Powershell DSC Encrypted Password File Error - The password cannot be null or empty

06-20-2022 01:12 PM
DianaBenedict1
New Contributor III

All,

I have successfully installed and upgraded my Dev environment using PowerShell DSC with a three-server deployment - woot woot. Once I moved to our TEST environment, I realized that I should really follow best security practices and used the following documents/blogs to ensure that we were setting up our DSC environments correctly. Not only is it best practice, I believe our TEST and PROD will not allow us to pass clear text, unprotected passwords for domain accounts. I found the following articles very useful in understanding how PowerShell and ESRI DSC accomplish this:

https://blogs.infosupport.com/safely-using-pscredentials-in-a-powershell-dsc-configuration/

https://docs.microsoft.com/en-us/powershell/dsc/pull-server/secureMOF?view=dsc-1.1&viewFallbackFrom=...

https://devblogs.microsoft.com/powershell/want-to-secure-credentials-in-windows-powershell-desired-s...

After reviewing the PowerShell explanations and reading the ESRI document HERE, I found that we needed to do the following in order to safely upgrade our UAT environment using ESRI ArcGIS PowerShell DSC.

1) encrypting passwords for our Domain Service accounts and Cert export files so they are not clear text

2) using the new param options for encrypting the MOF file as described in the 

"TargetNodeEncyrptionCertificateFilePath":"C:\\Users\\<username>\\AppData\\Local\\Temp\\DscPublicKey-TargetNode1.cer",
"TargetNodeEncyrptionCertificateThumbprint":"92C232C78204701BEB3FFB2CDEF24A6D2FAA97DA"

 

I no longer received the common warnings when I ran the Invoke-ArcGISConfiguration cmdlet.

Error message in the PortalUpgrade V2 log files:

6/17/2022 4:29:58 PM: The password supplied to the Desired State Configuration resource ArcGIS_Install is not valid. The password cannot be null or empty.
6/17/2022 4:29:58 PM: The SendConfigurationApply function did not succeed.

QUESTIONS:

  1. Are there other Group Policies and/or server settings that we should be aware of that would prevent the password from being passed?
  2. Is there a simple example for me to use so I can test that the PWD encryption and MOF encryption are working correctly?
  3. I am using a domain account to invoke the cmdlet; this domain user has been temporarily added to local admin on each target machine. Are there other settings that I am missing?
  4. I attempted to use the -Credential option so I can RunAs the SA account (also a domain account). I even used the -UseSSL property, but that did not seem to make a difference. Other thoughts or suggestions?

@CameronKroeker - could really use help from either you or others on the PowerShell DSC Team. I met some of you during the past ESRI Dev summit and we discussed how I could get my environments installed and upgraded using PowerShell. As stated above, it was so wonderful to see how easy and fast it was to upgrade our 3 servers using PowerShell DSC for our DEV. I really want to get this working for our UAT/TEST and eventually our PROD environments.

Thanks in advance for any help you can provide.

Diana

0 Kudos
2 Replies
TheChad
New Contributor

It probably isn't you. If you have updated Windows to the latest June patches, it breaks DSC credentials. The easiest test here is to check if your server has the latest Windows Update (June cumulative) on it, and if so, uninstall, then run again.

https://twitter.com/RobertBiddle/status/1538287531833303042

0 Kudos
DianaBenedict1
New Contributor III

I have not given up yet and have actually found the culprit to the error above. After working through many different scenarios I believe I have gotten to a point where I am now partially successful. Below is what I ended up doing:

  • requested our server team to digitally sign all the PowerShell files in the ArcGIS Module folder
  • used the option to create the password files as needed
  • eliminated the new param options for encrypting the MOF file since this is what was causing the error.

I would LOVE to be able to use the options for encrypting the MOF files, as these would help ensure a secure environment, but for now I think I will continue down the current road that I am on so that I can move in a forward direction.

Again, please note that I am invoking the cmdlet from a different server than the 3 target servers. I believe I have done all the steps described in the ESRI document but it is still not working.

Thoughts/suggestions greatly appreciated!

0 Kudos
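
Question 2 in the original post asks for a simple way to test that password and MOF encryption are working. The following is an added example, not part of any post in this thread and not code from the ArcGIS module: a compile-only check that a credential passed to a built-in DSC resource is written to the MOF encrypted. It assumes Windows PowerShell 5.1 and an exported public-key .cer for the target node; the paths, the account name and the test password are constructed.

```powershell
# Added example. The paths, account name and test password are constructed.
$CertFile   = "$env:TEMP\DscPublicKey-TargetNode1.cer"  # assumed: target node's exported public key
$OutputPath = "$env:TEMP\MofEncryptionTest"             # hypothetical scratch folder
$TestSecret = 'Constructed-Test-Passw0rd!'              # throwaway value, never a real password

# Read the thumbprint from the .cer itself so it cannot drift from the file.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$eku  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

$ConfigData = @{
    AllNodes = @(@{
        NodeName             = 'localhost'
        CertificateFile      = $CertFile
        Thumbprint           = $cert.Thumbprint
        PSDscAllowDomainUser = $true
    })
}

Configuration MofEncryptionTest {
    param([Parameter(Mandatory)][pscredential] $Credential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        File Probe {
            DestinationPath = 'C:\Temp\dsc-probe.txt'
            Contents        = 'probe'
            Credential      = $Credential
        }
    }
}

# Compile only. Nothing is applied to any node.
$secure = ConvertTo-SecureString $TestSecret -AsPlainText -Force
$cred   = New-Object pscredential ('CONTOSO\svc-test', $secure)
MofEncryptionTest -ConfigurationData $ConfigData -Credential $cred -OutputPath $OutputPath | Out-Null

$mof = Get-Content -Raw (Join-Path $OutputPath 'localhost.mof')
[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    DocumentEncryption = $eku.EnhancedKeyUsages.Value -contains '1.3.6.1.4.1.311.80.1'
    PlaintextInMof     = $mof.Contains($TestSecret)
    CmsBlockInMof      = $mof.Contains('-----BEGIN CMS-----')
}
Remove-Item $OutputPath -Recurse -Force   # do not leave the compiled MOF behind
```

Encryption on the authoring side is working when PlaintextInMof is False and CmsBlockInMof is True, and the Thumbprint shown should match the value given in the ArcGIS configuration file. This only covers compilation; decryption still requires the matching private key in the target node's certificate store.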