Hey guys,
On push and pull models I'm having an issue with encryption. When the configuration runs I receive the following error:
The Local Configuration Manager is not configured with a certificate Or decryption failed.
I have followed the Microsoft guide to create the certificate, with the certificate created on the target node and the public key exported to the authoring node. I have created the certificate from ADCS 2012r2 PKI.
The guest is Server 2012r2.
I have tried to move the “certificateid” from ConfigurationRepositoryWeb to Settings on the LCM; no difference.
In Event Viewer I can see the below event:
event id 4257

    Job {B5C48003-44EA-11E6-80EB-001DD8B75749} :
    MIResult: 6
    Error Message: The Local Configuration Manager is not configured with a certificate. Resource '[File]exampleFile' in configuration 'CredentialEncryptionExample' cannot be processed.
    Message ID: MI RESULT 6
    Error Category: 13
    Error Code: 6
    Error Type: MI
    PS C:\Windows\system32> $PSVersionTable

    Name                           Value
    ----                           -----
    PSVersion                      5.0.10586.117
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.10586.117
    CLRVersion                     4.0.30319.34014
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1
The below configuration is just testing to see if it was an error in my real configuration.
    $ConfigData= @{
        AllNodes = @(
            @{
                NodeName = "TPKI01"
                CertificateFile = "C:\temp\TPKI01.cer"
                Thumbprint = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
            };
        );
    }

    configuration CredentialEncryptionExample
    {
        param(
            [Parameter(Mandatory=$true)]
            [ValidateNotNullorEmpty()]
            [PsCredential] $credential
        )

        Node $AllNodes.NodeName
        {
            File exampleFile
            {
                SourcePath = "\\TPKI01\D$\PKI\ING_IntCA1+.crl"
                DestinationPath = "C:\temp\"
                Credential = $credential
            }

            LocalConfigurationManager
            {
                CertificateID = $node.Thumbprint
            }
        }
    }

    Write-Host "Generate DSC Configuration..."
    CredentialEncryptionExample -ConfigurationData $ConfigData -OutputPath \\sofs\dsc\AU\Configuration

    $nodes = 'TPKI01'
    Write-Verbose (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint

    foreach ($item in $nodes)
    {
        [DSCLocalConfigurationManager()]
        configuration PullClientConfigID
        {
            Node $item
            {
                Settings
                {
                    RefreshMode = 'Pull'
                    RefreshFrequencyMins = 30
                    RebootNodeIfNeeded = $True
                    DebugMode = 'ALL'
                    AllowModuleOverWrite = $false
                    #CertificateID = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
                }

                ConfigurationRepositoryWeb PullSrv
                {
                    ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey = 'd7d29e47-FFFF-402b-9553-d331713d96bc'
                    AllowUnsecureConnection = $false
                    CertificateID = (get-childitem -path Cert:\LocalMachine\My | ?{$_.subject -like "*$item*"}).Thumbprint
                    ConfigurationNames = @("$item")
                }

                ReportServerWeb PullSrv
                {
                    ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey = 'd7d29e47-1a46-402b-9553-d331713d96bc'
                }
            }
        }

        PullClientConfigID -verbose
        Set-DSCLocalConfigurationManager -Path .\PullClientConfigID -Verbose -force -ComputerName $item
    }
Target node LCM
    ActionAfterReboot              : ContinueConfiguration
    AgentId                        : 21631C66-1A6C-11E6-80E6-001DD8B75749
    AllowModuleOverWrite           : False
    CertificateID                  :
    ConfigurationDownloadManagers  : {[ConfigurationRepositoryWeb]PullSrv}
    ConfigurationID                :
    ConfigurationMode              : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential                     :
    DebugMode                      : {All}
    DownloadManagerCustomData      :
    DownloadManagerName            :
    LCMCompatibleVersions          : {1.0, 2.0}
    LCMState                       : PendingConfiguration
    LCMStateDetail                 :
    LCMVersion                     : 2.0
    StatusRetentionTimeInDays      : 10
    PartialConfigurations          :
    RebootNodeIfNeeded             : True
    RefreshFrequencyMins           : 30
    RefreshMode                    : Pull
    ReportManagers                 : {[ReportServerWeb]PullSrv}
    ResourceModuleManagers         : {}
    PSComputerName                 : TPKI01

    PSComputerName          : TPKI01
    ResourceId              : [ConfigurationRepositoryWeb]PullSrv
    SourceInfo              : ::53::13::ConfigurationRepositoryWeb
    AllowUnsecureConnection : True
    CertificateID           :
    ConfigurationNames      : {TPKI01}
    RegistrationKey         :
    ServerURL               : https://DSC:8080/PSDSCPullServer.svc
    PSComputerName          : TPKI01
    /*
    @TargetNode='TPKI01'
    @GeneratedBy=user
    @GenerationDate=07/08/2016 18:46:03
    @GenerationHost=DSCPULL01
    */

    instance of MSFT_Credential as $MSFT_Credential1ref
    {
        Password = "-----BEGIN CMS-----\nMIIB/wYJKoZIhvcNAQcDoIIB8DCCAewCAQAxggGnMIIBowIBADCBijBzMQswCQYDVQQGEwJBVTEM\nMAoGA1UECAwDTlNXMR0wGwYDVQQKDBRJTkcgRGlyZWN0IEF1c3RyYWxpYTELMAkGA1UECwwCSVQx\nKjAoBgNVBAMMIUlORy1EaXJlY3QtQXVzdHJhbGlhLVByb2QtSU5ULUNBMgITdAAAAeG7VkqFfNZu\nggAAAAAB4TANBgkqhkiG9w0BAQcwAASCAQBUbc/ApWnYfUOfCCrOOkTKD7S5pnjBx1LSNFvjVDeE\nGvR1hfRzaXh9fGxLcw+IXqN1tkTf0CuxWXBOwhrrXIHbwBo42e9x0AqFnIdhZyGPtwoAURcnTayD\nIkzh3r7GuDGCmAYJm7wOAWv26tWxtZwbdvHmt2LOBLDUPcV2RcYZSSD3Z2s621XmIaH/CuvcdRBV\nOQAX97+ii9EmadPfUjAzD7pAwhQPcTXslqXTYh07lIsTbyfgQ6VScwIwSWY5PjapUvqQ1lZUnKzG\n4oNcAWLEzrqyNi5pBsLibri7BcYeeFUrnBjLa6JJGRjnyPoNigscLFbea2/SDAELXS6YhkUYMDwG\nCSqGSIb3DQEHATAdBglghkgBZQMEASoEEHNtWNix1eW4RPL4MlwHA+yAELUb41h4PxO6mktT5ruf\ntW0=\n-----END CMS-----";
        UserName = "corp\\svc_dsc";
    };

    instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
    {
        ResourceID = "[File]exampleFile";
        Credential = $MSFT_Credential1ref;
        DestinationPath = "C:\\temp\\";
        ModuleName = "PSDesiredStateConfiguration";
        SourceInfo = "::21::9::File";
        SourcePath = "\\\\tpki01\\D$\\PKI\\ING_IntCA1+.crl";
        ModuleVersion = "1.0";
        ConfigurationName = "CredentialEncryptionExample";
    };

    instance of OMI_ConfigurationDocument
    {
        Version="2.0.0";
        MinimumCompatibleVersion = "1.0.0";
        CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
        Author="user";
        GenerationDate="07/08/2016 18:46:03";
        GenerationHost="DSCPULL01";
        ContentType="PasswordEncrypted";
        Name="CredentialEncryptionExample";
    };
Certificate on the pull server/authoring node:
tpki01.corp.intranet} {Document Encryption (1.3.6.1.4.1.311.80.1)} 6/07/2018 3:05:11 PM False System.Security.Cryptography.Oid CN=tpki01..
Any ideas?
Regards
Nathan
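
The error in the post is raised on the target node, where the LCM decrypts credentials with the certificate named by its own CertificateID setting. The check below is an added example, not part of the original post: the function name Test-DscDecryptionCertificate is hypothetical, and it only reads the LCM state and the local machine certificate store.

```powershell
# Added example (not from the original post). Run in an elevated session on the target node.
function Test-DscDecryptionCertificate {
    [CmdletBinding()]
    param(
        # Document Encryption EKU OID, as it appears in the post's certificate listing
        [string] $DocumentEncryptionOid = '1.3.6.1.4.1.311.80.1'
    )

    # Thumbprint the LCM is currently configured to decrypt with
    $lcmThumbprint = (Get-DscLocalConfigurationManager).CertificateID

    $report = [ordered]@{
        LcmCertificateId      = $lcmThumbprint
        FoundInLocalMachineMy = $false
        HasPrivateKey         = $false
        HasDocumentEncryption = $false
        WithinValidityPeriod  = $false
    }

    if ([string]::IsNullOrWhiteSpace($lcmThumbprint)) {
        Write-Warning 'LCM CertificateID is empty, so the LCM has no certificate selected for decryption.'
        return [pscustomobject]$report
    }

    # The decryption certificate must be in the machine store, not a user store
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $lcmThumbprint } |
        Select-Object -First 1

    if ($null -eq $cert) {
        Write-Warning "No certificate with thumbprint $lcmThumbprint in Cert:\LocalMachine\My."
        return [pscustomobject]$report
    }

    $now = Get-Date
    $report.FoundInLocalMachineMy = $true
    # A public-key-only copy (.cer import) cannot decrypt the CMS blob in the MOF
    $report.HasPrivateKey         = $cert.HasPrivateKey
    $report.HasDocumentEncryption = @($cert.EnhancedKeyUsageList.ObjectId) -contains $DocumentEncryptionOid
    $report.WithinValidityPeriod  = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

    [pscustomobject]$report
}

Test-DscDecryptionCertificate | Format-List
```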