
AdcsCertificationAuthority : Unable to setup EnterpriseSubordinateCA #136

Open
msilveirabr opened this issue Sep 20, 2022 · 0 comments

Details of the scenario you tried and the problem that is occurring

When using this DSC with Ansible, Offline Root CA setup runs fine, but EnterpriseSubordinateCA doesn't.
I tried to get this DSC to run as a PS script but I was unable to get it working (my fault, not this DSC's).

Verbose logs showing the problem

This is the output of Ansible running the playbook with -vvv

TASK [windows : Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority] *********************************************************************************
task path: /etc/ansible/roles/windows/tasks/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml:40
Monday 19 September 2022  16:25:15 -0300 (0:00:49.671)       0:16:19.242 ****** 
Using module file /home/ansible/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_dsc.ps1
Pipelining is enabled.
<172.22.33.21> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5985 TO 172.22.33.21
EXEC (via pipeline wrapper)
ok: [172.22.33.21] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "CACommonName": "MyLDomain Enterprise CA 01",
            "CADistinguishedNameSuffix": "DC=ad,DC=mylocaldomain,DC=com,DC=br",
            "CAType": "EnterpriseSubordinateCA",
            "CertFile": null,
            "CertFilePassword_password": null,
            "CertFilePassword_username": null,
            "CertificateID": null,
            "Credential_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "Credential_username": "[email protected]",
            "CryptoProviderName": "RSA#Microsoft Software Key Storage Provider",
            "DatabaseDirectory": null,
            "DependsOn": null,
            "Ensure": "Present",
            "HashAlgorithmName": "SHA256",
            "IgnoreUnicode": null,
            "IsSingleInstance": "Yes",
            "KeyContainerName": null,
            "KeyLength": 2048,
            "LogDirectory": null,
            "OutputCertRequestFile": "C:\\subca-eca01.req",
            "OverwriteExistingCAinDS": true,
            "OverwriteExistingDatabase": null,
            "OverwriteExistingKey": null,
            "ParentCA": null,
            "PsDscRunAsCredential_password": null,
            "PsDscRunAsCredential_username": null,
            "ValidityPeriod": "Years",
            "ValidityPeriodUnits": 5,
            "module_version": "latest",
            "resource_name": "AdcsCertificationAuthority"
        }
    },
    "module_version": "5.0.0",
    "reboot_required": false,
    "verbose_test": [
        "Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceTest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.",
        "An LCM method call arrived from computer ECA01 with user sid S-1-5-21-967091583-3247568768-1330645744-1000.",
        "[ECA01]: LCM:  [ Start  Test     ]  [[AdcsCertificationAuthority]DirectResourceAccess]",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: Testing ADCS EnterpriseSubordinateCA Status.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Calling InitializeDefaults method on the setup object.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Certification Authority will be installed with a new key.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the AllowAdministratorInteraction property to False.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the CAType property to EnterpriseSubordinateCA.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Setting the ValidityPeriodUnits property to 5.",
        "[ECA01]:                            [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required.",
        "[ECA01]: LCM:  [ End    Test     ]  [[AdcsCertificationAuthority]DirectResourceAccess] True in 0.7500 seconds.",
        "[ECA01]: LCM:  [ End    Set      ]    in  0.7970 seconds.",
        "Operation 'Invoke CimMethod' complete.",
        "Time taken for configuration job to complete is 1.029 seconds"
    ]
}
META: role_complete for 172.22.33.21

The issue is that DSC thinks it is already OK:
"[ECA01]: [[AdcsCertificationAuthority]DirectResourceAccess] Test-TargetResource: ADCS EnterpriseSubordinateCA is installed and should be. Change not required.",

Here are my roles/playbook tasks:

role: windows/ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml

---
#DOC: https://github.com/dsccommunity/ActiveDirectoryCSDsc/wiki/AdcsCertificationAuthority
- name: Windows | ActiveDirectoryCSDsc DSC | Assert that ActiveDirectoryCSDsc module is installed
  community.windows.win_psmodule:
    name: ActiveDirectoryCSDsc
    #accept_license: true
    minimum_version: "5.0.0"
    repository: PSGallery
    state: present

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'rootca_CApolicy.inf.j2') }}"
    - name: Create root CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'StandaloneRootCA'

- block:
    - name: Read CAPolicy.inf template
      set_fact:
        tpl_content: "{{ lookup('ansible.builtin.template', 'esca_CApolicy.inf.j2') }}"
    - name: Create CA CAPolicy.inf in host machine
      ansible.windows.win_copy:
        content: "{{ tpl_content }}"
        dest: C:\Windows\CAPolicy.inf
  when: adcs_catype == 'EnterpriseSubordinateCA'

- name: Enable ADCS Feature
  win_feature:
    name: ADCS-Cert-Authority
    include_management_tools: true #RSAT-ADCS

- name: Windows | AdcsCertificationAuthority DSC | Configure AdcsCertificationAuthority
  ansible.windows.win_dsc:
    resource_name: AdcsCertificationAuthority
    Ensure: Present
    IsSingleInstance: "Yes"
    CAType: "{{ adcs_catype }}" #one of EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA, StandaloneSubordinateCA
    #Credential: "{{ adcs_creds }}" # Reuse winRM credentials
    Credential_username: "{{ adcs_username | default(ansible_user) }}"
    Credential_password: "{{ adcs_password | default(ansible_password) }}"
    CACommonName: "{{ adcs_cn }}"
    CADistinguishedNameSuffix: "{{ adcs_dnsuffix }}"
    CertFile: "{{ adcs_certfile | default(omit) }}"
    CertFilePassword: "{{ adcs_certpass | default(omit) }}"
    CertificateID: "{{ adcs_certid | default(omit) }}"
    CryptoProviderName: "{{ adcs_crypto_provider | default('RSA#Microsoft Software Key Storage Provider') }}"
    DatabaseDirectory: "{{ adcs_dbdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    HashAlgorithmName: "{{ adcs_hash }}"
    IgnoreUnicode: "{{ adcs_ignore_unicode | default(omit) }}"
    KeyContainerName: "{{ adcs_key_container | default(omit) }}"
    KeyLength: "{{ adcs_keylength }}"
    LogDirectory: "{{ adcs_logdir | default(omit) }}" # Default C:\Windows\System32\CertLog
    OutputCertRequestFile: "{{ adcs_csr_file | default(omit) }}"
    OverwriteExistingCAinDS: "{{ adcs_overwrite_ca | default(omit) }}"
    OverwriteExistingDatabase: "{{ adcs_overwrite_db | default(omit) }}"
    OverwriteExistingKey: "{{ adcs_overwrite_key | default(omit) }}"
    ParentCA: "{{ adcs_parentca | default(omit) }}"
    ValidityPeriod: "{{ adcs_validity_period | default('Years') }}" #Hours, Days, Months, Years
    ValidityPeriodUnits: "{{ adcs_validity_units }}"

My playbook task section:

#    - name: Setup Enterprise CA ( Works fine )
#        ansible.windows.win_shell: |
#        Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa  -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithm SHA256 -CACommonName "{{ eca01_cn }}" -CADistinguishedNameSuffix "{{ domain_dn }}" -OutputCertRequestFile C:\subca-eca01.req -Force

    - name: Setup Enterprise CA ( does not work )
      include_role:
        name: windows
        tasks_from: ActiveDirectoryCSDsc/AdcsCertificationAuthority.yml
      vars:
        adcs_catype: EnterpriseSubordinateCA
        adcs_username: "ansible@{{ guest_domain }}"
        adcs_password: "%MYtesting-P@$$w0rd"
#        adcs_overwrite_ca: true #tried to force with no effect
        adcs_cn: "{{ eca01_cn }}"
        adcs_dnsuffix: "{{ domain_dn }}"
        adcs_crypto_provider: "RSA#Microsoft Software Key Storage Provider"
        adcs_hash: SHA256
        adcs_keylength: 2048
        adcs_csr_file: C:\subca-eca01.req
        adcs_validity_period: Years
        adcs_validity_units: 5

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.2931
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.2931
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

5.0.0
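Added check, not part of ActiveDirectoryCSDsc or the reporter's playbook: it reads the node's real ADCS state (role feature, CertSvc service, and the CA configuration registry key) so a "installed and should be, change not required" test result can be compared against what is actually configured. It assumes the standard CertSvc registry layout and is run elevated on the target node.

```powershell
# Added verification script (not from the ActiveDirectoryCSDsc project).
# Assumption: a configured CA is recorded under the standard CertSvc registry
# layout, with 'Active' naming the CA and a per-CA subkey holding 'CAType'.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# CAType values as stored by ADCS setup (CA_TYPES enumeration).
$caTypeNames = @{
    0 = 'EnterpriseRootCA'
    1 = 'EnterpriseSubordinateCA'
    3 = 'StandaloneRootCA'
    4 = 'StandaloneSubordinateCA'
}

# Role binaries present? (win_feature ADCS-Cert-Authority installs only these.)
$feature = Get-WindowsFeature -Name ADCS-Cert-Authority

# Service exists only once a CA has been configured on the node.
$service = Get-Service -Name CertSvc -ErrorAction SilentlyContinue

# 'Active' is empty/missing when no CA has been set up yet.
$active = (Get-ItemProperty -Path $cfgPath -Name Active -ErrorAction SilentlyContinue).Active

$configuredType = $null
if ($active) {
    $caKey = Join-Path $cfgPath $active
    $caType = (Get-ItemProperty -Path $caKey -Name CAType -ErrorAction SilentlyContinue).CAType
    if ($null -ne $caType) { $configuredType = $caTypeNames[[int]$caType] }
}

[pscustomobject]@{
    RoleInstalled  = [bool]$feature.Installed
    ServiceState   = if ($service) { $service.Status.ToString() } else { 'Missing' }
    ActiveCA       = $active
    ConfiguredType = $configuredType
}
```

A node that is really configured shows ActiveCA set, ServiceState Running and ConfiguredType equal to the CAType the playbook requested; RoleInstalled true with ActiveCA empty means only the role feature is present and the CA itself still has to be set up, so a DSC "change not required" result in that state does not reflect the node.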
