(WMF 4) Get-DscConfiguration fails to decrypt more than one credential
Assume you have a DSC configuration which uses two or more resources, each of them having a PSCredential property. The credentials are encrypted using a certificate. The configuration is applied successfully to the target node. However, Get-DscConfiguration fails with the following error message:
Get-DscConfiguration : Decryption failed.
At line:1 char:1
+ CategoryInfo : NotSpecified: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get-DscConfiguration], CimException
+ FullyQualifiedErrorId : Windows System Error -2146893819,Get-DscConfiguration
Analyzing the problem using a trivial resource which only writes diagnostic messages, it seems the credentials are correctly decrypted for the first resource, but the LCM fails to decrypt them for the second resource (the order that matters is the physical order of definitions in Current.mof). Here is the code of the resource, the configuration and console output: https://gist.github.com/jberezanski/67d7bea37184407ebe9d
The problem has been fixed in WMF 5.0, but due to the breaking change regarding encryption certificates (requiring a new EKU), upgrading to WMF 5.0 is not an easy option for us right now. I'm hoping for a fix in WMF 4.0.
Jakub Bereżański commented
The issue was found on a fully patched (as of 2016-03-17) Windows Server 2012 R2, installed from the SW_DVD9_Windows_Svr_Std_and_DataCtr_2012_R2_64Bit_English_-4_MLF_X19-82891.iso volume license image.
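The setup described in the report, sketched as an added example (not the code from the linked gist, and not from the original post). It uses the built-in `User` resource for its `PSCredential`-typed `Password` property; the report used a custom diagnostic resource, so this shows only the shape of such a configuration. All names, paths and the thumbprint are constructed placeholders.

```powershell
# Added example. Paths, user names and the thumbprint are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            # Public certificate used at compile time to encrypt PSCredential values
            CertificateFile = 'C:\DscDemo\DscEncryption.cer'
            # Thumbprint of the matching certificate (with private key) on the node
            Thumbprint      = '<THUMBPRINT-PLACEHOLDER>'
        }
    )
}

Configuration TwoCredentialDemo
{
    param(
        [Parameter(Mandatory)] [PSCredential] $FirstCredential,
        [Parameter(Mandatory)] [PSCredential] $SecondCredential
    )

    Node $AllNodes.NodeName
    {
        # Tells the LCM which certificate to use for decryption
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }

        # Two resources, each carrying its own encrypted credential.
        # Their order in the generated MOF is the order the report refers to.
        User FirstAccount
        {
            UserName = 'DemoUserA'
            Password = $FirstCredential
            Ensure   = 'Present'
        }

        User SecondAccount
        {
            UserName = 'DemoUserB'
            Password = $SecondCredential
            Ensure   = 'Present'
        }
    }
}

# Compile, configure the LCM, apply, then read the configuration back.
TwoCredentialDemo -ConfigurationData $ConfigData -OutputPath 'C:\DscDemo\mof' `
    -FirstCredential (Get-Credential) -SecondCredential (Get-Credential)
Set-DscLocalConfigurationManager -Path 'C:\DscDemo\mof'
Start-DscConfiguration -Path 'C:\DscDemo\mof' -Wait -Verbose
Get-DscConfiguration   # the call that fails in the report
```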