DSC: Should allow Credentials with Blank Passwords, so you can use GMSA accounts

For some reason DSC errors out with a credential object contains a null password. Unfortunately that is the mechanism use to set group managed service accounts.
Here is a link to a relevant bug in xWebAdministration: https://github.com/PowerShell/xWebAdministration/issues/80#issuecomment-171364644

And here is an example of the output your recieve when you attempt to use a managed service account:

"VERBOSE: [COMPUTERNAME]: LCM: [ End Test ] [[xWebAppPool]testpool] in 0.0070 seconds.
The password supplied to the Desired State Configuration resource MSFT_xWebAppPool is not valid. The password cannot be null or empty.

+ CategoryInfo          : InvalidResult: (:) [], CimException

+ FullyQualifiedErrorId : InvalidPassword

+ PSComputerName        : localhost

128 votes

RandomChance shared this idea · Apr 15, 2016 · Flag idea as inappropriate… · Admin →

survey ·

Mark Gray responded · Jun 17, 2016

Thanks for the feedback! I have personally heard this request from a number of customers. IMHO having the ability to use GMS accounts would be a quite useful in DSC configurations. If this is an important feature for you as well, vote it up so that we can appropriately prioritize it as we move forward.

MarkG

6 comments

An error occurred while saving the comment

Nicholas Reilingh commented · September 14, 2018 8:45 AM · Flag as inappropriate

This also needs to be fixed for certificate encryption of credentials — currently decryption "fails" if a credential with a blank password is passed across to the target node in a MOF file. See further discussion in this issue: https://github.com/PowerShell/SqlServerDsc/issues/378

Submitting...
Daniel Scott-Raynsford commented · March 6, 2018 10:58 AM · Flag as inappropriate

I also have an issue I can't resolve in xComputerManagement because of this issue : https://github.com/PowerShell/xComputerManagement/issues/130.

I could work around it with a breaking change (split the ExecuteAsCredential into separate parameters or put an "ugly" work around in place). But I'd rather not do this. Is there any update?

Submitting...
Ryan Bartram commented · February 15, 2018 2:42 PM · Flag as inappropriate

This is something that has to be implemented in the resource. I can't see a way that DSC can overcome this. I implemented it a while ago into the then xSqlServer resource. https://github.com/PowerShell/SqlServerDsc/pull/285

Submitting...
Anonymous commented · October 6, 2017 12:43 AM · Flag as inappropriate

Is there any update on this? We are using DSC alongside Puppet, whilst Puppet can run quite happily a gMSA, when it invokes DSC we hit a number of issues by not being able to use managed service accounts

Submitting...
CJ commented · February 27, 2017 9:55 AM · Flag as inappropriate

Is it done yet ? This should have been a no brainer that we need to support gMSA's. Why would you try to promote the usage of regular accounts with all of their management overhead and security conserns ?

Submitting...
Edd Douse commented · June 8, 2016 2:13 AM · Flag as inappropriate

I've been thinking about this since running into the problem myself. The thing I'm thinking now is to keep the behaviour of credentials not allowing blank passwords (because it's difficult to create a secure string on a blank object).

Instead, have the resources check the credential's username, if it ends in a $ symbol (required for Managed Service Accounts), ignore the password.

It's what I'm about to do, although I don't like changing the DSC resources from the gallery too much but I'll see if it works then submit a PR.

Submitting...