Group Resource encrypted credentials issue

I'm having issues with the Group Resource and domain user accounts. It seems to only work if I use the PSDscAllowPlainTextPassword=$true variable when passing in the credentials. If I use the CertificateFile variable in the configuration data pointed to a cert that's installed on the target node, I get the error below. Has anyone gotten the Group Resource to work with encrypted credentials?

The PowerShell provider MSFT_GroupResource threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

EventLog:

Job {DF4B4371-F349-440A-A50C-C57FFE37E6C3} :
This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource provider. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect."

$ConfigurationData = @{
    AllNodes = @(
        # Settings under "*" are merged into every node entry below
        @{
            NodeName        = "*"
            CertificateFile = "c:\cert.cer"   # public key used to encrypt credentials in the MOF
        },
        @{
            NodeName = "localhost"
        }
    )
}

configuration AdminGroup
{
    param(
        [PSCredential]$Credential
    )

    node $AllNodes.NodeName
    {
        Group Administrators
        {
            GroupName  = "Administrators"
            Credential = $Credential   # domain account used to resolve the domain members
            Ensure     = "Present"
            Members    = "Administrator", "Lab\account1", "lab\account2"
        }
    }
}

# Compile the MOF, prompting for the domain credential
AdminGroup -ConfigurationData $ConfigurationData -OutputPath c:\AdminGroup -Credential (Get-Credential)

# Push the configuration to the local node (dry run)
Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force -WhatIf

Almost looks like a bug in the resource. Do we have a version of that in the community repo?

I was unable to find a comparable one in the repo.

I haven’t tested this functionality yet myself, but looking at this PowerShell blog post, they have some extra bits that are missing from your configuration. (Specifically, the thumbprint in configurationData, the LocalConfigurationManager resource setting CertificateId to that thumbprint, and the call to Set-DscLocalConfigurationManager on the target node to configure the LCM using those options. The certificate must also be installed, with its private key, on the target node(s).)

Have you already performed these steps, separately from what you’ve posted here?
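The following is an added example, not code from the original posts or from the blog post Dave refers to. It puts the three missing pieces into the OP's AdminGroup configuration: the Thumbprint in the configuration data, a LocalConfigurationManager block that sets CertificateId to it, and a Set-DscLocalConfigurationManager call before Start-DscConfiguration. It also adds the checks a practitioner would want before pushing: that the compiled MOF does not carry the password in the clear, that the private key is present in the target's LocalMachine\My store, and that the LCM reports the expected CertificateID. Assumptions: the public certificate is at C:\cert.cer on the authoring machine, the certificate with its private key is installed on the target node, the push target is localhost, and the group member names are placeholders.

```powershell
# Added example (not the poster's or the blog's code). Assumes C:\cert.cer holds the
# public certificate, the matching private key is in Cert:\LocalMachine\My on the
# target node, and the target is localhost. Member names are placeholders.

# Derive the thumbprint from the .cer file rather than typing it by hand, so the
# CertificateFile used to encrypt the MOF and the CertificateId the LCM uses to
# decrypt it cannot drift apart.
$certPath   = 'C:\cert.cer'
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$thumbprint = $publicCert.Thumbprint

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = $certPath     # public key: encrypts credentials in the MOF
            Thumbprint      = $thumbprint   # tells the LCM which private key decrypts them
        }
    )
}

configuration AdminGroup
{
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [PSCredential]$Credential
    )

    node $AllNodes.NodeName
    {
        # Without this block the LCM has no CertificateId, cannot decrypt the
        # credential, and the Group resource fails with the generic
        # "user name or password is incorrect" error from FindByIdentity.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        Group Administrators
        {
            GroupName  = 'Administrators'
            Credential = $Credential
            Ensure     = 'Present'
            Members    = 'Administrator', 'Lab\account1', 'Lab\account2'
        }
    }
}

$cred = Get-Credential -Message 'Domain account used to resolve the group members'
AdminGroup -ConfigurationData $ConfigurationData -OutputPath C:\AdminGroup -Credential $cred

# Check 1: the compiled MOF must not contain the password in the clear.
# (A very short password could match by accident; the check is meant for real ones.)
$mof = Get-Content -Path C:\AdminGroup\localhost.mof -Raw
if ($mof -match [regex]::Escape($cred.GetNetworkCredential().Password)) {
    throw 'localhost.mof contains the plaintext password; credential encryption did not happen.'
}

# Check 2: the certificate with its private key must be on the target (here localhost).
$private = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $private -or -not $private.HasPrivateKey) {
    throw "Certificate $thumbprint with its private key is not in LocalMachine\My on the target."
}

# Apply the LCM settings from localhost.meta.mof (the step both posters had skipped),
# then confirm the LCM reports the expected CertificateID before pushing.
Set-DscLocalConfigurationManager -Path C:\AdminGroup -Verbose
$lcm = Get-DscLocalConfigurationManager
if ($lcm.CertificateID -ne $thumbprint) {
    throw "LCM CertificateID is '$($lcm.CertificateID)', expected '$thumbprint'."
}

Start-DscConfiguration -Path C:\AdminGroup -Wait -Verbose -Force
```

Run it on the authoring machine when pushing to localhost; for a remote target, run the certificate and LCM checks on that node (or pass -ComputerName / -CimSession to the Set-DscLocalConfigurationManager and Get-DscLocalConfigurationManager calls). The plaintext check is the quickest answer to "which credential did DSC use": if the password is readable in the MOF, no encryption took place; if it is not readable but the resource still reports a bad password, the LCM is decrypting with the wrong key or none, which is what a missing or mismatched CertificateID looks like.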

Ah, silly me, I feel like an idiot. I'm trying to do a quick test using push and I forgot all about the LCM CertificateId. That's exactly what the issue was.

Thanks DAVE!

Do a favor and bug that in Connect.Microsoft.com anyway. The resource should provide a more meaningful error message when you do what you did. It’s not doing input validation.

Done.

https://connect.microsoft.com/PowerShell/feedback/details/868951/dsc-encrypted-credentials-generic-error

Thanks again for the help.

Having the same issue. Took the OP's code, changed the nodename and members, and included the CertificateId. Confirmed the machine that builds the MOF had the same certificate/thumbprint as the server. We even generated the MOF and started DSC on the target server, but we still get this error:

Job {03F26B40-A4F7-11E5-80D9-005056BE26AD} :
This event indicates that a non-terminating error was thrown when DSCEngine was executing Test-TargetResource on MSFT_GroupResource DSC resource. FullyQualifiedErrorId is COMException. ErrorMessage is Exception calling "FindByIdentity" with "2" argument(s): "The user name or password is incorrect."

How can we determine what username and password combination DSC tried to use?

Forgot to call Set-DscLocalConfigurationManager.