我有以下所需的状态配置(DSC)
Configuration Cert
{
param (
[Parameter(Mandatory=$true)]
[ValidateNotNullorEmpty()]
[System.String] $machineName,
[Parameter(Mandatory = $true)]
[ValidateNotNullorEmpty()]
[PSCredential]
$certCredential
)
Import-DscResource -ModuleName xPSDesiredStateConfiguration, xCertificate
Node $machineName
{
xPfxImport cert
{
Ensure = 'Present'
Path = 'C:\certificate.pfx'
Thumbprint = 'abcdefg'
Location = 'LocalMachine'
Store = 'My'
Exportable = $true
Credential = $certCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName = 'localhost'
PSDscAllowPlainTextPassword = $true
}
)
}
$secpasswd = ConvertTo-SecureString 'password' -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ('x', $secpasswd)
Cert -machineName MyPC -certCredential $mycreds -ConfigurationData $cd
Start-DscConfiguration –Path .\Cert –Wait –Verbose -Force
当我尝试执行此操作时,我收到以下错误:
ConvertTo-MOFInstance:System.InvalidOperationException错误处理属性'Credential'OF TYPE'xPfxImport':不建议将加密密码转换和存储为纯文本。有关在MOF文件中保护凭据的更多信息,请参阅MSDN博客:http://go.microsoft.com/fwlink/?LinkId=393729在C:\ Users \ x \ Desktop \ script.ps1:18 char:9 + xPfxImport在行:341 char:16 + $ aliasId = ConvertTo- MOFInstance $ keywordName $ canonicalizedValue + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~ + CategoryInfo:InvalidOperation :( :) [Write-Error],InvalidOperationException + FullyQualifiedErrorId:FailToProcessProperty,ConvertTo-MOFInstance处理配置'Cert'时发生编译错误。请查看错误流中报告的错误并相应地修改配置代码。在C:\ Windows \ system32 \ WindowsPowerShell \ v1.0 \ Modules \ PSDesiredStateConfiguration \ PSDesiredStateConfiguration.psm1:3917 char:5 + throw $ ErrorRecord + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo:InvalidOperation:(Cert:String)[],InvalidOperationException + FullyQualifiedErrorId:FailToProcessConfiguration
我意识到密码必须加密并保存,因为不允许或至少不建议使用。我在互联网上尝试了许多建议但我仍然无法使其正常工作。
我正在寻找一种方法来安装证书并在此之后提供某些设置的证书权限。
你需要允许plaintextcredentials(link)
Configuration DomainCredentialExample
{
param(
[PSCredential]$DomainCredential
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Node $AllNodes.NodeName
{
Group DomainUserToLocalGroup
{
GroupName = 'InfoSecBackDoor'
MembersToInclude = 'contoso\notyouraccount'
Credential = $DomainCredential
}
}
}
$cd = @{
AllNodes = @(
@{
NodeName="localhost"
PSDscAllowPlainTextPassword=$true
}
)
}
$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
发现自己面临同样的问题,我只是想我会重新讨论问题的实际原因(实际上隐藏在评论中):
最后的评论让我想到了真正的问题。我没有意识到节点实际上是造成这个问题的原因。请将node localhost行(8)更改为Node $ AllNodes.NodeName,将NodeName =“*”更改回NodeName =“localhost”
通过PSDesiredStateConfiguration.psm1中的框架代码,PSDscAllowPlainTextPassword标志将不会被看到,除非$machineName = localhost(在我们的例子中它实际上是一个完全合格的机器名称和非完全合格的机器名称)。
我也偶然发现了一个没有文档的解决方法(不是我一定建议使用它) - 实际上可以使用以下注册表项关闭对明文凭据的检查:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\DSC]
"PSDscAllowPlainTextPassword"="True"
"PSDscAllowDomainUser"="True"
希望这可能会让别人有些头疼!