
xWebapppool will not compile using identitytype gMSA #581

Open
signalwarrant opened this issue Jul 17, 2020 · 2 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

signalwarrant commented Jul 17, 2020

I would like to create an App Pool for a DSC Pull server running on Server 2019 that's connecting to a SQL Server 2019 backend that's running on Server 2019 as well. I want to authenticate to the DB using a gMSA, not SQL Authentication. I don't see a way to compile a configuration with the xwebapppool resource using the gMSA username format. I keep getting the error below.

I can manually edit the LCM mof and set the identitytype to "mylab\SQLsvcAccount$", reapply the LCM config and everything works fine.

xWebAdministration\xWebAppPool : At least one of the values 'mylab\SQLsvcAccount$' is not supported or valid for property 'identityType' on class 'xWebAppPool'. Please
specify only supported values:
ApplicationPoolIdentity, LocalService, LocalSystem, NetworkService, SpecificUser.
At line:78 char:9
xWebAppPool DSCPool
CategoryInfo : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
FullyQualifiedErrorId : UnsupportedValueForProperty,xWebAdministration\xWebAppPool

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration SecureWebPullServerWithSQLDatabase {
    Param (
        [ValidateNotNullOrEmpty()]
        [string] $NodeName = 'localhost',

        # Both defaults throw if the caller omits the value, so the parameters are effectively mandatory.
        [ValidateNotNullOrEmpty()]
        [string] $Thumbprint = "$(Throw 'Provide a valid certificate thumbprint to continue')",

        [ValidateNotNullOrEmpty()]
        [string] $Guid = "$(Throw 'Provide a valid GUID to continue')"
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration, xPSDesiredStateConfiguration, xWebAdministration

    Node $NodeName
    {
        LocalConfigurationManager
        {
            ActionAfterReboot       = 'ContinueConfiguration'
            ConfigurationMode       = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded      = $false
            AllowModuleOverwrite    = $true
            CertificateID           = $Thumbprint   # node certificate used to decrypt credentials in the MOF
        }
        # https://docs.microsoft.com/en-us/powershell/dsc/pull-server/secureserver
        # The next series of settings disable SSL and enable TLS, for environments where that is required by policy.
        # Note: only TLS 1.2 is enabled and only the SSL 2.0 server side is disabled below;
        # SSL 3.0, TLS 1.0 and TLS 1.1 are left at their OS defaults.
        Registry TLS1_2ServerEnabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName   = 'Enabled'
            ValueData   = 1
            ValueType   = 'Dword'
        } # end resource

        Registry TLS1_2ServerDisabledByDefault
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName   = 'DisabledByDefault'
            ValueData   = 0
            ValueType   = 'Dword'
        } # end resource

        Registry TLS1_2ClientEnabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName   = 'Enabled'
            ValueData   = 1
            ValueType   = 'Dword'
        } # end resource

        Registry TLS1_2ClientDisabledByDefault
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName   = 'DisabledByDefault'
            ValueData   = 0
            ValueType   = 'Dword'
        } # end resource

        Registry SSL2ServerDisabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
            ValueName   = 'Enabled'
            ValueData   = 0
            ValueType   = 'Dword'
        } # end resource

        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        xWebAppPool DSCPool
        {
            Ensure       = 'Present'
            Name         = 'DSCPool'
            # The gMSA name in the enum-typed identityType property is what fails to compile (see the error above).
            identityType = 'mylab\SQLSvcAccount$'
            startMode    = 'OnDemand'
            State        = 'Started'
            DependsOn    = '[WindowsFeature]DSCServiceFeature'
        }

        xDscWebService SecureWebPullServer
        {
            Ensure                       = 'Present'
            EndpointName                 = 'PSDSCPullServer'
            Port                         = 443
            PhysicalPath                 = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint        = $Thumbprint
            ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                        = 'Started'
            DependsOn                    = '[xWebAppPool]DSCPool'
            RegistrationKeyPath          = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $false
            UseSecurityBestPractices     = $true
            ApplicationPoolName          = 'DSCPool'
            SqlProvider                  = $true
            # Trusted_Connection=yes means the app pool identity (the gMSA) authenticates to SQL Server.
            # 'Database' and 'Initial Catalog' are synonyms in an OLE DB connection string; keep only one of them.
            SqlConnectionString          = 'Provider=MSOLEDBSQL;Server=sql.mylab.local;Database=dsc;Trusted_Connection=yes;Initial Catalog=master;Encrypt=yes;'
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $Guid
            DependsOn       = '[xDscWebService]SecureWebPullServer'
        }

        WindowsFeature IISMGMTConsole
        {
            Ensure    = 'Present'
            Name      = 'Web-Mgmt-Console'
            DependsOn = '[xDscWebService]SecureWebPullServer'
        }

        # Stop the default website
        xWebsite StopDefaultSite
        {
            Ensure       = 'Present'
            Name         = 'Default Web Site'
            State        = 'Stopped'
            PhysicalPath = 'C:\inetpub\wwwroot'
            DependsOn    = '[WindowsFeature]DSCServiceFeature'
        } # end resource

        WindowsFeature IISScripting
        {
            Ensure    = 'Present'
            Name      = 'Web-Scripting-Tools'
            DependsOn = '[xDscWebService]SecureWebPullServer'
        } # end resource
    }
}

Version of the DSC module that was used

PSDesiredStateConfiguration 1.1
xPSDesiredStateConfiguration 9.1.0
xWebAdministration 3.1.1

johlju (Member) commented Jul 23, 2020

For a resource to be able to support (g)MSA it needs to ignore the password part of the credential object (discussed and documented in the SqlServerDsc-specific guidelines, credentials-that-does-not-have-password).

I see this resource does expect to set the password for the credential object, so I suspect the resource needs to be modified to handle (g)MSA.

johlju added the labels enhancement (The issue is an enhancement request.) and help wanted (The issue is up for grabs for anyone in the community.) on Jul 23, 2020
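The comment above describes what a resource would have to do to support a (g)MSA: apply the SpecificUser identity from the PSCredential's user name and discard the password half. The following is an added illustration of that behaviour, not code from xWebAdministration or from this thread. It assumes the WebAdministration module, an existing application pool, and uses its own function names; the gMSA name `mylab\SQLSvcAccount$` is taken from the issue.

```powershell
# Added example (not xWebAdministration code): apply and test a pool identity while
# ignoring the PSCredential password when the user name denotes a (g)MSA.
Import-Module WebAdministration

function Test-ManagedServiceAccountName {
    param([Parameter(Mandatory)][string] $UserName)
    # sAMAccountNames of (g)MSAs end with '$', e.g. 'mylab\SQLSvcAccount$' from the issue.
    return $UserName.EndsWith('$')
}

function Set-AppPoolIdentity {
    param(
        [Parameter(Mandatory)][string]       $Name,
        [Parameter(Mandatory)][pscredential] $Credential
    )
    $pool  = "IIS:\AppPools\$Name"
    $isMsa = Test-ManagedServiceAccountName -UserName $Credential.UserName

    Set-ItemProperty -Path $pool -Name processModel.identityType -Value 'SpecificUser'
    Set-ItemProperty -Path $pool -Name processModel.userName     -Value $Credential.UserName

    if ($isMsa) {
        # (g)MSA: AD manages the password and the host retrieves it. Store nothing, whatever
        # placeholder the caller had to put into the PSCredential to get the MOF to compile.
        Set-ItemProperty -Path $pool -Name processModel.password -Value ''
    }
    else {
        Set-ItemProperty -Path $pool -Name processModel.password -Value $Credential.GetNetworkCredential().Password
    }
}

function Test-AppPoolIdentity {
    # Mirrors what a Test-TargetResource would need: the password cannot be compared for a
    # (g)MSA because none is stored, so a matching user name is sufficient there.
    param(
        [Parameter(Mandatory)][string]       $Name,
        [Parameter(Mandatory)][pscredential] $Credential
    )
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$Name" -Name processModel
    if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $Credential.UserName) {
        return $false
    }
    if (Test-ManagedServiceAccountName -UserName $Credential.UserName) {
        return $true
    }
    return $pm.password -eq $Credential.GetNetworkCredential().Password
}

# Usage (hypothetical pool names): only the second call writes a password into IIS.
# Set-AppPoolIdentity -Name 'DSCPool'   -Credential (Get-Credential 'mylab\SQLSvcAccount$')
# Set-AppPoolIdentity -Name 'OtherPool' -Credential (Get-Credential 'mylab\svc_other')
```

The check on the trailing `$` is the same convention the thread relies on: it is how the resource can tell a managed service account from an ordinary domain user without a directory lookup.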
signalwarrant (Author) commented

This scenario is documented in another issue from a few years ago, #80. The workaround discussed there, passing a random password as part of the credential object for the gMSA, does work to get the config to compile and configure the server. It's just a bit wonky.
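The workaround from the comment above and from #80, written out as an added example (not code from the issue author or the xWebAdministration project): xWebAppPool keeps its five enum values for identityType, so the gMSA goes into a PSCredential with `identityType = 'SpecificUser'` and a throwaway password. Assumptions beyond the thread: the node certificate's public key is exported to `C:\dsc\pullserver.cer` and the output path is `C:\dsc\DscPoolWithGmsa` (both hypothetical); the gMSA is `mylab\SQLSvcAccount$` as in the issue.

```powershell
# Added example: compile the gMSA app pool via SpecificUser + placeholder credential,
# with the MOF encrypted, then verify the result on the node.
Configuration DscPoolWithGmsa {
    Param (
        [Parameter(Mandatory)][pscredential] $PoolCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration, xWebAdministration

    Node $AllNodes.NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        xWebAppPool DSCPool
        {
            Ensure       = 'Present'
            Name         = 'DSCPool'
            identityType = 'SpecificUser'     # the gMSA travels in Credential.UserName
            Credential   = $PoolCredential
            startMode    = 'OnDemand'
            State        = 'Started'
            DependsOn    = '[WindowsFeature]DSCServiceFeature'
        }
    }
}

# The placeholder password is still serialized into the compiled MOF, so encrypt the MOF
# with the node certificate instead of setting PsDscAllowPlainTextPassword = $true.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = 'C:\dsc\pullserver.cer'   # hypothetical path to the exported public key
        }
    )
}

# Placeholder secret: needed only so the credential object compiles; the gMSA's real
# password is managed by AD and retrieved by the host, not taken from this value.
$placeholder = ConvertTo-SecureString -String ([guid]::NewGuid().Guid) -AsPlainText -Force
$gmsaCred    = [pscredential]::new('mylab\SQLSvcAccount$', $placeholder)

DscPoolWithGmsa -PoolCredential $gmsaCred -ConfigurationData $configData -OutputPath 'C:\dsc\DscPoolWithGmsa'
Start-DscConfiguration -Path 'C:\dsc\DscPoolWithGmsa' -Wait -Verbose

# Post-apply checks. The gMSA must be installed on this host (Install-ADServiceAccount) and the
# host must be allowed to retrieve its managed password, or the pool will fail to start.
Import-Module ActiveDirectory, WebAdministration
Test-ADServiceAccount -Identity 'SQLSvcAccount'    # $true when this host can use the gMSA
Get-ItemProperty -Path 'IIS:\AppPools\DSCPool' -Name processModel |
    Select-Object identityType, userName        # expect SpecificUser / mylab\SQLSvcAccount$
```

Because the pull server's connection string in the issue uses `Trusted_Connection=yes`, the gMSA is also the principal that authenticates to SQL Server, so a login for `mylab\SQLSvcAccount$` with rights on the DSC database has to exist on `sql.mylab.local` for the end-to-end setup to work.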
