I have created a Pull Server Configuration. The Pull Server, which is also being used to compile the MOF Files and the client are both Windows Server 2016, fully updated from the Azure Image.

I kept getting errors when passing in credentials. I therefore wrote a tiny custom DSC Resource that displays the password as clear text when I run Start-DSCConfiguration -Wait -Verbose

You can find it here: https://gist.github.com/aboersch/65e846a4966fe2c4708ed21d655a54a7

The Client does not correctly decrypt the Credentials. As a Password I am receiving

-----BEGIN CMS-----
<Long Multi-Line Base64 String>
-----END CMS-----

If I pass this to Unprotect-CmsMessage I receive the correct Password.

The Certificate passes $.PrivateKey.KeyExchangeAlgorithm and $.Verify

I have tried changing the Certificate Provider to "Microsoft Enhanced Cryptographic Provider v1.0", "Legacy Cryptographic Service Provider", and "Microsoft RSA SChannel Cryptographic Provider".

I have also tried xDSCUtils New-xSelfSignedDscEncryptionCertificate.

If I use the same certificates and compile and execute on the same server there are no problems.

I have already tried these: DSC problems with Credentials and build 10586 https://wespoint.wordpress.com/2017/01/19/powershell-dsc-encryption-issue/

Here are the cert properties:

EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList              : {ComputerFQDN}
SendAsTrustedIssuer      : False
Archived                 : False
EnhancedKeyUsage         : Document Encryption (1.3.6.1.4.1.311.80.1)
FriendlyName             : 
IssuerName               : 
NotAfter                 : 4/14/2018 1:09:37 PM
NotBefore                : 4/14/2017 1:09:37 PM
HasPrivateKey            : True
PrivateKey               : 
PublicKey                : RSA (2048 bits)
RawData                  : 
SerialNumber             : 19000000115FCB3C2E4C71BA69000000000011
SubjectName              : 
SignatureAlgorithm       : sha256RSA
Thumbprint               : F4238E74BFB238DEE89C78C13B5C2C8182674801
Version                  : 3
Handle                   : 1362382910512
Issuer                   : CA
Subject                  : CN=ComputerFQDN
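A check that covers the certificate properties listed above in one place, as an added example that is not part of the original question or of the linked gist: it verifies the Document Encryption EKU (1.3.6.1.4.1.311.80.1), the KeyEncipherment key usage, the presence of a private key and the validity window, then encrypts a constructed marker string to the certificate with Protect-CmsMessage and decrypts it again with Unprotect-CmsMessage. The thumbprint is a placeholder to be replaced with the one in the question's output; the function name is assumed.

```powershell
# Added example (not from the original post): sanity-check a DSC encryption certificate
# in the local machine store and prove a CMS round trip works with its private key.
function Test-DscEncryptionCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $result = [ordered]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject }

    # 1. Document Encryption EKU is what DSC / CMS selects the certificate on.
    $result.HasDocumentEncryptionEku = [bool]($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.80.1' })

    # 2. Key usage must allow key encipherment for the certificate to act as a CMS recipient.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $result.HasKeyEncipherment = [bool]($ku -and (($ku.KeyUsages -band $keyEnc) -ne 0))

    # 3. The node that decrypts the MOF must hold the private key.
    $result.HasPrivateKey = $cert.HasPrivateKey

    # 4. Validity window as of now.
    $now = Get-Date
    $result.IsInValidityPeriod = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # 5. End to end: encrypt a constructed marker to this certificate and decrypt it again.
    $marker = "dsc-roundtrip-$(New-Guid)"
    try {
        $cms = Protect-CmsMessage -To $cert -Content $marker
        $result.CmsRoundTrip = (Unprotect-CmsMessage -Content $cms) -eq $marker
    } catch {
        $result.CmsRoundTrip = $false
        $result.CmsError    = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Placeholder thumbprint; substitute the one shown in the certificate properties above.
Test-DscEncryptionCertificate -Thumbprint 'THUMBPRINT-PLACEHOLDER'
```

Run it on the client, not on the pull server: the point is to confirm that the machine which will apply the MOF can actually decrypt a CMS envelope addressed to that certificate. If CmsRoundTrip is true but the DSC credential still arrives as a CMS block, the certificate is not the problem and attention moves to how the MOF itself was compiled.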
Nana Lakshmanan: Do the clients have the necessary certificates installed for decryption?

Jeff Patton: How are you passing in credentials? Credentials and DSC are weird as I expect you know already.

aboersch: Thank you for your input. @NanaLakshmanan could you please tell me how to report this bug? UserVoice fails utterly (nothing is happening there) and the public GitHub repository for PowerShell told me that they are not responsible for DSC.

1 Answer

The problem is mostly related to Partial Configurations and I believe it is a genuine Bug in WMF 5.1 on Windows Server 2016.

Essentially if you have partial configurations (push or pull doesn't matter), and one of the configuration functions does not contain a resource that has a credential, thus forcing the credential to be serialised using the certificate for the MOF, decryption will fail.

You can reproduce it yourself on Windows Server 2016 or Windows 10 with WMF 5.1:

  1. Add a folder called DscTest to C:\Program Files\WindowsPowerShell\Modules and add the files from this gist to it.

  2. Execute this script. The first 2 will pass while the last one will fail.

The workaround is to include a resource (even if it is a dummy one) that uses a Credential for every partial configuration function. That is what the DscCredentialHole Resource in my Module from the first gist is for.
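The workaround stated above, as an added example that is not the answer's gist or its DscCredentialHole resource: two partial configurations for one node, each carrying at least one credential-bearing resource so that every partial MOF is serialised with the node's encryption certificate. The built-in Script resource (which has a Credential property) stands in for the dummy "hole" resource; node name, certificate path and thumbprint are placeholders, and the LCM meta-configuration at the end is included so the example is complete.

```powershell
# Added example (not from the original answer): every partial configuration carries a
# credential so the compiled MOF is encrypted for the node. Placeholders: node01,
# C:\DscCerts\node01.cer, THUMBPRINT-PLACEHOLDER.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'node01'
            CertificateFile = 'C:\DscCerts\node01.cer'   # node's public cert, used to encrypt the MOF
            Thumbprint      = 'THUMBPRINT-PLACEHOLDER'    # same cert in Cert:\LocalMachine\My on node01
        }
    )
}

# Partial configuration 1: genuinely needs a credential (File resource copying from a share).
Configuration ContentConfig {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        File AppContent {
            SourcePath      = '\\fileserver\share\app'   # placeholder share
            DestinationPath = 'C:\inetpub\app'
            Recurse         = $true
            Type            = 'Directory'
            Credential      = $Credential
        }
    }
}

# Partial configuration 2: needs no credential itself, so it gets a dummy one. This is the
# "hole" the answer describes, implemented with a no-op Script resource instead of the
# DscCredentialHole resource from the gist.
Configuration ServiceConfig {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        Service Spooler {
            Name  = 'Spooler'
            State = 'Running'
        }
        Script CredentialHole {
            GetScript  = { @{ Result = 'credential carried' } }
            TestScript = { $true }      # always compliant: the resource never does anything
            SetScript  = { }
            Credential = $Credential
        }
    }
}

# LCM meta-configuration: tells node01 which certificate decrypts the MOFs and registers
# both partials (push mode here; pull mode works the same way for the credential issue).
[DSCLocalConfigurationManager()]
Configuration LcmConfig {
    Node 'node01' {
        Settings {
            RefreshMode   = 'Push'
            CertificateID = 'THUMBPRINT-PLACEHOLDER'
        }
        PartialConfiguration ContentConfig { RefreshMode = 'Push' }
        PartialConfiguration ServiceConfig { RefreshMode = 'Push' }
    }
}

$Cred = Get-Credential -Message 'Account used by the partial configurations'
ContentConfig -ConfigurationData $ConfigData -Credential $Cred -OutputPath C:\DscMof\ContentConfig
ServiceConfig -ConfigurationData $ConfigData -Credential $Cred -OutputPath C:\DscMof\ServiceConfig
LcmConfig -OutputPath C:\DscMof\Lcm

# Every partial MOF should now contain a CMS envelope and no clear-text password.
Get-ChildItem C:\DscMof\*\node01.mof | ForEach-Object {
    [pscustomobject]@{
        Mof           = $_.FullName
        HasCmsBlock   = [bool](Select-String -Path $_.FullName -Pattern 'BEGIN CMS' -Quiet)
        HasClearText  = [bool](Select-String -Path $_.FullName -Pattern 'Password = "[^-]' -Quiet)
    }
}
```

The final loop is the check that matters for this thread: a partial MOF with no credential is written without the CMS block, which is exactly the condition the answer identifies as triggering the decryption failure on the node. Apply with Set-DscLocalConfigurationManager for the meta-configuration, Publish-DscConfiguration for each partial, and Start-DscConfiguration -UseExisting -Wait -Verbose.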