PowerShell DSC Encryption issue

Context

While working on a new setup, we had to deploy some binaries on a server using DSC.

To make the process scale to many machines, we created a network share to host the binaries and centralize access. In the DSC world, this meant we had two options:

1. Add the computer account of each machine accessing the share to the share's permissions.

2. Use the encryption feature in DSC (define an account in the MOF that is used to access the share).

During the testing phase, everything went well. The configuration was as follows:
Authoring machine: Windows 10, PowerShell 5.1.14393.693
Target machine: Windows Server 2016, PowerShell 5.1.14393.0

Issue

We then deployed the configuration on a Windows Server 2012 R2 machine, and the LCM kept failing with the message “Decryption failed. LCM failed to start desired state configuration manually.”

Digging a little deeper into the ‘Microsoft-Windows-Desired State Configuration/Operational’ event log, just before the “Decryption failed” error, another error had been logged: “Invalid provider type specified.”

With some help from the Internet and a bit of searching, I was able to “decrypt” our issue. I began by reading this nice article:
https://hyper-v.nu/archives/bgelens/2015/02/integrating-vm-role-with-desired-state-configuration-part-7-creating-a-configuration-document-with-encrypted-content/
which led me to review the certificate we used for the DSC encryption.

The initial setup used a custom CA-issued certificate that we had created following Microsoft’s recommendations stated here:
https://msdn.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements
Since we wanted to follow Microsoft’s best practices, we configured our certificate template to use the provider ‘Microsoft RSA SChannel Cryptographic Provider’.

Solution

The caveat with this configuration is that Windows Server 2012 R2 does not know how to decrypt anything using the ‘Microsoft RSA SChannel Cryptographic Provider’. Even deploying WMF 5.1 Preview does not help.
If you use the self-signed certificate generator script instead, it works flawlessly, because that script actually uses the legacy provider named ‘Legacy Cryptographic Service Provider’.

So either you create a certificate template using the provider category ‘Legacy Cryptographic Service Provider’, thus not following Microsoft’s certificate requirements, or you use only self-signed certificates generated with the custom script, or you upgrade your OS to Windows Server 2016.
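To catch this before the LCM fails, the following helper (an added example, not code from the original post) inspects the certificate the target machine would use to decrypt the MOF and reports which provider holds its private key, along with the key usage and Document Encryption EKU (OID 1.3.6.1.4.1.311.80.1) that the DSC certificate requirements ask for. The thumbprint value is a placeholder to replace with your own.

```powershell
# Added example, not from the original post. Run on the target node (or wherever the
# certificate with its private key lives) to see which provider backs the DSC decryption key.
function Test-DscDecryptionCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,            # thumbprint of the DSC certificate
        [string] $StorePath = 'Cert:\LocalMachine\My'           # store the LCM reads from
    )

    $cert = Get-Item -Path (Join-Path $StorePath $Thumbprint) -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }

    # Work out which provider holds the private key. CAPI (CSP) keys expose CspKeyContainerInfo;
    # CNG (KSP) keys are only reachable through RSACertificateExtensions on .NET 4.6+.
    $provider = $null
    $keyType  = 'none'
    $keyError = $null
    if ($cert.HasPrivateKey) {
        try {
            if ($cert.PrivateKey) {
                $keyType  = 'CSP'
                $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
            }
        } catch {
            # The same "Invalid provider type specified" text seen in the DSC event log surfaces here
            $keyError = $_.Exception.Message
        }
        if (-not $provider) {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG'
                $provider = $rsa.Key.Provider.Provider
            }
        }
    }

    # Usage constraints from the securemof certificate requirements
    $keyUsage = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
    $eku      = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages

    [pscustomobject]@{
        Thumbprint            = $cert.Thumbprint
        KeyType               = $keyType
        Provider              = $provider
        KeyAccessError        = $keyError
        HasKeyEncipherment    = [bool]($keyUsage -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        HasDocumentEncryption = [bool]($eku | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })
        # The finding of this post: this provider cannot be used for MOF decryption on Server 2012 R2
        FailsOn2012R2         = ($provider -eq 'Microsoft RSA SChannel Cryptographic Provider')
    }
}

Test-DscDecryptionCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' | Format-List   # placeholder thumbprint
```

A FailsOn2012R2 of True, or a non-empty KeyAccessError, means the certificate (or its template) should be re-issued with a legacy CSP before pushing the encrypted MOF to a 2012 R2 node.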

Regards,
MW


2 thoughts on “PowerShell DSC Encryption issue”

  1. Interesting, thanks for this. I have been working on a 2012 R2 Pull Server with AD Certificate Authority and having a similar problem; I will try the damn legacy crypto, which I hate to use. I don’t know why Microsoft doesn’t get their shit together with these annoying crypto errors in DSC and their certificate authorities. We should not have to use weak crypto in DSC configuration documents. This is crazy.

  2. Hi,
    I agree there is a lack of consistency in Microsoft’s documentation but I found they are improving on this part. The sad part is that the doc actually sends you on the wrong road … :/
    Let me know if you were able to fix your issue.
