win_dsc - How to troubleshoot

247 views
Skip to first unread message

Justin Seiser

unread,
Jul 26, 2018, 12:45:44 PM7/26/18
to Ansible Project
- name: Install ADCS with sub features and management tools
  win_feature:
    name: Adcs-Cert-Authority
    state: present
    include_management_tools: yes
  register: win_feature

- name: reboot if installing Adcs-Cert-Authority feature requires it
  win_reboot:
  when: win_feature.reboot_required

- name: Add ActiveDirectoryCSDsc
  win_psmodule:
    name: ActiveDirectoryCSDsc
    state: present

- name: Configure AdcsCertificationAuthority Powershell DSC
  win_dsc:
    resource_name: AdcsCertificationAuthority
    IsSingleInstance: 'Yes'
    CAType: 'EnterpriseRootCA'
    CryptoProviderName: 'RSA#Microsoft Software Key Storage Provider'
    KeyLength: 2048
    HashAlgorithmName: 'SHA256'
    ValidityPeriod: 'Years'
    ValidityPeriodUnits: 99
    PsDscRunAsCredential_username: ' {{ ansible_user }}'
    PsDscRunAsCredentual_password: '{{ ansible_password }}'


TASK [internal/qa_env_dc : Configure AdcsCertificationAuthority Powershell DSC] *************************************************************************************************************************************************************
fatal: [10.0.136.5]: FAILED! => {"changed": false, "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command \r\nstopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Cannot bind \r\nargument to parameter 'String' because it is null.\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}



Im really just trying to re-create this powershell snippet I have been using.
# Configure ADCS LDAP Over SSL
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 99 -Credential $mycreds -Force:$true

Im not really sure how to troubleshoot that error coming back to me.


Jordan Borean

unread,
Jul 26, 2018, 4:04:48 PM7/26/18
to Ansible Project
I agree the error message is not the nicest, there's some work we can do to try and clean it up but basically this is the standard error we get after an unhandled exception is throw. Best practice is to get rid of everything up the "ErrorActionPreference" line which leads you with

Cannot bind
argument to parameter 'String' because it is null.\"\"
At line:65 char:5
+     $output = $entrypoint.Run($payload)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptMethodRuntimeException

The location is a bit of a misnomer due to the way we run the modules but basically it is saying a DSC parameter that expects a value is getting $null instead and failing. Looking very briefly at the docs for AdcsCertificationAuthority here https://github.com/PowerShell/ActiveDirectoryCSDsc/blob/dev/DSCResources/MSFT_AdcsCertificationAuthority/MSFT_AdcsCertificationAuthority.schema.mof. You can the following fields are required;
  • CAType
  • Credential
I can see you have defined the CAType but Credential is not. It sounds like instead of running the DSC resource as your ansible user, use the Credential_username/Credential_password itself.

Thanks

Jordan

Justin

unread,
Jul 26, 2018, 4:36:42 PM7/26/18
to ansible...@googlegroups.com
Isn't that what the ps run as credentials are? To replace the credential parameter?

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/G66iHzatZ3U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fc31d864-4364-42b0-b77e-645847aa5535%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jordan Borean

unread,
Jul 26, 2018, 5:16:25 PM7/26/18
to Ansible Project
They are/can be different, PsDscRunAsCredential is used to tell DSC what user to run the process as, other credential objects may be used for a special process by the module itself. One is read by DSC while the other is read by the DSC resource. They may achieve similar things but the scope of each are different. Also, there's a typo in your PsDscRunAsCredential example, not sure if that's the same in your actual task.

Thanks

Jordan
Reply all
Reply to author
Forward
0 new messages