I’ll show how to configure and use PowerShell DSC so that it accepts PSCredential parameters in a configuration and encrypts these in the generated .mof file, so that only the target machine on which the configuration is applied can decrypt them.

This post applies to PowerShell 4.0 and higher. If you want to learn more about Desired State Configuration and PSRemoting, check out these excellent e-books online: The DSC Book and Secrets of PowerShell Remoting, or check out the complete list of ebooks at.

The problem

By default, PowerShell DSC prevents the use of PSCredential parameters in a configuration, because it would mean that the password would be stored as plain text in the .mof file. Suppose we have the following configuration that uses the Service resource:

    Import-DscResource -ModuleName "PSDesiredStateConfiguration"

    # Run the configuration, generating the MyConfiguration\TargetServer.mof file
    $credentials = Get-Credential -Message "Enter credentials"
    MyConfiguration -MyCredential $credentials

Because of the PSCredential parameter, creating the .mof file fails with the following error:

    Converting and storing encrypted passwords as plain text is not recommended. Information on securing credentials in MOF file, please refer to MSDN blog:

The wrong way to work around this is to suppress this message by specifying PsDscAllowPlainTextPassword=$true as part of the ConfigurationData for this node:

    MyConfiguration -MyCredential $credentials -ConfigurationData $cd

The .mof file is generated, but it contains the password in plain text (open it with a text editor to see this for yourself), which is indeed “not recommended”.

Now, there are a couple of articles out there that try to explain what needs to happen in order to make this error go away, such as this, this and this one. After having read these and experimented quite a bit I finally got the ‘click’, but I can imagine that not everyone wants to put in that much effort and just use PsDscAllowPlainTextPassword=$true and be done with it. This is a shame really, since the setup isn’t that difficult, and I think that if things were explained just a little differently many more people would be using it. So here goes, my attempt at writing up this information in the way I wished it was explained to me.

What needs to happen is that the PSCredential objects should not end up as plain text in the .mof file. This is done using asymmetric cryptography, where the Sending machine encrypts the PSCredentials using a public key, so that only the Target machine with the corresponding private key is then able to decrypt them.

– The Target machine needs to have a certificate in its certificate store with both a public and a private key.
– We export just the public key portion to a certificate file that we give to the Sending machine.
– Next, we’ll configure the Target machine’s Local Configuration Manager (which is responsible for applying the .mof files) to use this particular certificate from the certificate store to decrypt the encrypted values with.
– On the sending side, whenever we run our Configuration to generate the .mof file, we tell it to use the certificate file to encrypt the PSCredentials with, and PowerShell won’t complain anymore about storing passwords in plain text.

Sounds easy enough? We’ll tackle each of these points in turn.

Install a certificate on the Target machine

Providing you don’t already have a certificate with a private key installed in the Personal certificate store for the Local Computer, there are various ways to obtain a certificate, such as:

a) Via Active Directory certificate enrollment

If your Target machine is part of an Active Directory domain with a Root or Enterprise Certification Authority, requesting a new certificate can be done through the Microsoft Management Console Certificates snap-in:

– Via File, Add/Remove Snap in, add the Certificates snap in for the local computer account,
– Right click in the details pane and choose All Tasks, Request New Certificate…
– Next, Next, check the “Computer” template and click Enroll.

If your system administrator has configured Automatic Certificate Enrollment, the certificate request should be granted immediately and the certificate should be added to the Computer’s Personal certificate store. Otherwise, your system administrator needs to explicitly grant this request.

If you don’t have a CA available, an alternative is to generate a self-signed certificate. The easiest way to do this is via IIS, via the Server Certificates feature – see this walkthrough.
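The four steps listed in the post (certificate on the Target, public key exported to the Sending machine, Local Configuration Manager pointed at the certificate, configuration compiled with the certificate file) can be put together as follows. This is an added example, not code from the original post: `TargetServer` is the node name the post uses, while the file paths, the `ExampleService` service and the thumbprint placeholder are assumptions. `CertificateFile`, `Thumbprint` and `CertificateId` are the DSC settings that carry the certificate information.

```powershell
# Added example. 'TargetServer' comes from the post; paths, service name and the
# thumbprint placeholder are assumptions.
$thumbprint = '<THUMBPRINT-OF-TARGET-CERTIFICATE>'

# --- On the Target machine: export ONLY the public key (.cer), never the .pfx ---
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Target certificate has no private key.' }
Export-Certificate -Cert $cert -FilePath 'C:\Temp\TargetServer.cer' | Out-Null

# --- On the Sending machine: copy TargetServer.cer here first ---
$cd = @{
    AllNodes = @(
        @{
            NodeName        = 'TargetServer'
            CertificateFile = 'C:\Certs\TargetServer.cer'  # encrypts PSCredentials
            Thumbprint      = $thumbprint                  # tells the LCM which cert decrypts
            # No PsDscAllowPlainTextPassword entry.
        }
    )
}

Configuration MyConfiguration {
    param([Parameter(Mandatory = $true)][PSCredential]$MyCredential)
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $AllNodes.NodeName {
        # Written to TargetServer.meta.mof: the LCM decrypts with this certificate.
        LocalConfigurationManager { CertificateId = $Node.Thumbprint }

        Service ExampleService {
            Name       = 'ExampleService'   # hypothetical service
            Credential = $MyCredential
            State      = 'Running'
        }
    }
}

$credentials = Get-Credential -Message 'Enter credentials'
MyConfiguration -MyCredential $credentials -ConfigurationData $cd | Out-Null

# Check: the clear-text password must not appear in the generated .mof.
$plain = $credentials.GetNetworkCredential().Password
if (Select-String -Path '.\MyConfiguration\TargetServer.mof' -Pattern $plain -SimpleMatch -Quiet) {
    throw 'Password found in plain text in TargetServer.mof.'
}

Set-DscLocalConfigurationManager -Path '.\MyConfiguration' -Verbose   # apply meta.mof
Start-DscConfiguration -Path '.\MyConfiguration' -Wait -Verbose       # apply the .mof
```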