Certificate request not working in 2012R2 as it did in 2016

[jthompson333]

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer YTHJK-ES-1 with user sid
S-1-5-21-4238065118-3723846887-562607489-500.
VERBOSE: [YTHJK-ES-1]: LCM: [ Start Set ]
VERBOSE: [YTHJK-ES-1]: LCM: [ Start Resource ] [[CertReq]SSLCert]
VERBOSE: [YTHJK-ES-1]: LCM: [ Start Test ] [[CertReq]SSLCert]
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Test-TargetResource: Testing Certificate with
Subject 'CN=YTHJK-ES-1.bvt.local' issued by YTHJK-DC-1.bvt.local\bvt-YTHUK-DC-1-CA.
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Test-TargetResource: No valid certificate found
with subject 'CN=YTHJK-ES-1.bvt.local' issued by YTHJK-DC-1.bvt.local\bvt-YTHUK-DC-1-CA.
VERBOSE: [YTHJK-ES-1]: LCM: [ End Test ] [[CertReq]SSLCert] in 0.0310 seconds.
VERBOSE: [YTHJK-ES-1]: LCM: [ Start Set ] [[CertReq]SSLCert]
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Starting Certificate request
with Subject 'YTHJK-ES-1.bvt.local' issued by YTHJK-DC-1.bvt.local\bvt-YTHUK-DC-1-CA.
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Creating certificate request
'C:\Windows\TEMP\xCertReq-5578fa69-3dd3-4b99-be3c-d79a0169bab7.req' from
'C:\Windows\TEMP\xCertReq-5578fa69-3dd3-4b99-be3c-d79a0169bab7.inf'.
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Create certificate request
result: Active Directory Enrollment Policy
{AE50C422-1B3C-4F8C-A9EE-5DD749ED747D}
ldap:

CertReq: Request Created
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Submitting certificate request
'C:\Windows\TEMP\xCertReq-5578fa69-3dd3-4b99-be3c-d79a0169bab7.req' returning
'C:\Windows\TEMP\xCertReq-5578fa69-3dd3-4b99-be3c-d79a0169bab7.cer' issued by YTHJK-DC-1.bvt.local\bvt-YTHUK-DC-1-CA.
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Submitting certificate request
using separate process.
VERBOSE: [YTHJK-ES-1]: [[CertReq]SSLCert] Set-TargetResource: Submitting certificate request
result: Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
VERBOSE: [YTHJK-ES-1]: LCM: [ End Set ] [[CertReq]SSLCert] in 5.7660 seconds.
PowerShell DSC resource MSFT_CertReq failed to execute Set-TargetResource functionality with error message:
System.InvalidOperationException: Certificate file 'C:\Windows\TEMP\xCertReq-5578fa69-3dd3-4b99-be3c-d79a0169bab7.cer'
not found.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost

VERBOSE: [YTHJK-ES-1]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 5.97 seconds

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here
configuration CertRequest
{
    param
    (
        [Parameter()]
        [System.String[]]
        $NodeName = 'localhost',

        [Parameter()][ValidateNotNullorEmpty()]        
        [string]$CARootName,
    
        [Parameter()][ValidateNotNullorEmpty()]        
        [string]$CAServerFQDN,
    
        [Parameter()][ValidateNotNullorEmpty()]        
        [string]$Subject,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullorEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -ModuleName CertificateDsc

    Node $AllNodes.NodeName
    {
        CertReq SSLCert
        {
            CARootName          = $CARootName
            CAServerFQDN        = $CAServerFQDN
            Subject             = $Subject
            KeyLength           = '2048'
            Exportable          = $true
            ProviderName        = '"Microsoft RSA SChannel Cryptographic Provider"'
            OID                 = '1.3.6.1.5.5.7.3.1'
            KeyUsage            = '0xa0'
            CertificateTemplate = 'WebServer'
            AutoRenew           = $true
            FriendlyName        = 'Citrix SSL Cert for CVAD'
            Credential          = $Credential
        }
    }
}

#### The operating system the target node is running
<!--
    Please provide as much as possible about the target node, for example
    edition, version, build and language.
    On OS with WMF 5.1 the following command can help get this information.

    Get-ComputerInfo -Property @(
        'OsName',
        'OsOperatingSystemSKU',
        'OSArchitecture',
        'WindowsVersion',
        'WindowsBuildLabEx',
        'OsLanguage',
        'OsMuiLanguages')
OsName               : Microsoft Windows Server 2012 R2 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 9600.19153.amd64fre.winblue_ltsb.180908-0600
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
-->

#### Version and build of PowerShell the target node is running
<!--
    To help with this information, please run this command:
    $PSVersionTable
-->
Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

#### Version of the DSC module that was used ('dev' if using current dev branch)
Current Stable version, as far as I know.  Just used the install module command after updating powershell.

I confess I'm a bit new at this.  I probably have not included all logs that you need.
I will check back accordingly.

[PlagueHO]

Hi @jthompson333 - thanks for raising this. Just to make sure I'm on the right track, are you saying the config works OK on WS 2016, but doesn't work on WS 2012R2?

Does the WebServer certificate template exists on the CA and the $Credential contains a valid Domain account that has access to issue using the WebServer template? Usually we get this sort of error when there is a problem issuing the certificate using the generated .req file which is more often than not an access issue.

[jthompson333]

Yes, to confirm it did work on WS 2016 but not on WS 2012R2

Let me check on those items and I will get back to you.

The domain was built with automation and the CA was setup with the sister powershell dsc library AdcsCertificationAuthority.

I'm also on vacation, so I may not get back to responding on this until Tuesday. Sorry, I guess I should have waited a little longer to report. Thanks for the feedback. I won't forget about it...

[PlagueHO]

If you can get some details on the template you've got setup in your WS2012R2 machine then I can try and replicate it here on my lab.

[jthompson333]

By default it seems the CA install doesn't set all the permissions for Domain Admins...

However, its the same on 2016 as well and the request worked.

[jthompson333]

Params for both CA's were installed with these options from the ActiveDirectoryCSDsc module.
So the default WebServer template was used with this install

Configuration SetupAndInstallCA
{
    param
    (
        [Parameter()]
        [System.String[]]
        $NodeName = 'localhost',

        [Parameter(Mandatory = $true)]
        [ValidateNotNullorEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    #Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -Module ActiveDirectoryCSDsc

    Node $AllNodes.NodeName
    {
        WindowsFeature ADCS-Cert-Authority
        {
            Ensure = 'Present'
            Name   = 'ADCS-Cert-Authority'
        }

        AdcsCertificationAuthority CertificateAuthority
        {
            IsSingleInstance = 'Yes'
            Ensure           = 'Present'
            Credential       = $Credential
            CAType           = 'EnterpriseRootCA'
            DependsOn        = '[WindowsFeature]ADCS-Cert-Authority'
        }
    }
}

[jthompson333]

From 2012 R2 DC

PS C:\Users\Administrator> Get-CATemplate -Verbose
VERBOSE: Retrieving local certification authority configuration.
VERBOSE: Preparing the "YTHJK-DC-1.bvt.local\bvt-YTHJK-DC-1-CA" certification authority configuration.
VERBOSE: Retrieving templates for certification authority.

Name                           Oid
----                           ---
DirectoryEmailReplication      1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.29
DomainControllerAuthentication 1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.28
KerberosAuthentication         1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.33
EFSRecovery                    1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.8
EFS                            1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.6
DomainController               1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.15
WebServer                      1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.16
Machine                        1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.14
User                           1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.1
SubCA                          1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.18
Administrator                  1.3.6.1.4.1.311.21.8.6389841.3442508.1261732.14491001.11690483.143.1.7

From 2016 DC

PS C:\users\public> Get-CATemplate -Verbose
VERBOSE: Retrieving local certification authority configuration.
VERBOSE: Preparing the "testdc1.testcerts.io\testcerts-TESTDC1-CA" certification authority configuration.
VERBOSE: Retrieving templates for certification authority.

Name                           Oid
----                           ---
DirectoryEmailReplication      1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.29
DomainControllerAuthentication 1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.28
KerberosAuthentication         1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.33
EFSRecovery                    1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.8
EFS                            1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.6
DomainController               1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.15
WebServer                      1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.16
Machine                        1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.14
User                           1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.1
SubCA                          1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.18
Administrator                  1.3.6.1.4.1.311.21.8.5538339.9772982.13911702.4650013.2469579.129.1.7

[jthompson333]

2012 DC Info (CA Templates)

2016 DC Info (CA Templates)

[jthompson333]

Not sure if thats the info that you were looking for, but, let me know if its not.

[PlagueHO]

Great info @jthompson333 - can you see who has Enroll permissions on the Security tab on these templates? You need to ensure that the $Credential you're passing to your config has access on the Security tag as an Enroll.

E.g.

Other ways you can check this is log onto the server you're applying the DSC config to using the account specified in $Credential and try issuing the certificate using certreq.exe (or even CertMgr.msc) for the WebServer Template. If you can do this then it probably isn't a security issue as I thought and we can track it down from there.

Does that make sense?

[jthompson333]

ok. I haven't tried certreq.exe yet.

Domain admins which are the creds I'm passing in, (its just the default domain admin account) has enroll permissions, but, the authenticated users does not. 2016 DC looks the same as well.

[jthompson333]

I'll try certreq.exe or the gui and see what happens.

[jthompson333]

So the project I'm working on- I was just told not to waste time with 2012 R2. So I suppose you can archive this off, as I won't have anymore time to mess with it. Never got to try certreq.exe...

[wh33ly]

I had a similar error when when the "Domain account" I passed in "dsc_credential" wasn't a local administrator on the machine where I requested it created the request from.

[PlagueHO]

Thanks @wh33ly - I am fairly sure this issue is related to an access issue as you surmise. We probably could do some more work on detecting and reporting likely causes back to the user, which is why I've left this open for now.