Please feel free to provide feedback or file bugs here.

Bug: DSC Decryption across Servers not Working

On 2 Fully Updated Windows Server 2016 Machines running and provisioned from Azure, I have created a Pull Server Configuration. I have created the DSC Signing Certificate using a custom template on an Enterprise Root CA which has worked for 2012R2 nodes and also tested using xDSCUtils New-xSelfSignedDscEncryptionCertificate. Using the same Certificate to Compile and Execute the MOF on the same Computer works; it is only if you compile on one and execute on another that the problems arise.
I kept getting errors when passing in credentials. I therefore wrote a tiny custom DSC Resource that Displays the Password as clear text when I run Start-DSCConfiguration -Wait -Verbose.
You can find it here: https://gist.github.com/aboersch/65e846a4966fe2c4708ed21d655a54a7
The Client does not correctly decrypt the Credentials. As a Password I am receiving:
-----BEGIN CMS-----
<Long Multi-Line Base64 String>
-----END CMS-----
If I pass this to Unprotect-CmsMessage I receive the correct Password.
The Certificate passes $_.PrivateKey.KeyExchangeAlgorithm and $_.Verify.
I have tried changing the Certificate Provider to '"Microsoft Enhanced Cryptographic Provider v1.0"', '"Legacy Cryptographic Service Provider"', and '"Microsoft RSA SChannel Cryptographic Provider"'.
I have already tried these:
http://stackoverflow.com/questions/34006865/dsc-problems-with-credentials-and-build-10586
https://wespoint.wordpress.com/2017/01/19/powershell-dsc-encryption-issue/

1 vote

Alexander Boersch shared this idea
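
One way to check, on the node that applies the MOF, which certificate the CMS block described in the report was encrypted to and whether that certificate is the one the LCM is configured to decrypt with. This is an added example, not part of the original report; the function name Test-DscCmsRecipient and the input file name are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell 5.x session on the target node.
# Test-DscCmsRecipient is a hypothetical helper name, not part of DSC.
function Test-DscCmsRecipient {
    [CmdletBinding()]
    param(
        # Full "-----BEGIN CMS----- ... -----END CMS-----" text the resource received
        [Parameter(Mandatory)]
        [string] $CmsText
    )

    # Thumbprint the LCM on this node is configured to use for decryption
    $lcmThumbprint = (Get-DscLocalConfigurationManager).CertificateID

    # Recipients the message was encrypted to. Get-CmsMessage does not need
    # the private key, so this works even when decryption itself fails.
    $recipients = (Get-CmsMessage -Content $CmsText).Recipients

    foreach ($recipient in $recipients) {
        # Match on serial number only; both issuer strings are reported
        # so they can be compared by eye.
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $recipient.SerialNumber } |
            Select-Object -First 1

        [pscustomobject]@{
            RecipientIssuer  = $recipient.IssuerName
            RecipientSerial  = $recipient.SerialNumber
            StoreCertIssuer  = $cert.Issuer
            StoreThumbprint  = $cert.Thumbprint
            HasPrivateKey    = [bool] $cert.HasPrivateKey
            LcmCertificateID = $lcmThumbprint
            MatchesLcm       = ($null -ne $cert) -and
                               ($cert.Thumbprint -eq $lcmThumbprint)
        }
    }
}

# Usage (password.cms.txt is a hypothetical file holding the CMS text):
# Test-DscCmsRecipient -CmsText (Get-Content .\password.cms.txt -Raw)
```

An empty StoreThumbprint means no certificate with the recipient's serial number is in the machine store; MatchesLcm being False means the message was encrypted to a certificate other than the one the LCM's CertificateID points at.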

    0 comments
