Question:
I have the following Desired State Configuration (DSC)
    Configuration Cert
    {
        param (
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [System.String]
            $machineName,
            [Parameter(Mandatory = $true)]
            [ValidateNotNullorEmpty()]
            [PSCredential]
            $certCredential
        )

        Import-DscResource -ModuleName xPSDesiredStateConfiguration, xCertificate

        Node $machineName
        {
            xPfxImport cert
            {
                Ensure = 'Present'
                Path = 'C:\certificate.pfx'
                Thumbprint = 'abcdefg'
                Location = 'LocalMachine'
                Store = 'My'
                Exportable = $true
                Credential = $certCredential
            }
        }
    }

    $cd = @{
        AllNodes = @(
            @{
                NodeName = 'localhost'
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

    $secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ('x', $secpasswd)

    Cert -machineName MyPC -certCredential $mycreds -ConfigurationData $cd

    Start-DscConfiguration -Path .\Cert -Wait -Verbose -Force
When I try to execute this I get the following error:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property ‘Credential’ OF TYPE ‘xPfxImport’:
Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in
MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Users\x\Desktop\script.ps1:18 char:9
+ xPfxImport
At line:341 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Compilation errors occurred while processing configuration ‘Cert’. Please review the errors reported in error stream and
modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917
char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Cert:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
I realize that the password must be encrypted and that saving it as plain text is not allowed, or at least not recommended. I have tried many things suggested on the internet and I am still not able to make this work properly.
I am looking for a way to install a certificate and give certain set certificate permissions after that.
Answer:
You need to allow for plaintext credentials.
    Configuration DomainCredentialExample
    {
        param(
            [PSCredential]$DomainCredential
        )
        Import-DscResource -ModuleName PSDesiredStateConfiguration

        Node $AllNodes.NodeName
        {
            Group DomainUserToLocalGroup
            {
                GroupName = 'InfoSecBackDoor'
                MembersToInclude = 'contoso\notyouraccount'
                Credential = $DomainCredential
            }
        }
    }

    $cd = @{
        AllNodes = @(
            @{
                NodeName="localhost"
                PSDscAllowPlainTextPassword=$true
            }
        )
    }

    $cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
    DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
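The error message in the question points to encrypting the credential in the MOF rather than allowing plain text. The following is an added example of that approach for the question's xPfxImport resource; it is not code from the question or the answer. It assumes the node MyPC already holds a document-encryption certificate with its private key in LocalMachine\My, that the public key was exported to the hypothetical path C:\dsc\MyPC.cer, and it uses a placeholder for that certificate's thumbprint.

```powershell
# Assumptions (constructed placeholders, not from the page): C:\dsc\MyPC.cer and
# <ENCRYPTION-CERT-THUMBPRINT> describe an encryption certificate already on the node.
$cd = @{
    AllNodes = @(
        @{
            # Must equal the name used by the Node block; otherwise these
            # per-node settings are not applied when that node's MOF is compiled.
            NodeName        = 'MyPC'
            # Public key used at compile time to encrypt PSCredential values.
            CertificateFile = 'C:\dsc\MyPC.cer'
            # Thumbprint of the same certificate; the node decrypts with its private key.
            Thumbprint      = '<ENCRYPTION-CERT-THUMBPRINT>'
        }
    )
}

Configuration Cert
{
    param ([Parameter(Mandatory = $true)] [PSCredential] $certCredential)

    Import-DscResource -ModuleName xCertificate

    Node $AllNodes.NodeName
    {
        # Tells the node's Local Configuration Manager which certificate decrypts the MOF.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        xPfxImport cert
        {
            Ensure     = 'Present'
            Path       = 'C:\certificate.pfx'
            Thumbprint = 'abcdefg'          # PFX thumbprint as given in the question
            Location   = 'LocalMachine'
            Store      = 'My'
            Exportable = $true
            Credential = $certCredential    # stored encrypted in MyPC.mof
        }
    }
}

$mycreds = Get-Credential -UserName 'x' -Message 'PFX password'
Cert -certCredential $mycreds -ConfigurationData $cd -OutputPath .\Cert

Set-DscLocalConfigurationManager -Path .\Cert -Verbose   # applies MyPC.meta.mof
Start-DscConfiguration -Path .\Cert -Wait -Verbose -Force
```

With this configuration data PSDscAllowPlainTextPassword is not needed, and the password in the generated MOF is ciphertext that only the holder of the node's private key can decrypt.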