Hey guys,
On push and pull models I'm having an issue with encryption. When the configuration runs I receive the following error:
The Local Configuration Manager is not configured with a certificate Or decryption failed. I have followed Microsoft's guide to create the certificate, with the certificate created on the target node and the public key exported to the authoring node. I have created the certificate from ADCS 2012r2 PKI.
The guest is Server 2012r2.
I have tried to move the “certificateid” from ConfigurationRepositoryWeb to Settings on the LCM; no difference.
In Event Viewer I can see the below event:
event id 4257
Job {B5C48003-44EA-11E6-80EB-001DD8B75749} :
MIResult: 6
Error Message: The Local Configuration Manager is not configured with a certificate. Resource '[File]exampleFile' in configuration 'CredentialEncryptionExample' cannot be processed.
Message ID: MI RESULT 6
Error Category: 13
Error Code: 6
Error Type: MI
PS C:\Windows\system32> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      5.0.10586.117
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.10586.117
CLRVersion                     4.0.30319.34014
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
The below configuration is just a test to see if it was an error in my real configuration:
$ConfigData= @{
    AllNodes = @(
        @{
            NodeName = "TPKI01"
            CertificateFile = "C:\temp\TPKI01.cer"
            Thumbprint = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
        };
    );
}
configuration CredentialEncryptionExample
{
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PsCredential] $credential
    )
    Node $AllNodes.NodeName
    {
        File exampleFile
        {
            SourcePath = "\\TPKI01\D$\PKI\ING_IntCA1+.crl"
            DestinationPath = "C:\temp\"
            Credential = $credential
        }
        LocalConfigurationManager {
            CertificateID = $node.Thumbprint
        }
    }
}
Write-Host "Generate DSC Configuration..."
CredentialEncryptionExample -ConfigurationData $ConfigData -OutputPath \\sofs\dsc\AU\Configuration
$nodes = 'TPKI01'
Write-Verbose (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
foreach ($item in $nodes) {
    [DSCLocalConfigurationManager()]
    configuration PullClientConfigID
    {
        Node $item
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30
                RebootNodeIfNeeded = $True
                DebugMode = 'ALL'
                AllowModuleOverWrite = $false
                #CertificateID = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
            }
            ConfigurationRepositoryWeb PullSrv
            {
                ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                RegistrationKey = 'd7d29e47-FFFF-402b-9553-d331713d96bc'
                AllowUnsecureConnection = $false
                CertificateID = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
                ConfigurationNames = @("$item")
            }
            ReportServerWeb PullSrv
            {
                ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                RegistrationKey = 'd7d29e47-1a46-402b-9553-d331713d96bc'
            }
        }
    }
    PullClientConfigID -verbose
    Set-DSCLocalConfigurationManager -Path .\PullClientConfigID -Verbose -force -ComputerName $item
}
Target node LCM
ActionAfterReboot : ContinueConfiguration
AgentId : 21631C66-1A6C-11E6-80E6-001DD8B75749
AllowModuleOverWrite : False
CertificateID :
ConfigurationDownloadManagers : {[ConfigurationRepositoryWeb]PullSrv}
ConfigurationID :
ConfigurationMode : ApplyAndMonitor
ConfigurationModeFrequencyMins : 15
Credential :
DebugMode : {All}
DownloadManagerCustomData :
DownloadManagerName :
LCMCompatibleVersions : {1.0, 2.0}
LCMState : PendingConfiguration
LCMStateDetail :
LCMVersion : 2.0
StatusRetentionTimeInDays : 10
PartialConfigurations :
RebootNodeIfNeeded : True
RefreshFrequencyMins : 30
RefreshMode : Pull
ReportManagers : {[ReportServerWeb]PullSrv}
ResourceModuleManagers : {}
PSComputerName : TPKI01
PSComputerName : TPKI01
ResourceId : [ConfigurationRepositoryWeb]PullSrv
SourceInfo : ::53::13::ConfigurationRepositoryWeb
AllowUnsecureConnection : True
CertificateID :
ConfigurationNames : {TPKI01}
RegistrationKey :
ServerURL : https://DSC:8080/PSDSCPullServer.svc
PSComputerName : TPKI01
/*
@TargetNode='TPKI01'
@GeneratedBy=user
@GenerationDate=07/08/2016 18:46:03
@GenerationHost=DSCPULL01
*/
instance of MSFT_Credential as $MSFT_Credential1ref
{
Password = "-----BEGIN CMS-----\nMIIB/wYJKoZIhvcNAQcDoIIB8DCCAewCAQAxggGnMIIBowIBADCBijBzMQswCQYDVQQGEwJBVTEM\nMAoGA1UECAwDTlNXMR0wGwYDVQQKDBRJTkcgRGlyZWN0IEF1c3RyYWxpYTELMAkGA1UECwwCSVQx\nKjAoBgNVBAMMIUlORy1EaXJlY3QtQXVzdHJhbGlhLVByb2QtSU5ULUNBMgITdAAAAeG7VkqFfNZu\nggAAAAAB4TANBgkqhkiG9w0BAQcwAASCAQBUbc/ApWnYfUOfCCrOOkTKD7S5pnjBx1LSNFvjVDeE\nGvR1hfRzaXh9fGxLcw+IXqN1tkTf0CuxWXBOwhrrXIHbwBo42e9x0AqFnIdhZyGPtwoAURcnTayD\nIkzh3r7GuDGCmAYJm7wOAWv26tWxtZwbdvHmt2LOBLDUPcV2RcYZSSD3Z2s621XmIaH/CuvcdRBV\nOQAX97+ii9EmadPfUjAzD7pAwhQPcTXslqXTYh07lIsTbyfgQ6VScwIwSWY5PjapUvqQ1lZUnKzG\n4oNcAWLEzrqyNi5pBsLibri7BcYeeFUrnBjLa6JJGRjnyPoNigscLFbea2/SDAELXS6YhkUYMDwG\nCSqGSIb3DQEHATAdBglghkgBZQMEASoEEHNtWNix1eW4RPL4MlwHA+yAELUb41h4PxO6mktT5ruf\ntW0=\n-----END CMS-----";
UserName = "corp\\svc_dsc";
};
instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
{
ResourceID = "[File]exampleFile";
Credential = $MSFT_Credential1ref;
DestinationPath = "C:\\temp\\";
ModuleName = "PSDesiredStateConfiguration";
SourceInfo = "::21::9::File";
SourcePath = "\\\\tpki01\\D$\\PKI\\ING_IntCA1+.crl";
ModuleVersion = "1.0";
ConfigurationName = "CredentialEncryptionExample";
};
instance of OMI_ConfigurationDocument
{
Version="2.0.0";
MinimumCompatibleVersion = "1.0.0";
CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
Author="user";
GenerationDate="07/08/2016 18:46:03";
GenerationHost="DSCPULL01";
ContentType="PasswordEncrypted";
Name="CredentialEncryptionExample";
};
Certificate on the pull server/authoring node:
tpki01.corp.intranet} {Document Encryption (1.3.6.1.4.1.311.80.1)} 6/07/2018 3:05:11 PM False System.Security.Cryptography.Oid CN=tpki01..
Any ideas?
Regards
Nathan
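
A check that can be run on the target node, added here as an example and not part of the original post: it verifies that the LCM's CertificateID points at a certificate in Cert:\LocalMachine\My that has a private key, is unexpired, and carries the Document Encryption EKU and encipherment key usages. The function name and its parameter are hypothetical, and the key-usage requirement is an assumption based on Microsoft's DSC guidance for securing MOF files.

```powershell
# Added example, not from the original post. Run locally on the target node.
function Test-DscDecryptionCertificate {
    param(
        # Hypothetical parameter: path, reachable from this node, to the public-key
        # file the authoring node encrypts with (C:\temp\TPKI01.cer in the post).
        [string] $AuthoringCertificateFile
    )
    $docEncryptionOid = '1.3.6.1.4.1.311.80.1'   # Document Encryption EKU quoted in the post
    $findings = @()

    # 1. The LCM must know which certificate to decrypt with.
    $thumbprint = (Get-DscLocalConfigurationManager).CertificateID
    if ([string]::IsNullOrWhiteSpace($thumbprint)) {
        return 'LCM CertificateID is empty: the LCM has no certificate to decrypt with.'
    }

    # 2. That certificate must exist in the machine store with its private key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        return "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key on this node.' }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)." }

    # 3. EKU and key usage must allow document encryption (assumed requirement).
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $docEncryptionOid) {
        $findings += "Document Encryption EKU ($docEncryptionOid) is missing."
    }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $required = $flags::KeyEncipherment -bor $flags::DataEncipherment
    $usage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $usage -or (($usage.KeyUsages -band $required) -ne $required)) {
        $findings += 'Key usage lacks KeyEncipherment and/or DataEncipherment.'
    }

    # 4. The MOF must have been encrypted to this same certificate.
    if ($AuthoringCertificateFile) {
        $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $AuthoringCertificateFile
        if ($public.Thumbprint -ne $thumbprint) {
            $findings += "Authoring file thumbprint $($public.Thumbprint) differs from the LCM CertificateID."
        }
    }

    if ($findings.Count -eq 0) { 'Certificate is usable for DSC credential decryption.' } else { $findings }
}

Test-DscDecryptionCertificate
```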