xWebapppool will not compile using identitytype gMSA

[signalwarrant]

ISSUE TITLE:
'xwebapppool: Short description of my issue'

ISSUE DESCRIPTION (this template):

I would like to create an App Pool for a DSC Pull server running on Server 2019 that's connecting to a SQL Server 2019 backend that's running on Server 2019 as well. I want to authenticate to the DB using a gMSA, not SQL Authentication. I don't see a way to compile a configuration with the xwebapppool resource using the gMSA username format. I keep getting the error below.

I can manually edit the LCM mof and set the identitytype to "mylab\SQLsvcAccount$", reapply the LCM config and everything works fine.

xWebAdministration\xWebAppPool : At least one of the values 'mylab\SQLsvcAccount$' is not supported or valid for property 'identityType' on class 'xWebAppPool'. Please
specify only supported values:
ApplicationPoolIdentity, LocalService, LocalSystem, NetworkService, SpecificUser.
At line:78 char:9
xWebAppPool DSCPool
CategoryInfo : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
FullyQualifiedErrorId : UnsupportedValueForProperty,xWebAdministration\xWebAppPool

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration SecureWebPullServerWithSQLDatabase { 
    Param ( 
        [ValidateNotNullOrEmpty()]
        [ string ] $NodeName = 'localhost' ,
        
        [ValidateNotNullOrEmpty()]
        [ string ] $Thumbprint = " $( Throw "Provide a valid certificate thumbprint to continue" ) " , 
        
        [ValidateNotNullOrEmpty()]
        [ string ] $Guid = " $( Throw "Provide a valid GUID to continue" ) " 
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration, xPSDesiredStateConfiguration, xWebAdministration
    
    Node $NodeName 
    { 
        LocalConfigurationManager
        {
            ActionAfterReboot       = 'ContinueConfiguration'
            ConfigurationMode       = 'ApplyandAutoCorrect'
            RebootNodeIfNeeded      = $false
            AllowModuleOverwrite    = $true
            CertificateID           = $ThumbPrint
        }   
        # https://docs.microsoft.com/en-us/powershell/dsc/pull-server/secureserver
        # The next series of settings disable SSL and enable TLS, for environments where that is required by policy.
        Registry TLS1_2ServerEnabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName   = 'Enabled'
            ValueData   = 1
            ValueType   = 'Dword'
        } # end resource
            
        Registry TLS1_2ServerDisabledByDefault
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
            ValueName   = 'DisabledByDefault'
            ValueData   = 0
            ValueType   = 'Dword'
        } # end resource

        Registry TLS1_2ClientEnabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName   = 'Enabled'
            ValueData   = 1
            ValueType   = 'Dword'
        } # end resource
        
        Registry TLS1_2ClientDisabledByDefault
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
            ValueName   = 'DisabledByDefault'
            ValueData   = 0
            ValueType   = 'Dword'
        } # end resource
        
        Registry SSL2ServerDisabled
        {
            Ensure      = 'Present'
            Key         = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
            ValueName   = 'Enabled'
            ValueData   = 0
            ValueType   = 'Dword'
        }

        Windowsfeature DSCServiceFeature 
        { 
            Ensure = 'Present'
            Name = 'DSC-Service'
        }

        xWebAppPool DSCPool
        {
            Ensure = 'Present'
            Name = 'DSCPool'
            identityType = "mylab\SQLSvcAccount$"
            startMode = 'OnDemand'
            State = 'Started'
            DependsOn = '[WindowsFeature]DSCServiceFeature'

        }
        
        xDscWebService SecureWebPullServer 
        { 
            Ensure = 'Present'                
            EndpointName = 'PSDSCPullServer' 
            Port = 443 
            PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint = $Thumbprint 
            ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
            ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
            State = 'Started'
            DependsOn = '[xWebAppPool]DSCPool' 
            RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $false 
            UseSecurityBestPractices = $true 
            ApplicationPoolName = 'DSCPool'
            SqlProvider = $true 
            SqlConnectionString = 'Provider=MSOLEDBSQL;Server=sql.mylab.local;Database=dsc;Trusted_Connection=yes;Initial Catalog=master;Encrypt=yes;'
        }
                
        File RegistrationKeyFile 
        { 
            Ensure = 'Present'
            Type = 'File' 
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents = $Guid 
            DependsOn = '[xDscWebService]SecureWebPullServer' 
        } 

        Windowsfeature IISMGMTConsole 
        { 
            Ensure = 'Present'
            Name = 'Web-Mgmt-Console'
            DependsOn = '[xDscWebService]SecureWebPullServer' 
        }

        # Stop the default website
        xWebsite StopDefaultSite
        {
            Ensure         = 'Present'
            Name           = 'Default Web Site'
            State          = 'Stopped'
            PhysicalPath   = 'C:\inetpub\wwwroot'
            DependsOn      = '[WindowsFeature]DSCServiceFeature'
        } # end resource

        WindowsFeature IISScripting
         {
             Ensure         = 'Present'
             Name           = 'Web-Scripting-Tools'
             DependsOn      = '[xDSCWebService]SecureWebPullServer'
         } # end resource
    } 
}

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used

PSDesiredStateConfiguration 1.1
xPSDesiredStateConfiguration 9.1.0
xWebAdministration 3.1.1

[johlju]

For a resource to be able to support (g)MSA it needs to ignore the password part of the credential object (discussed and documented in the SqlServerDsc specific guidelines, credentials-that-does-not-have-password.

I see this resource do expect to set the password for the credential object so I suspect the resource need to be modified to handle (g)MSA.

[signalwarrant]

This scenario is documented in another issue from a few years ago #80, the workaround discussed there of passing a random password as part of the credential object for the gMSA does work to get the config to compile and config the server. It's just a bit wonky.