Closed (jonathan-madison closed 9 years ago)
Hey Jon,
Without seeing the specific Configuration you are using to generate the MOF file, it's fairly hard to troubleshoot. Having had a short glimpse at the rsMSMQ code just now, I have a first suspicion of what might be causing this. In essence, it seems like rsMSMQ is "just" importing the client's public cert into the Root CA store of the Local Machine (see here). However, for Credentials encryption, you will need the Certificate File as .cer, as seen in an example here (taken from showpitch).
Would you be able to point me to the actual Configuration that you are using? Also, I will need to look into the new platform a bit more in general but especially with regards to the Credentials encryption.
Thanks,
Nico
Fixed in release v1.1.0
The Set-TargetResource function in the RS_rsProcessQueue resource (at lines 77-80) uses the System.Security.Cryptography.X509Certificates class to create the client cert and install it on the PullServer.
From what I'm seeing on MSDN, I don't think it's possible to create a key exchange cert using this class.
https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2%28v=vs.110%29.aspx
As such, generating the certificates in this manner is preventing DSC from encrypting a PSCredential for clients as the cert is not valid for key exchange. No error is thrown when running DSC but MOFs do not generate. Manually running throws an error about storing plaintext passwords in the MOF, leading me to believe this is the issue. Error text at the end of this message.
We'll need to hotfix this DSC resource to use makecert.exe instead.
Full error text:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Password' OF TYPE 'User': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\DevOps\Template-Client.ps1:46 char:9
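
The certificate properties discussed in this thread (key exchange usage, and a .cer file for Credentials encryption) can be inspected before compiling a Configuration. The following is an added example, not code from rsMSMQ or from either poster; the function name `Test-DscEncryptionCert`, the thumbprint placeholder, the node name and the output path are assumptions.

```powershell
# Added example (not rsMSMQ code). Reports whether a certificate carries the
# usages needed to encrypt a PSCredential in a MOF, then exports the public
# half as .cer and references it from ConfigurationData.
function Test-DscEncryptionCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $ku  = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $usages = if ($ku) { [int]$ku.KeyUsages } else { 0 }

    [pscustomobject]@{
        Thumbprint            = $Certificate.Thumbprint
        HasKeyUsageExtension  = [bool]$ku
        KeyEncipherment       = ($usages -band [int]$flags::KeyEncipherment) -ne 0
        DataEncipherment      = ($usages -band [int]$flags::DataEncipherment) -ne 0
        # Document Encryption EKU, checked by newer WMF versions
        DocumentEncryptionEku = [bool]($eku.EnhancedKeyUsages |
                                    Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })
        # The private key is only needed on the node that decrypts the MOF
        HasPrivateKey         = $Certificate.HasPrivateKey
    }
}

$thumbprint = 'THUMBPRINT-PLACEHOLDER'        # assumption: replace with the client cert's thumbprint
$cerPath    = 'C:\Temp\client01.cer'          # hypothetical output path
$cert   = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
$report = Test-DscEncryptionCert -Certificate $cert
$report | Format-List

if ($report.KeyEncipherment -or $report.DataEncipherment) {
    # Public certificate only; this is the .cer the authoring machine encrypts with
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName        = 'client01'  # hypothetical node name
                CertificateFile = $cerPath
                Thumbprint      = $cert.Thumbprint
            }
        )
    }
} else {
    Write-Warning "Certificate $($cert.Thumbprint) is not marked for key or data encipherment."
}
```

The same thumbprint has to be set as `CertificateID` in the target node's LocalConfigurationManager settings so the node can decrypt the credential.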