SharePointDSC parameter PsDscRunAsCredential with Kerberos


jn bedag

May 20, 2020, 4:33:15 AM
to Ansible Project
Hi

According to the documentation, for SharePointDSC modules to work, we have to specify PsDscRunAsCredentials in the win_dsc module:
- name: set shell admin for farmaccount
  win_dsc:
    resource_name: SPShellAdmins
    IsSingleInstance: "Yes"
    MembersToInclude: "farmadmin_user"
    AllDatabases: true
    PsDscRunAsCredential_username: '{{ ansible_user }}'
    PsDscRunAsCredential_password: '{{ ansible_password }}'



But we're running Ansible with a Kerberos configuration with our personal serveradmin user:
ansible_user="<personaladmin>@domain.local"
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_kerberos_delegation=true


Therefore ansible_password does not work.


And we can't specify a separate user, because this user would have to be a member of the SPShellAdmins, which is not possible because we can't specify a separate user ;-)
Omitting these parameters does not work either.
So we must be able to run the module with the personal serveradmin account; only this account is a member of the SPShellAdmins at this moment.

Is there a way to tell PsDscRunAsCredentials somehow to take the Kerberos credentials?
Or is there another approach for this?

Thank you very much

Jordan Borean

May 20, 2020, 3:35:45 PM
to Ansible Project
Unfortunately no, the DSC engine requires an explicit username and password and cannot be configured to run using an existing access token. It is probably needed because the DSC engine runs each task as the SYSTEM account, so any network authentication will appear as if it came from the AD computer account. By setting an explicit PSDSCRunAsCredential you tell the engine to use those credentials instead.
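
One way to meet the explicit-credential requirement described in the reply while still connecting over Kerberos, as an added example that is not part of the thread: the password is prompted at run time instead of being read from `ansible_password`. The variable name `dsc_runas_password` and the host group `sharepoint` are assumptions.

```yaml
# Added example, not from the thread.
# Assumptions: host group "sharepoint", variable "dsc_runas_password".
# The WinRM connection itself still uses the Kerberos settings from the
# inventory (ansible_winrm_transport=kerberos); no ansible_password is set.
- name: Set SharePoint shell admin with an explicit DSC run-as credential
  hosts: sharepoint
  gather_facts: false

  vars_prompt:
    # Prompted once per run and held only in memory, so the password is
    # never written to the inventory or to group_vars.
    - name: dsc_runas_password
      prompt: "Password for the account used as PsDscRunAsCredential"
      private: true

  tasks:
    - name: set shell admin for farmaccount
      win_dsc:
        resource_name: SPShellAdmins
        IsSingleInstance: "Yes"
        MembersToInclude: "farmadmin_user"
        AllDatabases: true
        # Same account as the Kerberos connection user; only the password
        # comes from the prompt above.
        PsDscRunAsCredential_username: '{{ ansible_user }}'
        PsDscRunAsCredential_password: '{{ dsc_runas_password }}'
      # Keep the credential out of task output and callback logs.
      no_log: true
```

For unattended runs the same variable can be supplied from an Ansible Vault encrypted file instead of `vars_prompt`.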