Get-ADObject with Credentials in DSC resource SSPI errors

My DSC target is in a forest “TEST” that has a one-way trust with “PROD” forest.

$Credential = Get-Credential PROD\USER
Get-ADObject -Filter {SamAccountName -eq 'TARGET'} -Server TEST -Credential $Credential

If I run this from within PowerShell on the system as a user in the TEST forest it works. I even tried PSEXEC to launch as a SYSTEM process and it works. When DSC tries to do this it errors with:

A call to SSPI failed, see inner exception. —>
No credentials are available in the security package

Any thoughts on what the problem could be or the difference of a DSC configuration process vs running locally or as SYSTEM?

Huh. Not sure I’ve ever tried that.

I guess maybe I’m not understanding - do you have a DSC resource running Get-Credential? How is it that you’re having DSC use an alternate credential for that query?

Sorry that was my example script. The actual DSC resource takes the typical PSCredential property. Also just for kicks I created the same user in the TEST domain as the PROD one and tried to use those creds with Get-ADObject and I keep getting SSPI errors. I verified the password is good via runas, also the user is a local admin on the DSC target. Something of interest, I get access denied trying to use the runas command from a psexec SYSTEM command prompt, never tried that honestly but I don’t see why it wouldn’t work from there if it worked from a normal command prompt.

Ok. So, a few troubleshooting cases then.

Have you checked to see if this works when accessing the same domain the machine belongs to?

Have you tried this with a non-AD scenario that also involves a credential? I’m thinking the problem could be specific to the AD commands.

I did try to use a user that is in the same domain as the machine, this produces the same error. I’ll swap it over to System.DirectoryServices.AccountManagement to validate the credentials and let you know.

Well, it looks like DSC isn’t decrypting the encrypted password in MOF, that would explain why it can’t authenticate. Anyway I was able to drop my need for the Get-ADObject by converting it to System.DirectoryServices.AccountManagement, so I’ll take that as a win.