DSC: Should allow Credentials with Blank Passwords, so you can use GMSA accounts
For some reason DSC errors out with a credential object contains a null password. Unfortunately that is the mechanism use to set group managed service accounts.
Here is a link to a relevant bug in xWebAdministration: https://github.com/PowerShell/xWebAdministration/issues/80#issuecomment-171364644
And here is an example of the output your recieve when you attempt to use a managed service account:
"VERBOSE: [COMPUTERNAME]: LCM: [ End Test ] [[xWebAppPool]testpool] in 0.0070 seconds.
The password supplied to the Desired State Configuration resource MSFT_xWebAppPool is not valid. The password cannot be null or empty.
+ CategoryInfo : InvalidResult: (:) , CimException
+ FullyQualifiedErrorId : InvalidPassword
+ PSComputerName : localhost
Thanks for the feedback! I have personally heard this request from a number of customers. IMHO having the ability to use GMS accounts would be a quite useful in DSC configurations. If this is an important feature for you as well, vote it up so that we can appropriately prioritize it as we move forward.
Nicholas Reilingh commented
This also needs to be fixed for certificate encryption of credentials — currently decryption "fails" if a credential with a blank password is passed across to the target node in a MOF file. See further discussion in this issue: https://github.com/PowerShell/SqlServerDsc/issues/378
Daniel Scott-Raynsford commented
I also have an issue I can't resolve in xComputerManagement because of this issue : https://github.com/PowerShell/xComputerManagement/issues/130.
I could work around it with a breaking change (split the ExecuteAsCredential into separate parameters or put an "ugly" work around in place). But I'd rather not do this. Is there any update?
Ryan Bartram commented
This is something that has to be implemented in the resource. I can't see a way that DSC can overcome this. I implemented it a while ago into the then xSqlServer resource. https://github.com/PowerShell/SqlServerDsc/pull/285
Is there any update on this? We are using DSC alongside Puppet, whilst Puppet can run quite happily a gMSA, when it invokes DSC we hit a number of issues by not being able to use managed service accounts
Is it done yet ? This should have been a no brainer that we need to support gMSA's. Why would you try to promote the usage of regular accounts with all of their management overhead and security conserns ?
Edd Douse commented
I've been thinking about this since running into the problem myself. The thing I'm thinking now is to keep the behaviour of credentials not allowing blank passwords (because it's difficult to create a secure string on a blank object).
Instead, have the resources check the credential's username, if it ends in a $ symbol (required for Managed Service Accounts), ignore the password.
It's what I'm about to do, although I don't like changing the DSC resources from the gallery too much but I'll see if it works then submit a PR.