ActiveDirectoryCSDsc

AdcsCertificationAuthority : Unable to setup EnterpriseSubordinateCA

Open msilveirabr opened this issue 2 years ago • 0 comments

Details of the scenario you tried and the problem that is occurring

When using this DSC with Ansible, the Offline Root CA setup runs fine, but EnterpriseSubordinateCA doesn't. I tried to get this DSC to run as a PS script but I was unable to get it working (my fault, not this DSC's).

Verbose logs showing the problem

This is the output of ansible running the playbook with -vvv

TASK [windows : Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority] *********************************************************************************
task path: /etc/ansible/roles/windows/tasks/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml:40
Monday 19 September 2022  16:25:15 -0300 (0:00:49.671)       0:16:19.242 ****** 
Using module file /home/ansible/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_dsc.ps1
Pipelining is enabled.
<172.22.33.21> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5985 TO 172.22.33.21
EXEC (via pipeline wrapper)
ok: [172.22.33.21] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "CACommonName": "MyLDomain Enterprise CA 01",
            "CADistinguishedNameSuffix": "DC=ad,DC=mylocaldomain,DC=com,DC=br",
            "CAType": "EnterpriseSubordinateCA",
            "CertFile": null,
            "CertFilePassword_password": null,
            "CertFilePassword_username": null,
            "CertificateID": null,
            "Credential_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "Credential_username": "[email protected]",
            "CryptoProviderName": "RSA#Microsoft Software Key Storage Provider",
            "DatabaseDirectory": null,
            "DependsOn": null,
            "Ensure": "Present",
            "HashAlgorithmName": "SHA256",
            "IgnoreUnicode": null,
            "IsSingleInstance": "Yes",
            "KeyContainerName": null,
            "KeyLength": 2048,
            "LogDirectory": null,
            "OutputCertRequestFile": "C:\\subca-eca01.req",
            "OverwriteExistingCAinDS": true,
            "OverwriteExistingDatabase": null,
            "OverwriteExistingKey": null,
            "ParentCA": null,
            "PsDscRunAsCredential_password": null,
            "PsDscRunAsCredential_username": null,
            "ValidityPeriod": "Years",
            "ValidityPeriodUnits": 5,
            "module_version": "latest",
            "resource_name": "AdcsCertificationAuthority"
        }
    },
    "module_version": "5.0.0",
    "reboot_required": false,
    "verbose_test": [
        "Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceTest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.",
        "An LCM method call arrived from computer ECA01 with user sid S-1-5-21-967091583-3247568768-1330645744-1000.",
        "[ECA01]: LCM:  [ Start  Test     ]  [[AdcsCertificationAuthority]DirectResourceAccess]",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: Testing ADCS EnterpriseSubordinateCA Status.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Calling InitializeDefaults method on the setup object.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Certification Authority will be installed with a new key.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the AllowAdministratorInteraction property to False.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the CAType property to EnterpriseSubordinateCA.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the ValidityPeriodUnits property to 5.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required.",
        "[ECA01]: LCM:  [ End    Test     ]  [[AdcsCertificationAuthority]DirectResourceAccess] True in 0.7500 seconds.",
        "[ECA01]: LCM:  [ End    Set      ]    in  0.7970 seconds.",
        "Operation 'Invoke CimMethod' complete.",
        "Time taken for configuration job to complete is 1.029 seconds"
    ]
}
META: role_complete for 172.22.33.21

The issue is that DSC thinks it is already OK: "[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required."

Here are my roles/playbook tasks:

role: windows/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml

---
#DOC: https://github.com/dsccommunity/ActiveDirectoryCSDsc/wiki/AdcsCertificationAuthority
- name: Windows | ActiveDirectoryCSDsc DSC | Assert that ActiveDirectoryCSDsc module is installed
  community.windows.win_psmodule:
    name: ActiveDirectoryCSDsc
    #accept_license: true
    minimum_version: "5.0.0"
    repository: PSGallery
    state: present

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'rootca_CApolicy.inf.j2') }}"
    - name: Create root CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'StandaloneRootCA'

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'esca_CApolicy.inf.j2') }}"
    - name: Create CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'EnterpriseSubordinateCA'

- name: Enable ADCS Feature
  win_feature:
    name: ADCS-Cert-Authority
    include_management_tools: true #RSAT-ADCS

- name: Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority
  ansible.windows.win_dsc:
    resource_name: AdcsCertificationAuthority
    Ensure: Present
    IsSingleInstance: "Yes"
    CAType: "{{ adcs_catype }}" #one of EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
    #Credential: "{{ adcs_creds }}" # Reuse winRM credentials
    Credential_username: "{{ adcs_username | default(ansible_user) }}"
    Credential_password: "{{ adcs_password | default(ansible_password) }}"
    CACommonName: "{{ adcs_cn }}"
    CADistinguishedNameSuffix: "{{ adcs_dnsuffix }}"
    CertFile: "{{ adcs_certfile | default(omit) }}"
    CertFilePassword: "{{ adcs_certpass | default(omit) }}"
    CertificateID: "{{ adcs_certid | default(omit) }}"
    CryptoProviderName: "{{ adcs_crypto_provider | default('RSA#Microsoft Software Key Storage Provider') }}"
    DatabaseDirectory: "{{ adcs_dbdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    HashAlgorithmName: "{{ adcs_hash }}"
    IgnoreUnicode: "{{ adcs_ignore_unicode | default(omit) }}"
    KeyContainerName: "{{ adcs_key_container | default(omit) }}"
    KeyLength: "{{ adcs_keylength }}"
    LogDirectory: "{{ adcs_logdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    OutputCertRequestFile: "{{ adcs_csr_file | default(omit) }}"
    OverwriteExistingCAinDS: "{{ adcs_overwrite_ca | default(omit) }}"
    OverwriteExistingDatabase: "{{ adcs_overwrite_db | default(omit) }}"
    OverwriteExistingKey: "{{ adcs_overwrite_key | default(omit) }}"
    ParentCA: "{{ adcs_parentca | default(omit) }}"
    ValidityPeriod: "{{ adcs_validity_period | default('Years') }}" #Hours, Days, Months, Years
    ValidityPeriodUnits: "{{ adcs_validity_units }}"

my playbook task section:

#    - name: Setup Enterprise CA ( Works fine )
#        ansible.windows.win_shell: |
#        Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa  -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithm SHA256 -CACommonName "{{ eca01_cn }}" -CADistinguishedNameSuffix "{{ domain_dn }}" -OutputCertRequestFile C:\subca-eca01.req -Force

    - name: Setup Enterprise CA ( does not work )
      include_role:
        name: windows
        tasks_from: ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml
      vars:
        adcs_catype: EnterpriseSubordinateCA
        adcs_username: "ansible@{{ guest_domain }}"
        adcs_password: "%MYtesting-P@$$w0rd"
#        adcs_overwrite_ca: true #tried to force with no effect
        adcs_cn: "{{ eca01_cn }}"
        adcs_dnsuffix: "{{ domain_dn }}"
        adcs_crypto_provider: "RSA#Microsoft Software Key Storage Provider"
        adcs_hash: SHA256
        adcs_keylength: 2048
        adcs_csr_file: C:\subca-eca01.req
        adcs_validity_period: Years
        adcs_validity_units: 5

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.2931
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.2931
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

5.0.0

msilveirabr, Sep 20 '22 00:09
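Added example, not code from the issue or from the ActiveDirectoryCSDsc project: a PowerShell check to run on the target node that puts the resource's own Test verdict (the same ResourceTest call the LCM made in the log above) next to node-level evidence that a CA is actually configured (the CertSvc service and the HKLM CertSvc\Configuration key), so a "Change not required" like the one above can be verified before the playbook result is trusted. The function names, the placeholder CA name and DN suffix, and the credential prompt are this example's own; that the resource's Test method relies on an Install-AdcsCertificationAuthority -WhatIf dry run is an assumption, and the dry-run helper only reports the exception text it gets back.

```powershell
# Added example, not code from the issue or the ActiveDirectoryCSDsc project. Run on the target node.
# Assumptions: CertSvc / HKLM CertSvc\Configuration are the standard ADCS locations; CA names are
# placeholders; the -WhatIf probe mirrors what the resource's Test method is assumed to do.
function Get-AdcsInstallState {
    # Node-level evidence that a CA is really configured, independent of what DSC reports.
    $service = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    $cfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active  = (Get-ItemProperty -Path $cfgKey -Name Active -ErrorAction SilentlyContinue).Active
    $caType  = $null
    if ($active) {
        # CAType DWORD: 0 EnterpriseRoot, 1 EnterpriseSubordinate, 3 StandaloneRoot, 4 StandaloneSubordinate
        $caType = (Get-ItemProperty -Path (Join-Path $cfgKey $active) -Name CAType -ErrorAction SilentlyContinue).CAType
    }
    [pscustomobject]@{
        ServicePresent = ($null -ne $service)
        ActiveCA       = $active
        CAType         = $caType
        Configured     = ($null -ne $service) -and -not [string]::IsNullOrEmpty($active)
    }
}
function Get-AdcsWhatIfReason {
    # Dry-run the install and return the actual setup error text, rather than a bare installed/not verdict.
    param([Parameter(Mandatory)][hashtable] $SetupParams)
    try {
        Install-AdcsCertificationAuthority @SetupParams -WhatIf
        return 'no exception: setup would proceed, so no CA is configured'
    } catch {
        return "setup exception: $($_.Exception.GetType().FullName): $($_.Exception.Message)"
    }
}
function Compare-AdcsDscTest {
    param([Parameter(Mandatory)][pscredential] $Credential, [string] $CAType = 'EnterpriseSubordinateCA')
    # Same ResourceTest call the LCM made in the issue log, issued directly via Invoke-DscResource.
    $dsc  = Invoke-DscResource -Name AdcsCertificationAuthority -ModuleName ActiveDirectoryCSDsc -Method Test `
        -Property @{ IsSingleInstance = 'Yes'; CAType = $CAType; Credential = $Credential }
    $node = Get-AdcsInstallState
    [pscustomobject]@{
        DscInDesiredState = [bool]$dsc.InDesiredState
        NodeConfigured    = $node.Configured
        Mismatch          = ([bool]$dsc.InDesiredState) -and -not $node.Configured  # the issue's symptom
        Node              = $node
    }
}
$cred   = Get-Credential -Message 'Account used for the ADCS DSC resource'
$result = Compare-AdcsDscTest -Credential $cred
if ($result.Mismatch) {   # DSC claims desired state but no CA exists: show why the dry run failed
    Get-AdcsWhatIfReason -SetupParams @{ CAType = 'EnterpriseSubordinateCA'; Credential = $cred
        CACommonName = 'PLACEHOLDER CA'; CADistinguishedNameSuffix = 'DC=example,DC=com' }
}
```

A Mismatch of True is the situation in the log: the Test method answered "in desired state" while the node has no configured CA, and the returned exception text is the starting point for finding out why the resource reached that verdict.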