Closed. mazad01 closed this 5 years ago
I have come across this behavior as well with partial configurations. I've found that you have to encrypt all MOFs if you're using partial configurations - if any one of the MOFs is encrypted. It is the LCM that is being configured with the decryption info and I suspect it can only handle "all or nothing" encryption.
That's terrible. A workaround which I don't like is to place this line on all MOFs that are non-encrypted:
ContentType="PasswordEncrypted";
in the instance of OMI_ConfigurationDocument block.
The error message is actually correct. What's happening is the credentials in the .mof aren't being decrypted by the node's LCM, so it's hitting the character limit. This is a known bug in WMF5.1. Here's a brief summary of the issue:
This LCM partial config is applying A and B to the target node.
[DscLocalConfigurationManager()]
Configuration PartalLCMCredentialIssue
{
    Settings
    {
        RefreshFrequencyMins           = 30
        RefreshMode                    = 'PULL'
        ConfigurationMode              = 'ApplyAndAutocorrect'
        AllowModuleOverwrite           = $true
        RebootNodeIfNeeded             = $true
        ConfigurationModeFrequencyMins = 60
        # Thumbprint of the certificate the node uses to decrypt credentials
        CertificateID                  = 'thumbprintgoeshere'
    }
    ConfigurationRepositoryWeb CONTOSO-PullSrv
    {
        ServerURL          = 'https://CONTOSO-PullSrv:8080/PSDSCPullServer.svc'
        # The registration key is a string and must be quoted
        RegistrationKey    = '5b41f4e6-5e6d-45f5-8102-f2227468ef38'
        ConfigurationNames = @('A', 'B')
    }
    # I do not require encrypted credentials
    PartialConfiguration A
    {
        Description         = 'A'
        ConfigurationSource = @('[ConfigurationRepositoryWeb]CONTOSO-PullSrv')
    }
    # I require encrypted credentials
    PartialConfiguration B
    {
        Description         = 'B'
        ConfigurationSource = @('[ConfigurationRepositoryWeb]CONTOSO-PullSrv')
    }
}
A doesn't need encrypted credentials:
configuration A {
    Node localhost {
        WindowsFeature A {
            # Property values are strings and must be quoted
            Name   = 'A'
            Ensure = 'Present'
        }
    }
}
# No certificate information: the MOF for A is written unencrypted
$configData = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
        }
    )
}
A -OutputPath '\\server\share' -ConfigurationData $configData
B does:
configuration B {
    Node localhost {
        WindowsFeature B {
            Name                 = 'B'
            Ensure               = 'Present'
            # The credential is encrypted into the MOF with the node's public key
            PsDscRunAsCredential = (Get-Credential)
        }
    }
}
$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'localhost'
            PSDscAllowDomainUser = $true
            # Public key used to encrypt the credential, and the matching thumbprint
            # the LCM (CertificateID above) uses to decrypt it
            CertificateFile      = 'C:\publicKeys\targetNode.cer'
            Thumbprint           = 'thumbprintgoeshere'
        }
    )
}
B -OutputPath '\\server\share' -ConfigurationData $configData
When the LCM is gathering all the DSC resources it needs to apply to the target node, it's pulling them in alphabetical order. It's also using that first resource to determine if it needs to decrypt any of the resources. Because A comes first and A doesn't require decryption, the LCM thinks that applies to ALL the partial configs for that node including B.
Check the names of your partials and see how they apply in alphabetical order. If you want, you can implement a workaround by adding a dummy DSC resource named AAAsomething and add that to any nodes that need to decrypt credentials.
Here's someone that ran into the same issue and contacted MS support about it. https://powershell.org/forums/topic/partial-configurations-encrypted-credentials/
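The two workarounds in this thread (adding `ContentType="PasswordEncrypted";` to every unencrypted MOF, or making an encrypted partial sort first alphabetically) both depend on knowing which of a node's partial MOFs carry the encrypted marker and in what order the LCM will see them. The following PowerShell script is an added example, not code from the issue or from the DSC project: it reads the partial MOFs from a folder, orders them alphabetically as the comment above describes the LCM doing, and warns when the first partial is unencrypted while a later one needs decryption. The folder layout (one `<ConfigurationName>.mof` per partial) and the regular expressions are assumptions for illustration.

```powershell
# Added example (not from the issue thread): check whether a node's partial MOFs mix
# encrypted and unencrypted credentials in an order the LCM will mishandle.
function Test-PartialMofEncryption {
    param(
        # Folder holding the node's partial MOFs, e.g. the pull server's configuration
        # share. Assumed layout: one <ConfigurationName>.mof per partial configuration.
        [Parameter(Mandatory)] [string] $MofFolder
    )

    # The comment above states the LCM gathers partials in alphabetical order and
    # takes the decryption setting from the first one; mimic that ordering here.
    $mofs = Get-ChildItem -Path $MofFolder -Filter '*.mof' | Sort-Object -Property BaseName

    $report = foreach ($mof in $mofs) {
        $text = Get-Content -Path $mof.FullName -Raw

        # A MOF compiled with a certificate carries this marker in its
        # OMI_ConfigurationDocument instance; an unencrypted MOF does not.
        $encrypted = $text -match 'ContentType\s*=\s*"PasswordEncrypted"'

        # Any MOF that embeds a credential contains an MSFT_Credential instance.
        # Credential present + no marker means the password sits in the file in the clear.
        $hasCredential = $text -match 'instance of MSFT_Credential'

        [pscustomobject]@{
            Name           = $mof.BaseName
            Encrypted      = $encrypted
            HasCredential  = $hasCredential
            PlainTextCreds = ($hasCredential -and -not $encrypted)
        }
    }

    $first        = $report | Select-Object -First 1
    $needsDecrypt = @($report | Where-Object { $_.Encrypted })

    if ($needsDecrypt.Count -gt 0 -and -not $first.Encrypted) {
        $msg = "Partial '{0}' sorts first and is not marked encrypted, but {1} require(s) decryption; " +
               "the LCM will treat all partials for this node as unencrypted and fail on the credential." `
               -f $first.Name, ($needsDecrypt.Name -join ', ')
        Write-Warning $msg
    }

    foreach ($entry in ($report | Where-Object { $_.PlainTextCreds })) {
        Write-Warning ("Partial '{0}' embeds a credential without the PasswordEncrypted marker." -f $entry.Name)
    }

    $report
}

# Usage (path is a placeholder): list each partial's state and surface the ordering problem.
Test-PartialMofEncryption -MofFolder 'C:\ProgramData\PSDSCPullServer\Configuration' | Format-Table -AutoSize
```

Run it against the share the pull server serves from before registering a node with a new set of partial names; if the warning fires, either rename so that an encrypted partial sorts first (the "AAAsomething" approach from the comment above) or add the `ContentType="PasswordEncrypted";` line to the unencrypted MOFs as the earlier reply suggests, then re-run until the report shows no ordering warning and no plain-text credentials.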
Thanks @salineselin Closing this issue as it's been answered.
Not sure if this is the best place to put this, but I have a pull server with 2 non-encrypted MOFs and 1 encrypted MOF. The LCM on the lab node is configured to pull the 3 different configs as partial configs. When I run Start-DSCConfiguration, the encrypted MOF fails with the following:
The error above is misleading, as it is probably interpreting that password block in the MOF as a string literal (not an encrypted variable)
If I configure the LCM on the node to only pull the encrypted MOF, it works. So there seems to be some problem with a combination of multiple partial configs where some are encrypted and some are not. Any help appreciated.