3

My end goal is to configure AdcsCertificationAuthority on a Server 2016 Server using Ansible.

- name: Install ADCS with sub features and management tools
  win_feature:
    name: Adcs-Cert-Authority
    state: present
    include_management_tools: yes
  register: win_feature

- name: reboot if installing Adcs-Cert-Authority feature requires it
  win_reboot:
  when: win_feature.reboot_required

- name: Add ActiveDirectoryCSDsc
  win_psmodule:
    name: ActiveDirectoryCSDsc
    state: present

- name: Configure AdcsCertificationAuthority Powershell DSC
  win_dsc:
    resource_name: AdcsCertificationAuthority
    IsSingleInstance: 'Yes'
    CAType: 'EnterpriseRootCA'
    CryptoProviderName: 'RSA#Microsoft Software Key Storage Provider'
    KeyLength: 2048
    HashAlgorithmName: 'SHA256'
    ValidityPeriod: 'Years'
    ValidityPeriodUnits: 99
    PsDscRunAsCredential_username: ' {{ ansible_user }}'
    PsDscRunAsCredentual_password: '{{ ansible_password }}'

The DSC portion fails, but I am not sure how to determine where the error is coming from, and what it means.

TASK [internal/qa_env_dc : Configure AdcsCertificationAuthority Powershell DSC] *************************************************************************************************************************************************************
fatal: [10.0.136.5]: FAILED! => {"changed": false, "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command \r\nstopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Cannot bind \r\nargument to parameter 'String' because it is null.\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

Im essentially trying to re-create what I have been doing directly with powershell.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 99 -Credential $mycreds -Force:$true

My ansible_user and ansible_password are for the Domain Administrator account, so I believe my permissions should be OK.

The github repo for the DSC module im using doesnt really pertain to ansible directly, so there isnt anything there that would help but it is where Im getting the parameters.

https://github.com/PowerShell/ActiveDirectoryCSDsc

Im also attempting to copy my deployment from the ansible examples.

https://docs.ansible.com/ansible/2.5/modules/win_dsc_module.html

Justin Seiser
  • 359
  • 1
  • 3
  • 13

1 Answers1

4

Ansible will not help you in this situation, unfortunately.

The best way to go is to debug the DSC part separately, with the same parameters. In this case, it kind of sucks because this is a big ask. If it succeeds, you're going to have your CA set up. If you can, deploy a test environment that you can keep tearing down and bringing up, for sanity's sake.

If you're lucky you'll find the problem in the Test method that doesn't change anything.

First step, go onto the host that you are running win_dsc against. Open PowerShell.

Create a [hashtable] that contains all of the parameters to your DSC module, so something like this:

if (-not $cred) {
    $cred = Get-Credential # maybe just run this once in your session?
}

$params = @{
    IsSingleInstance = $true
    CAType = 'EnterpriseRootCA'
    CryptoProviderName = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength = 2048
    HashAlgorithmName = 'SHA256'
    ValidityPeriod = 'Years'
    ValidityPeriodUnits = 99
    PsDscRunAsCredential = $cred
}

Next, invoke the DSC resource directly, let's use the Test method:

Invoke-DscResource -Name AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc -Property $params -Verbose -Method Test

See what it spits out. It will probably fail with a similar error. Hope that it does. If it doesn't, try the Get method in case Set uses it but Test doesn't. It's unlikely, but you want to avoid Set if possible.

If all that runs smoothly, run with method Set. If it succeeds, go back to ansible and figure out what's different (does the user ansible is authenticating as have permission to invoke DSC?).

If you get a failure at any point and want to dig deeper, you can debug the actual DSC invocation. It's a little convoluted.

First, Enable-DscDebug -BreakAll.

Next, open a separate PowerShell ISE window (this is my preference, makes things easier). Then, re-run the Invoke-DscResource command you did before, in the same original window (not the new ISE window).

It will break, and it will give you a series of commands to run to connect to the debug session. The list will include Enter-PSHostProcess. Run those commands in the terminal in the ISE window.

You'll be entered into the running DSC process, and you will see the source code of the module and be able to step through it and figure out what's going wrong.

At this point, you may find that a parameter you passed is not quite right, and that you can fix the invocation by tweaking it. That's good.

You may find there's a bug in the module, in which case you can report it or even offer a fix with a pull request; this will take time.

In the meantime, you can clone the module yourself and distribute it to your servers with a quick fix that wouldn't meet the requirements for a PR.

There's a lot of possibilities here but if you find the actual error it may warrant a new question as to how to deal with that specific problem.

Notes

I've found that during the debug process, about half the time connecting to the session leads to a complete stuck debug session that doesn't work. In that case, use the PID they gave you and kill the process. You may have to do this between runs anyway, don't be afraid of it.

And finally, before attempting to use DSC again (like from Ansible), don't forget to disable debugging!

Disable-DscDebug

(strongly encourage you to kill the process after disabling the debugging as well)

briantist
  • 45,546
  • 6
  • 82
  • 127