DSC Encrypting multiple Credentials

Hi Everyone,

I have successfully encrypted my first set of credentials within a DSC configuration using a Certificate. I needed to encrypt the credentials for a service account running an App Pool. But I have 12 different App Pools running on a single machine in one environment. Multiply this by 4 (or more) and now I have 48 credentials that I must encrypt.

What are your recommendations on encrypting multiple Credentials in one DSC configuration? Can you provide an example?

xWebAppPool Example
{
    Name = "ExampleAppPool"
    State = "Started"
    identityType = "SpecificUser"
    Credential = $ExampleCredential
}

You’d do it the same way you did the first one ;). Any PSCredential object will be encrypted during MOF creation, provided you have a certificate set up, which you do. You only need the one certificate to actually DO the encryption, so this shouldn’t be any more difficult than doing one credential.

Hi Don,

I understand. I forgot to mention one critical piece of information here. Sorry about that. I am trying to pass the PSCredentials to the DSC configuration but they are either coming up empty or it still prompts me for a password.

However, this approach seems odd to me because I would have 30-50+ user accounts/passwords to pass through depending on the environment, because our Application Pools run under specific domain user accounts. I would think there is an easier way. Any suggestions?

$configData = @{
    # AllNodes must be an array of node hashtables, and the key is NodeName
    AllNodes = @(
        @{
            NodeName = "TestMachine.rb.local"
            CertificateFile = "C:\PublicKeys\TestMachine.cer"
            Thumbprint = "309r80w93809384089jhhehe3h3k3h3k"
        }
    )
}

Configuration TestExample 
{
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $ExampleCred1,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $ExampleCred2
    )

    Node "TestMachine.rb.local"
    {

        # resource instance names must be unique within a node
        File Example1
        {
            DestinationPath = "C:\somePath"
            SourcePath = "C:\NewPath"
            Credential = $ExampleCred1
        }

        File Example2
        {
            DestinationPath = "C:\somePath"
            SourcePath = "C:\NewPath"
            Credential = $ExampleCred2
        }
    }
}

$user1 = "domain\user"
$pass1 = ConvertTo-secureString "password1" -AsPlainText -Force
$Credential1 = New-object System.Management.Automation.PSCredential([string]"$user1",[SecureString] $pass1)

$user2 = "domain\user"
$pass2 = ConvertTo-secureString "password2" -AsPlainText -Force
$Credential2 = New-object System.Management.Automation.PSCredential([string]"$user2",[SecureString] $pass2)

# Quoting the arguments passes strings, not PSCredential objects; PowerShell then
# converts each string to a PSCredential by prompting for a password (the symptom above).
TestExample -ExampleCred1 "$Credential1" -ExampleCred2 "Credential2" -OutputPath "C:\Temp" -ConfigurationData $configData

Hi again Don,

So I finally got it to work. However, I still think there is a better way to pass in domain creds than to secure each cred into a variable and pass it in. Anyhow, the reason why I was getting blank credentials was that when I was executing the DSC configuration to create the .mof it was not detecting my parameters. It wasn't until I moved the Import-DSCResource line from above the param statement to below the param statement that it worked. That seems strange to me. I provided my code below.

Still, instead of me writing out each Service account user/pass and passing them in, do you know of a better approach?

Full DSC Configuration:


$configData = `
@{
    AllNodes = @(
                    @{
                    NodeName = "TestMachine.rb.local"
                    CertificateFile = "C:\PublicKeys\TestMachine.cer"
                    Thumbprint = "aidjf;adijf;alsdkjf;aidhf;asih"  ##Intentionally overwritten
                    PSDSCAllowDomainUser = $true
                    }

                    @{
                    NodeName = "*"
                    }
                );
}

Configuration TestExample 
{
   
    # Import-DscResource -ModuleName 'PSDesiredStateConfiguration'  ## Original location, but I moved it below (param must come first).
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $ExampleCred1,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $ExampleCred2
    )
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node ($AllNodes).NodeName
    {

        File Example1 
        {
            DestinationPath = "C:\Path1"
            SourcePath = "C:\NewPath"
            Credential = $ExampleCred1
        }

        File Example2 
        {
            DestinationPath = "C:\Path2"
            SourcePath = "C:\NewPath"
            Credential = $ExampleCred2
        }
    }
}

$user1 = "domain\user"
$pass1 = ConvertTo-secureString "password1" -AsPlainText -Force
$Credential1 = New-object System.Management.Automation.PSCredential([string]"$user1",[SecureString] $pass1)

$user2 = "domain\user"
$pass2 = ConvertTo-secureString "password2" -AsPlainText -Force
$Credential2 = New-object System.Management.Automation.PSCredential([string]"$user2",[SecureString] $pass2)

TestExample -ExampleCred1 $Credential1 -ExampleCred2 $Credential2 -OutputPath "C:\Temp" -ConfigurationData $configData

No, that’s the only way without getting into a third party key vault. That’s what you’re wanting; it just ain’t built into Windows.
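As an added example (not Don's or the original poster's code), here is one way to keep a single parameter for any number of app pools while every credential is still encrypted at MOF compile time exactly as Don describes. It assumes the xWebAdministration module (for xWebAppPool), a C:\Creds folder holding one Export-Clixml file per pool named after the pool, and placeholder node and thumbprint values.

```powershell
$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'TestMachine.rb.local'         # node name used in the thread
            CertificateFile      = 'C:\PublicKeys\TestMachine.cer' # node's public encryption cert
            Thumbprint           = 'THUMBPRINT-PLACEHOLDER'        # replace with that cert's thumbprint
            PSDscAllowDomainUser = $true                           # pools run as domain accounts
        }
    )
}

Configuration AppPoolCredentials
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [hashtable] $PoolCredentials   # 'AppPoolName' = [PSCredential]
    )

    Import-DscResource -ModuleName xWebAdministration   # provides xWebAppPool

    Node $AllNodes.NodeName
    {
        # One resource per entry; each Credential is encrypted with CertificateFile
        # when the MOF is compiled, so 12 or 48 pools need no extra parameters.
        foreach ($pool in $PoolCredentials.Keys)
        {
            xWebAppPool $pool
            {
                Name         = $pool
                State        = 'Started'
                identityType = 'SpecificUser'
                Credential   = $PoolCredentials[$pool]
            }
        }
    }
}

# Each credential was saved once with: Get-Credential | Export-Clixml C:\Creds\<PoolName>.xml
# (DPAPI-protected, readable only by the same user on the same machine), so no password sits in this script.
$poolCreds = @{}
foreach ($file in Get-ChildItem 'C:\Creds\*.xml') {
    $poolCreds[$file.BaseName] = Import-Clixml $file.FullName
}

AppPoolCredentials -PoolCredentials $poolCreds -ConfigurationData $configData -OutputPath 'C:\Temp'

# Sanity check: the only Password lines in the MOF should be encrypted blobs, never the plaintext.
Select-String -Path 'C:\Temp\TestMachine.rb.local.mof' -Pattern 'Password'
```

The target node's LCM must hold the matching private key to decrypt the MOF, so protect that key as you would the passwords themselves.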