We are tightening up the security of our scripts at the moment. Who has built a successful example of using Certificates and Thumbprint instead of using the notoriously bad PSDscAllowPlainTextPassword attribute, using PowerShell 4.0?
    Configuration ExampleConfig
    {
        param(
            [string] $myUserName
            ,[string] $myFullName
            ,[PSCredential] $myPassword
        )

        Node $AllNodes.where{ $_.Role.Contains("myrole") }.NodeName
        {
            User MyUser
            {
                UserName = $myUserName
                Ensure = "Present"
                FullName = $myFullName
                Password = $myPassword
            }

            LocalConfigurationManager
            {
                CertificateId = $node.Thumbprint
            }
        }
    }

    # cut the first half that declared the parameters and values

    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName = "10.0.0.5"
                myUserName = $userName
                myFullName = $userName
                myPassword = $userCreds
                Role="myrole"
                CertificateFile ="C:\GSPS-Source\Certificates\sfb-thm-tenant.local.cer"
                Thumbprint= "F6E950F331F06EE605D804DB4811fB647B697668"
            }
        )
    }

    $sn_mofPath = "C:\MOF"

    ExampleConfig -ConfigurationData $ConfigData -myUserName $userName -myPassword $userCreds -myFullName $userName `
        -OutputPath $sn_mofPath

    Set-DscLocalConfigurationManager -ComputerName "10.0.0.5" `
        -Path $sn_mofPath `
        -Credential $creds

    Start-DscConfiguration -Verbose -Wait -Force `
        -ComputerName "10.0.0.5" `
        -Path $sn_mofPath `
        -Credential $creds
I followed the following procedure: http://blogs.msdn.com/b/powershell/archive/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration.aspx and I am getting the following output.
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer SFB-THM-TOR with user sid S-1-5-21-2948782706-3721813811-4249131776-500.
    VERBOSE: [SFB-THM-TENANT]: LCM: [ Start Set ]
    VERBOSE: [SFB-THM-TENANT]: LCM: [ Start Resource ] [[User]MyUser]
    The SendConfigurationApply function did not succeed.
    + CategoryInfo : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName : 10.0.0.5
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 0.383 seconds
Additional information: the MOF files are encrypted; the certificate is a self-signed certificate on the target machine that I have exported to the local machine I run the scripts from (so the private key is on the target machine).
This is the script that I used to create the self-signed cert:
https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
Any help appreciated.
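
A pre-flight check for the setup described in the question, as an added example that is not part of the original post: it confirms that the exported .cer matches the Thumbprint entry in $ConfigData and that the target node holds the same certificate, with its private key, in Cert:\LocalMachine\My. It assumes $ConfigData and $creds are defined as in the script above and that PowerShell remoting to the node works with those credentials.

```powershell
# Added example, not the poster's code. Assumes $ConfigData and $creds are
# defined as in the question and that remoting to the node works with $creds.
$node = $ConfigData.AllNodes | Where-Object { $_.NodeName -eq '10.0.0.5' }

# 1. Authoring machine: the exported .cer (public key only) must be the
#    certificate that the Thumbprint entry names. -eq ignores hex case.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $node.CertificateFile
$fileMatches = $public.Thumbprint -eq $node.Thumbprint

# 2. Target node: the LCM decrypts with the private key, so the certificate
#    must sit in the machine store together with that key.
$remote = Invoke-Command -ComputerName $node.NodeName -Credential $creds `
    -ArgumentList $node.Thumbprint -ScriptBlock {
    param($Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return New-Object psobject -Property @{ Found = $false }
    }
    $usage = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    $usageText = '(no key usage extension)'
    if ($usage) { $usageText = $usage.KeyUsages.ToString() }
    $now = Get-Date
    New-Object psobject -Property @{
        Found         = $true
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        KeyUsages     = $usageText   # reported for review, not judged here
    }
}

# 3. One summary object; any $false is worth fixing before pushing the MOF.
New-Object psobject -Property @{
    CerFileMatchesThumbprint = $fileMatches
    FoundInLocalMachineMy    = $remote.Found
    HasPrivateKeyOnNode      = [bool]$remote.HasPrivateKey
    WithinValidityPeriod     = [bool]$remote.InValidity
    KeyUsages                = $remote.KeyUsages
}
```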