Bug: DSC Decryption across Servers not Working
On 2 Fully Updated Windows Server 2016 Machines running and provisioned from Azure I have created a Pull Server Configuration. I have created the DSC Signing Certificate using a custom template on a Enterprise Root CA which has worked for 2012R2 nodes and also tested using xDSCUtils New-xSelfSignedDscEncryptionCertificate. Using the same Certificate to Compile and Execute the MOF on the same Computer works, it is only if you compile on one and execute on another that the problems arise.
I kept getting errors when passing in credentials. I therefore wrote a tiny custom DSC Resource that Displays the Password as clear text when I run Start-DSCConfiguration -Wait -Verbose
You can find it here https://gist.github.com/aboersch/65e846a4966fe2c4708ed21d655a54a7
The Client does not correctly decrypt the Credentials. As a Password I am receiving
<Long Multi-Line Base64 String>
If I pass this to Unprotect-CmsMessage I receive the correct Password.
The Certificate passes $.PrivateKey.KeyExchangeAlgorithm and $.Verify
I have tried changing the Certificate Provider to '"Microsoft Enhanced Cryptographic Provider v1.0"', '"Legacy Cryptographic Service Provider"', and '"Microsoft RSA SChannel Cryptographic Provider"'.
I have already tried these: