所需状态配置中的凭证
Credentials in Desired State Configuration
我有以下所需的状态配置 (DSC)
Configuration Cert
{
param (
[Parameter(Mandatory=$true)]
[ValidateNotNullorEmpty()]
[System.String] $machineName,
[Parameter(Mandatory = $true)]
[ValidateNotNullorEmpty()]
[PSCredential]
$certCredential
)
Import-DscResource -ModuleName xPSDesiredStateConfiguration, xCertificate
Node $machineName
{
xPfxImport cert
{
Ensure = 'Present'
Path = 'C:\certificate.pfx'
Thumbprint = 'abcdefg'
Location = 'LocalMachine'
Store = 'My'
Exportable = $true
Credential = $certCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName = 'localhost'
PSDscAllowPlainTextPassword = $true
}
)
}
$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('x', $secpasswd)
Cert -machineName MyPC -certCredential $mycreds -ConfigurationData $cd
Start-DscConfiguration –Path .\Cert –Wait –Verbose -Force
当我尝试执行此操作时,出现以下错误:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Credential' OF TYPE 'xPfxImport':
Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in
MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Users\x\Desktop\script.ps1:18 char:9
+ xPfxImport
At line:341 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Compilation errors occurred while processing configuration 'Cert'. Please review the errors reported in error stream and
modify your configuration code appropriately.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917
char:5
+ throw $ErrorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Cert:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
我知道密码必须加密,并且不允许或至少不推荐将其保存为明文。我已经尝试了互联网上建议的许多事情,但我仍然无法使其正常工作。
我正在寻找一种方法来安装证书并在之后授予特定的设置证书权限。
您需要允许 plaintextcredentials (link)
Configuration DomainCredentialExample
{
param(
[PSCredential]$DomainCredential
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Node $AllNodes.NodeName
{
Group DomainUserToLocalGroup
{
GroupName = 'InfoSecBackDoor'
MembersToInclude = 'contoso\notyouraccount'
Credential = $DomainCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName="localhost"
PSDscAllowPlainTextPassword=$true
}
)
}
$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
发现自己面临同样的问题,我想我会重申问题的实际原因(实际上隐藏在评论中):
The last comment led me to the real problem. I did not realize that the nodename is actually what causing the issue. Please change node localhost line (8) to Node $AllNodes.NodeName and NodeName="*" back to NodeName="localhost"
通过 PSDesiredStateConfiguration.psm1 中的框架代码挑选,除非 $machineName = localhost 否则不会看到 PSDscAllowPlainTextPassword 标志(在我们的例子中,它实际上是完全合格与完全合格的情况)。非完全限定的机器名称)。
我也偶然发现了一个未记录的解决方法(我不一定推荐使用它)——实际上可以使用以下注册表项关闭对明文凭据的检查:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\DSC]
"PSDscAllowPlainTextPassword"="True"
"PSDscAllowDomainUser"="True"
希望这可以让其他人省去一些麻烦!
我有以下所需的状态配置 (DSC)
Configuration Cert
{
param (
[Parameter(Mandatory=$true)]
[ValidateNotNullorEmpty()]
[System.String] $machineName,
[Parameter(Mandatory = $true)]
[ValidateNotNullorEmpty()]
[PSCredential]
$certCredential
)
Import-DscResource -ModuleName xPSDesiredStateConfiguration, xCertificate
Node $machineName
{
xPfxImport cert
{
Ensure = 'Present'
Path = 'C:\certificate.pfx'
Thumbprint = 'abcdefg'
Location = 'LocalMachine'
Store = 'My'
Exportable = $true
Credential = $certCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName = 'localhost'
PSDscAllowPlainTextPassword = $true
}
)
}
$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('x', $secpasswd)
Cert -machineName MyPC -certCredential $mycreds -ConfigurationData $cd
Start-DscConfiguration –Path .\Cert –Wait –Verbose -Force
当我尝试执行此操作时,出现以下错误:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Credential' OF TYPE 'xPfxImport': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 At C:\Users\x\Desktop\script.ps1:18 char:9 + xPfxImport At line:341 char:16 + $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException + FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance Compilation errors occurred while processing configuration 'Cert'. Please review the errors reported in error stream and modify your configuration code appropriately. At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:3917 char:5 + throw $ErrorRecord + ~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (Cert:String) [], InvalidOperationException + FullyQualifiedErrorId : FailToProcessConfiguration
我知道密码必须加密,并且不允许或至少不推荐将其保存为明文。我已经尝试了互联网上建议的许多事情,但我仍然无法使其正常工作。
我正在寻找一种方法来安装证书并在之后授予特定的设置证书权限。
您需要允许 plaintextcredentials (link)
Configuration DomainCredentialExample
{
param(
[PSCredential]$DomainCredential
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Node $AllNodes.NodeName
{
Group DomainUserToLocalGroup
{
GroupName = 'InfoSecBackDoor'
MembersToInclude = 'contoso\notyouraccount'
Credential = $DomainCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName="localhost"
PSDscAllowPlainTextPassword=$true
}
)
}
$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
发现自己面临同样的问题,我想我会重申问题的实际原因(实际上隐藏在评论中):
The last comment led me to the real problem. I did not realize that the nodename is actually what causing the issue. Please change node localhost line (8) to Node $AllNodes.NodeName and NodeName="*" back to NodeName="localhost"
通过 PSDesiredStateConfiguration.psm1 中的框架代码挑选,除非 $machineName = localhost 否则不会看到 PSDscAllowPlainTextPassword 标志(在我们的例子中,它实际上是完全合格与完全合格的情况)。非完全限定的机器名称)。
我也偶然发现了一个未记录的解决方法(我不一定推荐使用它)——实际上可以使用以下注册表项关闭对明文凭据的检查:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\DSC]
"PSDscAllowPlainTextPassword"="True"
"PSDscAllowDomainUser"="True"
希望这可以让其他人省去一些麻烦!