Error processing property 'Credential' OF TYPE 'PfxImport' #217

Open
Harshinee opened this issue Feb 14, 2020 · 4 comments

Harshinee commented Feb 14, 2020

ISSUE TITLE:
PfxImport: Error processing property 'Credential' OF TYPE 'PfxImport'

ISSUE DESCRIPTION (this template):
I'm trying to import a certificate using PfxImport. It fails with the following error:

System.InvalidOperationException error processing property 'Credential' OF TYPE 'PfxImport': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.80.0.0\DSCWork\NodeComponentDscNoKevlar.0\InstallExtensions.ps1:36 char:9
+ PfxImport
Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.
Unable to find type [System.Net.Http.HttpClient].
Unable to find type [System.Net.Http.HttpClient].
Unable to find type [Microsoft.PowerShell.Commands.PowerShellGet.Telemetry].
Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example: configuration Example { param([PSCredential] $UserAccount) ... }.
Please correct the input and retry executing the extension.

The operating system the target node is running

OsName               : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.3442.amd64fre.rs1_release.191219-1727

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14393.3383
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.3383
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

4.7.0.0

I have attached my dsc configuration file for reference.
InstallExtensions.txt

@PlagueHO
Member

Hi @Harshinee,
By default DSC doesn't allow passwords/credentials in config files to be stored in plain text - which is what is going to happen here. So the message you're seeing is telling you that you either need to encrypt the MOF file or tell DSC that you want to allow plain text passwords/credentials. This page details the process of either encrypting the MOF or allowing plaintext passwords (recommend encrypting the MOF for production systems):
https://docs.microsoft.com/en-nz/powershell/scripting/dsc/pull-server/securemof?view=powershell-7
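
The two options named in the comment above, shown side by side as an added example (not code from this thread or from the CertificateDsc project). The configuration name, file paths and thumbprint placeholders are assumptions, and it assumes CertificateDsc is already installed on the authoring machine and that the node holds a document-encryption certificate whose public key has been exported to the `.cer` file.

```powershell
# Constructed example: paths, thumbprints and names below are placeholders.
# Weak option: the PFX password is written to the MOF in clear text.
$plainTextData = @{
    AllNodes = @(@{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true })
}

# Preferred option: credentials in the MOF are encrypted to the node's certificate.
$encryptedData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\PublicKeys\DscPublicKey.cer'  # public key only
            Thumbprint      = '<DSC-ENCRYPTION-CERT-THUMBPRINT>'
        }
    )
}

Configuration ImportPfxExample
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $PfxCredential
    )

    Import-DscResource -ModuleName CertificateDsc

    Node $AllNodes.NodeName
    {
        # Tells the node's LCM which certificate (private key) decrypts the MOF.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        PfxImport ServiceCertificate
        {
            Thumbprint = '<PFX-CERT-THUMBPRINT>'
            Path       = 'C:\Certificates\service.pfx'
            Location   = 'LocalMachine'
            Store      = 'My'
            Credential = $PfxCredential
        }
    }
}

# Compile with the encrypted data so the MOF carries the password as ciphertext.
ImportPfxExample -ConfigurationData $encryptedData -PfxCredential (Get-Credential) -OutputPath 'C:\DscOutput'
```

Compiling against `$plainTextData` instead silences the same error but leaves the PFX password readable by anyone who can open the generated MOF; the private key for the encryption certificate should exist only on the target node.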

@Harshinee
Author

I have another question about installing the module. I tried a few things,

  1. Import using 'Import-DSCResource -ModuleName CertificateDsc'. I get this error: Could not find the module 'CertificateDsc'.
  2. Find-Module -Name CertificateDsc -Repository PSGallery | Install-Module -Force
    This fails because it looks like the NuGet version needs to be updated. For this, I added 'Install-PackageProvider -Name NuGet -Force' before the import, and that doesn't work.

@PlagueHO
Member

Hi @Harshinee - Ok, here are my suggestions:

  1. Don't install the modules in the Configuration - install them by the code that calls the Configuration.
  2. The second issue is not related to DSC. This is making sure PowerShell has the files necessary to download modules from the PowerShell Gallery. The update/installation of the NuGet package provider the first time installing a module (any module) from the PS Gallery will do this. You need to automate this.

If there is an error Installing the Nuget Package Provider then you have bigger problems than DSC (it is a problem with the PowerShell setup on your machine) - so you'll need to fix that first. There will be lots of solutions around the internet for this depending on what error you're seeing.

Finally, I'd question, are you compiling the DSC Config on the node you're planning to deploy the configuration to or are you doing it on a different machine? Generally if you're compiling on one machine and then deploying the MOF to another machine (e.g. using a DSC Pull server or Azure DSC Extension) then you'll be getting the DSC Resource modules onto the machine another way.

But I'd expect your script to be more like:

Configuration NodeComponentsDsc
{
    param (
        [System.Management.Automation.PSCredential]$SPSecret,
        [System.Management.Automation.PSCredential]$SasToken,
        $TenantId,
        $ApplicationId,
        $KeyVaultName,
        $TorusCertificateName,
        $KevlarCertificateName,
        $StorageAccountName,
        $ContainerName,
        $NugetPackageBlobName,
        $KevlarSettingsBlobName,
        $HnsProxyBlobName,
        $ScriptsBlobName
    )
    

    $Logfile = "C:\InstallExtensions.log"
 
    Start-Transcript -Path $Logfile
    Write-Output 'Writing some text to the log file'

    Import-DSCResource -ModuleName PSDesiredStateConfiguration
    Import-DSCResource -ModuleName CertificateDsc

    Node ($env:COMPUTERNAME)
    {
        # Removed for brevity   
    }
}

# Install dependent modules
Find-Module -Name CertificateDsc -Repository PSGallery | Install-Module -Force

# Compile the MOF
NodeComponentsDsc `
    -OutputPath 'C:\Whereever\' `
    -SPSecret $SPSecret `
    -SasToken $SasToken `
...

Note: if you're deploying this to Azure via the DSC Extension, this won't work (as you just want to include the Config and the Modules need to be included in the zip file as is). If you are trying to install this into an Azure VM, let me know - because I've been meaning to write a blog post on doing this because the docs aren't as clear as they could be.

@PlagueHO
Member

Hi @Harshinee - can I close this one?

@PlagueHO PlagueHO added the waiting for author response The pull request is waiting for the author to respond to comments in the pull request. label Mar 2, 2020