I am trying to configure ADSF to use a wildcard SSL certificate
I can see the thumbprint of the cert:
C:\temp\SAML> dir cert:\Localmachine\My\
PSParentPath: Microsoft.PowerShell.Security\Certificate::Localmachine\My
Thumbprint Subject
---------- -------
950CB19E429B5A409FD9650B08E873B23FE1082D CN=*.mydomain.com
But when I try to install it as the SSL Certificate, I see the following error:
C:\temp\SAML> Set-AdfsSslCertificate -Thumbprint 950CB19E429B5A409FD9650B08E873B23FE1082D
Set-AdfsSslCertificate : PS0317: One or more of AD FS servers returned errors during execution of command
'Set-AdfsSslCertificate'. Error information: PS0316: AD FS Server: 'localhost', Error: 'The SSL certificate specified by
thumbprint 950CB19E429B5A409FD9650B08E873B23FE1082D does not have a subject name that matches the specified Federation
Service name: EC2AMAZ-0FBOMSR.adfs.mydomain.com'.
At line:1 char:1
+ Set-AdfsSslCertificate -Thumbprint 950CB19E429B5A409FD9650B08E873B23F ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-AdfsSslCertificate], RemoteException
+ FullyQualifiedErrorId :
RuntimeException,Microsoft.IdentityServer.Management.Commands.SetSslCertificateCommand
The error is about the wrong subject name. Shouldn't that be "CN="?
Is it a problem to use a wildcard?
No you cant use *.contoso.com for host.subdomain.contoso.com. * is for one level (host.contoso.com) not two as you are attempting.
Related
I'm trying to use Add-AppxProvisionedPackage to install a dependency appx package on my win10 tablet, but failed.
My win10's edition is enterprise and the version is 1803.
The script as bellow:
Add-AppxProvisionedPackage -Online -PackagePath
C:\Appx\SMP.UWP_10.7.1.1\Dependencies\x64\Microsoft.NET.CoreRuntime.1.1.appx" -SkipLicense
The error message like bellow:
Add-AppxProvisionedPackage : Unspecified error
At line:1 char:1
+ Add-AppxProvisionedPackage -Online -PackagePath "C:\Appx\SMP.UWP_10.7 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AppxProvisionedPackage], PSArgumentException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.AddAppxProvisionedPackageCommand
Please give me some advice, thank you very much.
Microsoft.NET.CoreRuntime.1.1.appx is DependencyPackage, not the application package.
Try this:
Add-AppxProvisionedPackage -Online -DependencyPackagePath "all_dependency_package_path" -PackagePath "appxbundle_or_msixbundle_path" -SkipLicense
Note:
Please fill the above command with a real path. There are usually three dependent packages, separated by ",".
After running the command, if there is an error like A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider., please install the certificate which in the package folder to Trusted Root Certification Authorities
Best regards.
I'm new to DSC and I've been trying for days now to have my meta-configuration working with an SMB pull server, to no avail.
Context:
Target nodes are Win 2012 R2 servers, members of a same domain
I can only use PS 4.0
I can't give read access to everyone on SMB share on pull server
I don't want to have pull mode relying on custom modules to be functional (only base PS 4.0 installation)
My authoring node is currently my test target node
I tried to use New-SelfsignedCertificateEx.ps1 but can't get it to run on my Windows 7
I'm using a self-signed certificate generated on Windows 10 with requested KUs and EKUs
My meta-configuration works with an SMB share without credentials (hosted by test target node itself / read access granted to everyone)
I've been searching the web but only found code examples or questions about credentials passed to a DSC resource. I haven't found an example of PS 4.0 code where a live PSCredential object (retrieved from Get-Credential cmdlet) gets encrypted on-the-fly to a meta-configuration mof.
I've tried to transpose numerous examples (including from here and here), but I'm unable to have my credentials encrypted and still get that well-known message each time:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Credential' OF TYPE 'LocalConfigurationManager': Converting and
storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog:
http://go.microsoft.com/fwlink/?LinkId=393729
At line:190 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Errors occurred while processing configuration 'MetaConfigurationForPull'.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2223 char:5
+ throw $errorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (MetaConfigurationForPull:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
Here's my code:
# Getting credentials for filer connection (CIFS share for pulling MOF files)
$cred = Get-Credential -Message 'Provide credentials for CIFS share hosting configuration files:'
Configuration MetaConfigurationForPull {
Param (
[PSCredential] $Credential
)
LocalConfigurationManager {
ConfigurationID = "f28a102c-71c9-43a1-abbb-a944ec7cb5cd";
CertificateID = $AllNodes.Thumbprint;
Credential = $Credential;
RefreshMode = "PULL";
RebootNodeIfNeeded = $false;
DownloadManagerName = "DscFileDownloadManager";
DownloadManagerCustomData = #{SourcePath = '\\smb_pull_server\smb_share\mofs\batch_server'};
}
}
$ConfigData= #{
AllNodes = #(
#{
# The name of the node we are describing
NodeName = "localhost"
# The path to the .cer file containing the
# public key of the Encryption Certificate
# used to encrypt credentials for this node
CertificateFile = "D:\node_rdp_cert.cer"
# The thumbprint of the Encryption Certificate
# used to decrypt the credentials on target node
Thumbprint = "d78334010df5dee5de1c7529e9419a4bb841e618"
};
);
}
MetaConfigurationForPull -Credential $cred -ConfigurationData $ConfigData -Output "D:\meta\batch_server"
I've also found that post which talks about some regression on PS 5.0 and where this guy states he had everything working like a charm on PS 4.0.
Am I missing something in the code above?
Any help would be much appreciated.
Thanks
As long as this is just a test environment, you can add:
PSDscAllowPlainTextPassword = $true
to your configuration.
Example: here.
I am attempting to Federate office 365 and use it as a Service Provider, but I can't seem to change the SigningCertificate information in the FederationSettings. I am trying to use this powershell command:
Set-MsolDomainAuthentication -IssuerUri $entity -LogOffUri $logout -PassiveLogOnUri $url -PreferredAuthenticationProtocol SAMLP -SigningCertificate $cert
This command only works if I remove -SigningCertificate $cert. And I can't change the SigningCertificate once I've set up federation either. Also I am not using ADFS. I really appreciate any help anyone can provide for why this won't work.
Error Message:
Set-MsolDomainAuthentication : Invalid value for parameter. Parameter Name:
.
At line:1 char:1
+ Set-MsolDomainAuthentication -IssuerUri $entity -LogOffUri $logout
-PassiveLogOn ...
CategoryInfo:OperationStopped: (:) [Set-MsolDomainAuthenticaion], MicrosoftOnlineException + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.ProprtyValidationException,Microsoft.Online.Administration.Automation.SetDomainAuthentication
In case anyone else finds themselves in this situation the answer is to make sure all the spaces are removed from the certificate string.
I am attempting to setup multiple VNet to VNet connections in Azure as described here: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/
I have 4 VNets
VNet-North
VNet-South
VNet-East
VNet-West
I have been trying to setup a star topology with a Domain Controller in the center like this:
I have successfully setup VNet-North to VNet-South in both directions.
When I try to connect VNet-North to VNet-East using this PoewerShell command:
PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-North -LocalNetworkSiteName VNet-East -SharedKey A1b2C3D4
It returns success
But when I try:
PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-East -LocalNetworkSiteName VNet-North -SharedKey A1b2C3D4
Set-AzureVNetGatewayKey : BadRequest: The specified local network site name 'VNet-North' is not valid or could not be found.
At line:1 char:1
+ Set-AzureVNetGatewayKey -LocalNetworkSiteName VNet-North -SharedKey AaBaCaDa -VNetN ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureVNetGatewayKey], CloudException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagement.IaaS.SetAzureVNetGatewayKey
Is a star topology possible?
Had the same problem, resolved by issuing Reset-AzureVNetGateway -VNetName "Name" against all parties having problem. This command will temporarily drop all connections on given VPN gateway, please use it with caution.
I want to deploy my application to azure with powershell. So far I have created a certificate in the localmachine store, I'm not going to run the deploy script as me, uploaded the script to azure. The next step is to get access to the service on azure in powershell but there it fails. The script I have so far is:
$cert = Get-Item Cert:\LocalMachine\deploy\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Set-AzureSubscription -SubscriptionName $subscriptionName -SubscriptionId $subscriptionId -Certificate $cert
Select-AzureSubscription $subscriptionName
$service = Get-AzureService $azureId
It fails on the last row with the following message:
Get-AzureService : Communication could not be established. This could be due to an invalid subscription ID. Note that subscription IDs are case sensitive.
At F:\DeployTest\deploy.ps1:9 char:12
+ $service = Get-AzureService $azureId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureService], Exception
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Management.ServiceManagement.HostedServices.GetAzureServiceCommand
Get-AzureService : HTTP Status Code: AuthenticationFailed - HTTP Error Message: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
Operation ID:
At F:\DeployTest\deploy.ps1:9 char:12
+ $service = Get-AzureService $azureId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureService], CommunicationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Management.ServiceManagement.HostedServices.GetAzureServiceCommand
I really don't know what the problem is, the certificate I'm trying to use is uploaded so it feels like there is something fundamental I've missed.
Update: I did get it to work after downloading the .publishsettings-file and importing that instead of trying to use Set-AzureSubscription. I'm still a little bit confused though, shouldn't it be possible to use the method I tried above?
I finally found the problem, and of course it was a user problem. First when I was in the azure portal I didn't find where to upload the certificate, so I uploaded it to first place I found mentioning certificates. What I did found out was that this area was the wrong one, I uploaded the certificate to the certificate area under the cloud service I wanted to administrate, which is the wrong place.
The correct place to upload the certificate to is under settings in the admin portal of azure. So the code above works if the certificate is uploaded to the correct location.