78823d117306593cba6b613f8489 – mynkow Mar 28 '17 at 20:38
  • never tried doing that, but something like this would help http://www.tomsitpro.com/articles/change-file-system-permissions-dsc-powershell,2-1095.html – 4c74356b41 Mar 28 '17 at 20:43
  • This solution works, but don't gloss over the "PSDscAllowPlainTextPassword = $true" line in $cd. – StormRider01 Jan 31 '23 at 22:27
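
The alternative the error message points to, shown as an added example that is not part of the answer above: the question's `xPfxImport` configuration compiled with the credential encrypted in the MOF, so `PSDscAllowPlainTextPassword` is not needed. The `.cer` path and the encryption-certificate thumbprint are placeholders, and the target node is assumed to hold the matching private key in its `LocalMachine\My` store.

```powershell
# Added example; paths, thumbprints and the node name are placeholders.
Configuration Cert
{
    param ([Parameter(Mandatory = $true)] [PSCredential] $certCredential)

    Import-DscResource -ModuleName xCertificate

    # Node names come from ConfigurationData, so the per-node settings below
    # are matched to the node that is actually being compiled.
    Node $AllNodes.NodeName
    {
        # Tells the LCM which certificate's private key decrypts the MOF.
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }

        xPfxImport cert
        {
            Ensure     = 'Present'
            Path       = 'C:\certificate.pfx'
            Thumbprint = 'abcdefg'   # placeholder value from the question
            Location   = 'LocalMachine'
            Store      = 'My'
            Exportable = $true
            Credential = $certCredential
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            # Public key (.cer) of the node's encryption certificate (placeholder path).
            CertificateFile = 'C:\publicKeys\targetNode.cer'
            # Thumbprint of that same certificate (placeholder).
            Thumbprint      = '<ENCRYPTION-CERT-THUMBPRINT>'
            # No PSDscAllowPlainTextPassword: the password is encrypted at compile time.
        }
    )
}

$cred = Get-Credential -UserName 'x' -Message 'PFX password'
Cert -certCredential $cred -ConfigurationData $cd -OutputPath .\Cert

# Apply the LCM settings (the .meta.mof) first, then the configuration itself.
Set-DscLocalConfigurationManager -Path .\Cert -Verbose
Start-DscConfiguration -Path .\Cert -Wait -Verbose -Force
```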
Having found myself facing the same issue, I just thought I would reiterate the actual cause of the issue (which is actually tucked away in the comments):

The last comment led me to the real problem. I did not realize that the nodename is actually what is causing the issue. Please change `node localhost` line (8) to `Node $AllNodes.NodeName` and `NodeName="*"` back to `NodeName="localhost"`

Picking through the framework code inside PSDesiredStateConfiguration.psm1, the PSDscAllowPlainTextPassword flag won't get seen unless $machineName = localhost (in our case it was actually a case of fully-qualified vs. non-fully-qualified machine names).

I did also stumble across an undocumented workaround (not that I necessarily recommend using it) - it is actually possible to turn off the check for plaintext credentials using the following registry keys:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\DSC]
"PSDscAllowPlainTextPassword"="True"
"PSDscAllowDomainUser"="True"
```

Hopefully this might save someone else some head-scratching!

AHowgego
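
An audit for the registry override described in the answer above, as an added example that is not part of the original answer: it reports whether either value is set and flags compiled MOF files whose `Password` property is not encrypted. The function name and the `.\Cert` folder are assumptions, as is the use of the CMS header to recognise encrypted values (the form WMF 5 is assumed to write).

```powershell
# Added example: audit for the plaintext-credential override and for compiled
# MOF files that carry an unencrypted password. Output never includes the value.
function Get-DscPlainTextFinding
{
    param (
        # Folder with compiled .mof files (assumed location).
        [string] $MofPath = '.\Cert'
    )

    # 1. Registry override quoted in the answer above.
    $key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC'
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'PSDscAllowPlainTextPassword', 'PSDscAllowDomainUser') {
            if ("$($props.$name)" -eq 'True') {
                [pscustomobject]@{ Source = $key; Item = $name; Detail = 'override enabled' }
            }
        }
    }

    # 2. Password properties whose value lacks the CMS header
    #    (assumption: encrypted values are written as a CMS message).
    if (Test-Path -Path $MofPath) {
        Get-ChildItem -Path $MofPath -Filter *.mof -Recurse |
            Select-String -Pattern '^\s*Password\s*=\s*"(?<v>[^"\\]*)' |
            Where-Object { $_.Matches[0].Groups['v'].Value -notlike '-----BEGIN CMS-----*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source = $_.Path
                    Item   = "line $($_.LineNumber)"
                    Detail = 'password not CMS-encrypted'
                }
            }
    }
}

Get-DscPlainTextFinding | Format-Table -AutoSize
```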