gMSA failures when used in PsDscRunAsCredential

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request

Module Version

3.3.0

Affected Resource(s)

ArcGIS_Server
ArcGIS_Portal

Configuration Files

Expected Behavior

Portal: The PersistStorageCredentials and CreatePortalContentFolder Script resources should execute successfully and add the Azure storage account key to Windows Credential Manager for the gMSA account and create the root folder for portal content. Server: The PersistConfigStoreCloudStorageCredentials and PersistServerDirectoriesCloudStorageCredentials should execute successfully and add the Azure storage account key to Windows Credential Manager for the gMSA account.

Actual Behavior

The resources fails with the error The user name or password is incorrect on Test.

Steps to Reproduce

I created a test configuration to illustrate the issue.

To execute, copy/paste the config into powershell and then copy/paste the below commands which will fail with the error The user name or password is incorrect.

$Params = @{
    'ServiceCredential'                  = (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ( 'emcsworld\gmsa1$', (ConvertTo-SecureString 'PlaceHolder' -AsPlainText -Force) ))
    'ConfigStoreCloudStorageCredentials' = (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ( 'examplefileaccount1.file.core.windows.net', (ConvertTo-SecureString 'PlaceHolder' -AsPlainText -Force) ))
    'ConfigurationData'                  = (@{AllNodes = @(@{NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true }) })
}
Test @Params
Start-DscConfiguration -Path .\Test\ -Wait -Force -Verbose

Configuration Test {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullorEmpty()]
        [System.Management.Automation.PSCredential]
        $ServiceCredential,

        [Parameter(Mandatory = $False)]
        [System.Management.Automation.PSCredential]
        $ConfigStoreCloudStorageCredentials
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName
    {
        $ConfigStoreAzureFilesEndpoint = $ConfigStoreCloudStorageCredentials.UserName
        $ConfigStoreFilesStorageAccountName = $ConfigStoreAzureFilesEndpoint.Substring(0, $ConfigStoreAzureFilesEndpoint.IndexOf('.'))
        $ConfigStoreStorageAccountKey = $ConfigStoreCloudStorageCredentials.GetNetworkCredential().Password

        Script PersistConfigStoreCloudStorageCredentials
        {
            TestScript = {
                $result = cmdkey "/list:$using:ConfigStoreAzureFilesEndpoint"
                $result | ForEach-Object { Write-Verbose -Message "cmdkey: $_" -Verbose }
                if ($result -like '*none*') {
                    return $false
                }
                return $true
            }
            SetScript = {
                $result = cmdkey "/add:$using:ConfigStoreAzureFilesEndpoint" "/user:$using:ConfigStoreFilesStorageAccountName" "/pass:$using:ConfigStoreStorageAccountKey"
                $result | ForEach-Object { Write-Verbose -Message "cmdkey: $_" -Verbose }
            }
            GetScript            = { return @{} }
            DependsOn            = $Depends
            PsDscRunAsCredential = $ServiceCredential # This is critical, cmdkey must run as the service account to persist property
        }
    }
}