Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SqlSetup: Does not allow null or empty password for MSA #378

Closed
wasabii opened this issue Feb 9, 2017 · 6 comments · Fixed by #1576
Closed

SqlSetup: Does not allow null or empty password for MSA #378

wasabii opened this issue Feb 9, 2017 · 6 comments · Fixed by #1576
Labels
documentation The issue is related to documentation only.

Comments

@wasabii
Copy link

wasabii commented Feb 9, 2017

"The password supplied to the Desired State Configuration resource MSFT_xSQLServerSetup is not valid. The password cannot be null or empty.",

It should, for managed service accounts.

@johlju johlju added the bug The issue is a bug. label Feb 9, 2017
@johlju
Copy link
Member

johlju commented Feb 9, 2017

@wasabii Would you be so kind to post the configuration you are using? Without any sensitive information.

@johlju johlju changed the title xSQLServerSetup Does not allow null or empty password xSQLServerSetup: Does not allow null or empty password for MSA Feb 9, 2017
@wasabii
Copy link
Author

wasabii commented Feb 9, 2017

I don't think it matters. I solved the problem by creating a PSCredential with a single space as a password. It's sort of hacky, but it works. Previously I was using New-Object PSCredential("username", $null). That's when I got the error. Now I'm making a SecureString with a single space for the second param.

@johlju johlju added the help wanted The issue is up for grabs for anyone in the community. label Feb 10, 2017
@johlju johlju changed the title xSQLServerSetup: Does not allow null or empty password for MSA SqlSetup: Does not allow null or empty password for MSA Dec 22, 2017
@johlju
Copy link
Member

johlju commented Sep 14, 2018

This was discussed in Gitter, thanks @NReilingh! 🙂

@NReilingh was kind enough to provide the error message from LCM when passing an empty password into the credential object.

Using this compiles a configuration correctly.

$SqlProxyUserCredential = New-Object System.Management.Automation.PSCredential(
    $Node.SqlSetup.ProxyUserMSA,
    (New-Object System.Security.SecureString)
)

But applying the configuration it gives this error.

Job {E69E204B-B6C0-11E8-B215-00505697B552} : 
Message Cannot unprotect message. The input contained no encrypted content. Specify the '-IncludeContext' parameter if you wish to output the original content when no encrypted content is detected. 
HResult -2146233087 
StackTrack    at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at Microsoft.PowerShell.DesiredStateConfiguration.Internal.ResourceProviderAdapter.CMS_DecryptMessage(String thumbprint, String encryptedMessage, IStreamsHandler plugInStreamsHandler, String& outputResult, IntPtr& errorInstanceHandle)

And @NReilingh concludes

So: it’s a MOF file that uses certificate encryption for credentials, but since I use some credentials with empty securestrings, in the MOF these look like Password = “”; instead of Password = “-----BEGIN CMS-----\nblahblahblah

@johlju
Copy link
Member

johlju commented Sep 14, 2018

To use a (g)MSA with the credential objects (that support (g)MSA), any password need to passed into credential objects, but the username will only be used.

https://github.com/PowerShell/SqlServerDsc/blob/80172377320659488f0b45595264c29da58ae448/DSCResources/MSFT_SqlSetup/MSFT_SqlSetup.psm1#L2271-L2277

Since we can not change how LCM or MOF works in this repository, the only other way of solving this is to make separate parameters for (g)MSA, like what was done in dsccommunity/xPSDesiredStateConfiguration#441 for the xService resource.
But for the SqlSetup resource I do not think that is the way to go, since that would mean we have to add many more parameters, with even more logic.

I relabel this as a community discussion since this needs more voices if we should do a (breaking) change.

@johlju johlju added discussion The issue is a discussion. and removed bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Sep 14, 2018
@NReilingh
Copy link
Contributor

NReilingh commented Sep 14, 2018

I think on balance, if we can't get a change out of LCM/MOF, it's preferable to use the "bogus password" workaround than to reimplement as a separate parameter. We would then want to make sure that's consistent across this repository, and documented so people know what they need to do if they want to use MSAs.

At the same time, it would be good to reach consensus with other DSC Resources, and is it possible to raise some sort of issue with the team that owns the LCM? One could interpret this as a bug in the encryption/decryption mechanism or MOF format, since it's perfectly valid to create a PSCredential object with no password.

Edit: Here's a uservoice issue: https://windowsserver.uservoice.com/forums/301869-powershell/suggestions/13447689-dsc-should-allow-credentials-with-blank-passwords

@johlju
Copy link
Member

johlju commented Sep 21, 2018

I agree we should add this to the documentation. Labeling it as such.

@johlju johlju added help wanted The issue is up for grabs for anyone in the community. documentation The issue is related to documentation only. and removed discussion The issue is a discussion. labels Sep 21, 2018
@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Jun 26, 2020
johlju added a commit to johlju/SqlServerDsc that referenced this issue Jun 26, 2020
johlju added a commit to johlju/SqlServerDsc that referenced this issue Jun 26, 2020
johlju added a commit that referenced this issue Jul 1, 2020
- SqlServerDsc
  - Remove the file `.github/CONTRIBUTION.md` as it no longer filled any
    purpose as GitHub will find the CONTRIBUTION.md in the root folder
    directly now (issue #1227).
  - The documentation in CONTRIBUTING.md has been somewhat updated.
  - Update documentation around design pattern for accounts that does not
    use passwords (issue #378)
    and (issue #1230).
  - Updating the Integration Test README.md to better explain what the
    integration tests for SqlSetup, SqlRSSetup, and SqlRS does (issue #1315).
- SqlAGReplica
  - Update documentation with a requirement for SqlServer in certain circumstances
    (issue #1033).
- SqlRSSetup
  - There was a typo in the error message that was thrown when not passing
    either the `Edition` or `ProductKey` that could be misleading (issue #1386).
  - Updated the parameter descriptions for the parameters `Edition` and
    `ProductKey` that they are mutually exclusive (issue #1386).
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Jul 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation The issue is related to documentation only.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants