Using Start-DscConfiguration with CredSSP

DSC
1

Hi,

(I apologize if this has already been addressed. I did search the forum for this info, but couldn’t find the answer.)

I have a DSC configuration that contains a script resource which pulls data from a database. I have configured Cred-SSP on the initiating server and the recipient server, and tested that I can create a remote session from the initiator to the recipient and then execute the script that accesses the database.

However, calling Start-DscConfiguration for the config with the script resource fails. My thought is that I may need to create a new CIM session for the server/node that’s receiving the dsc config and have that CIM session use CredSSP. However, I haven’t been able to create a new CIM session with CredSSP. I get:

New-CimSession : Failed to set destination option for transport.
Transport: WMIDCOM
Destination option: __MI_DESTINATIONOPTIONS_DESTINATION_CREDENTIALS

#1) Am I going about this the right way - trying to use a CredSSP CIM session to apply and test the DSC config?
#2) If so, what might I be missing when trying to create the CredSSP CIM session?

Thanks,
Joel

2

#1, no, I’m not sure this is the right thing to do. I’m maybe not understanding what you’re trying to do, actually. You’re just trying to kick off the LCM and force a configuration run? I’d probably just send the necessary commands to the computer via Invoke-Command, and let those commands run locally.

But, the LCM is what’s running the config, and it runs under System, which isn’t a delegate-able account, so CredSSP doesn’t enter into that.

3

There’s a similar discussion happening in this thread: https://powershell.org/forums/topic/dsc-script-resource-and-alternate-credentials/ .

4

Thanks, Don and Dave. That makes sense - to have Start-DSCConfig and Test-DSCConfig be invoked on the remote computer, since the LCM runs as System.
Since I’m doing my development on a PS mgmt box, and the Start-DSCConfiguration and Test-DSCConfiguraiton functions has the option to test a local MOF against a remote server, I was trying that, and failing when the config needed to do a hop to another server.

Cheers,
Joel