DSC Agent failed... The underlying error is: The attempt to register DSC Agent

This topic contains 12 replies, has 2 voices, and was last updated by Fredrik Kacsmarck 1 week, 6 days ago.

  • #58597
    Viral Patel
    Participant

    Hi,

    We seem to have issues on a new Pull DSC server setup (running on Windows Server 2016 Core). We keep getting the following error:

    "DSC Agent failed... The underlying error is: The attempt to register DSC Agent"

    It works great for a day, then we have issues with nodes trying to register with the pull server. I'm wondering if there is a bug or something.

    Below is the DSC config:

    Configuration PullServer
    {
        param
        (
            [string[]] $NodeName = 'localhost',

            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint,

            [Parameter(Mandatory)]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey
        )

        Import-DSCResource -ModuleName "xPSDesiredStateConfiguration","WinTechDiskVolume","xWebAdministration","WinTechWinlogbeat", `
                                       "WinTechFileBeat","WinTechTopbeat","WinTechOctopus"

        Node $NodeName
        {
            $Features = "Web-ISAPI-Ext","Web-ISAPI-Filter","Web-Asp-Net45","Web-Net-Ext45",
                        "Web-Security","Web-Health","Web-Common-Http","Telnet-Client","Web-Mgmt-Service"

            WindowsFeature Web_WebServer
            {
                Name   = "Web-Server"
                Ensure = "present"
            }

            foreach ($Feature in $Features)
            {
                WindowsFeature $Feature
                {
                    Name                 = $Feature
                    Ensure               = "present"
                    IncludeAllSubFeature = $true
                }
            }

            # Allow remote IIS management; WMSVC reads this value when it starts
            Registry Enable_IIS_Remote
            {
                Ensure    = "Present"
                Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
                ValueName = "EnableRemoteManagement"
                ValueData = "1"
                ValueType = "Dword"
            }

            Service WMSVC
            {
                Name        = "WMSVC"
                State       = "Running"
                StartupType = "Automatic"
                DependsOn   = "[Registry]Enable_IIS_Remote"
            }

            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name   = 'DSC-Service'
            }

            # UseSecurityBestPractices = $true also hardens SCHANNEL on this host
            # (SSL 3.0 and TLS 1.0 disabled), so clients must negotiate TLS 1.1 or 1.2
            xDscWebService PSDSCPullServer
            {
                Ensure                   = 'Present'
                EndpointName             = 'PSDSCPullServer'
                Port                     = 443
                PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer"
                CertificateThumbPrint    = $certificateThumbPrint
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                    = 'Started'
                UseSecurityBestPractices = $true
                DependsOn                = '[WindowsFeature]DSCServiceFeature'
            }

            # Registration key that pull clients present in their LCM meta-configuration
            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents        = $RegistrationKey
            }

            DiskVolume Volume_D
            {
                DriveLetter = "D"
                DiskNumber  = 1
            }

            Winlogbeat WinlogbeatInstall
            {
                Version  = "1.3.1.2"
                Ensure   = "Present"
                EndPoint = "UK"
            }

            Service winlogbeat
            {
                Name        = "winlogbeat"
                State       = "Running"
                StartupType = "Automatic"
                DependsOn   = "[Winlogbeat]WinlogbeatInstall"
            }

            FileBeat FilebeatInstall
            {
                Ensure   = "Present"
                Version  = "1.3.1.9"
                EndPoint = "UK"
            }

            Service FilebeatService
            {
                Name        = "filebeat"
                State       = "Running"
                StartupType = "Automatic"
                DependsOn   = "[FileBeat]FilebeatInstall"
            }

            Topbeat TopbeatInstall
            {
                Version  = "1.3.1.2"
                Ensure   = "Present"
                EndPoint = "UK"
            }

            Service Topbeat
            {
                Name        = "Topbeat"
                State       = "Running"
                StartupType = "Automatic"
                DependsOn   = "[Topbeat]TopbeatInstall"
            }

            File IISFolder
            {
                DestinationPath = "D:\IISLogs"
                Type            = "Directory"
            }

            xIisLogging Logging
            {
                LogPath   = 'D:\IISLogs'
                Logflags  = @('Date','Time','ClientIP','UserName','SiteName','ServerIP','Method','UriStem','UriQuery','HttpStatus','Win32Status','TimeTaken','ServerPort','UserAgent','Referer','HttpSubStatus')
                LogPeriod = 'daily'
                DependsOn = '[File]IISFolder'
            }

            OctopusTentacle OctopusInstall
            {
                Name             = "Tentacle"
                Ensure           = "present"
                Environment      = "Ops"
                Roles            = @("UK-DSC-01","dsc-pull-server")
                OctopusServerURL = "http://octopus.wintech.eu"
                ListenPort       = 10933
                Version          = "3.4.11"
                # Redacted placeholder: the post contained a literal API key. Pass it in
                # as a parameter rather than hard-coding it in the configuration.
                ApiKey           = '<octopus-api-key>'
                DependsOn        = "[DiskVolume]Volume_D"
            }
        }
    }

    
    I downloaded xPSDesiredStateConfiguration from the PowerShell Gallery. Wondering if there is a bug in there. Also, is there any harm in deleting the edbXXXX.log files, as they fill up quite quickly?
  • #58598
    Fredrik Kacsmarck
    Participant

    Have a look at the following thread:

    https://powershell.org/forums/topic/dsc-pull-server-with-ssl/

    Not sure what the problem is, but it seems that when using the securitybestpractices it sets the pull server to use TLS.
    The "default" PowerShell session doesn't seem to use TLS and you get that error.
    You can check with:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri 'https://yourserver:port/PSDSCPullServer.svc'
    

    If you first do the Invoke-WebRequest without setting the protocol, it should give you the result you have now.
    After setting the security protocol you should get the correct web response.

  • #58604
    Fredrik Kacsmarck
    Participant

    Now when checking my lab VM's the error was introduced again.
    I believe I've figured it out though.
    The security best practices enable only TLS 1.1 and TLS 1.2; SSL3 and TLS 1.0 are set to disabled.

    The default Powershell session protocols are SSL3 and TLS 1.0.
    You can check with:

    [Net.ServicePointManager]::SecurityProtocol
    

    So to "enable" it, so that the default PowerShell session is able to respond to the web request, you need to enable TLS 1.0 or SSL3.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000001
    

    Not sure if you can change the default protocols that a powershell session will use but maybe someone could chime in on that.

    Edit: Just to make it a bit clear the registry setting is on the pullserver so that it will respond to sessions over TLS 1.0.

  • #58609
    Viral Patel
    Participant

    Hi Fredrik,

    Thank you for your post. Just before you posted I was checking to see if it was TLS issue, glad you confirmed my thoughts.

    I will try it out.

    Thanks

  • #58613
    Fredrik Kacsmarck
    Participant

    You're welcome,

    I believe the re-introduction in my lab was because I didn't change the UseSecurityBestPractices to $false.
    So it got re-applied after the shutdown/start 🙂

  • #58618
    Viral Patel
    Participant

    Still having the problem. I wonder if it is because the node in question has the below set?

    # Posted as a fragment; wrapped in a Configuration/Node block here so it compiles on its own.
    Configuration NodeSchannel
    {
        Import-DscResource -ModuleName PSDesiredStateConfiguration, xPSDesiredStateConfiguration

        Node localhost
        {
            # Note: SCHANNEL reads Enabled = 0 as disabled and any non-zero value as
            # enabled, so with ValueData 0xffffffff these two loops actually enable
            # the listed hashes and key-exchange algorithms despite the resource names.
            foreach ($protocol in @("MD5","SHA"))
            {
                Registry "Disable Hash $protocol"
                {
                    Ensure    = "Present"
                    Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$protocol"
                    ValueName = "Enabled"
                    ValueData = "ffffffff"
                    Hex       = $true
                    ValueType = "Dword"
                }
            }

            foreach ($protocol in @("Diffie-Hellman","PKCS"))
            {
                Registry "Disable KeyExchangeAlgorithms $protocol"
                {
                    Ensure    = "Present"
                    Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$protocol"
                    ValueName = "Enabled"
                    ValueData = "ffffffff"
                    Hex       = $true
                    ValueType = "Dword"
                }
            }

            Registry "Multi-Protocol Unified Hello"
            {
                Ensure    = "Present"
                Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello'
                ValueName = "Enabled"
                ValueData = "0"
                ValueType = "Dword"
            }

            Registry "PCT 1.0"
            {
                Ensure    = "Present"
                Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
                ValueName = "Enabled"
                ValueData = "0"
                ValueType = "Dword"
            }

            Registry LocaleName
            {
                Ensure    = "Present"
                Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
                ValueName = "LocaleName"
                ValueData = "en-GB"
                ValueType = "String"
            }

            Registry sCountry
            {
                Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
                ValueName = "sCountry"
                ValueData = "United Kingdom"
                ValueType = "String"
            }

            Registry sShortDate
            {
                Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
                ValueName = "sShortDate"
                ValueData = "dd/MM/yyyy"
                ValueType = "String"
            }

            # xRegistry rather than Registry here: these key names contain '/', which
            # the built-in Registry resource treats as a path separator.
            foreach ($protocol in @("NULL","RC2 128/128","RC2 56/128","RC4 128/128","RC4 64/128","Triple DES 168","DES 56/56","RC2 40/128","RC4 40/128","RC4 56/128"))
            {
                xRegistry "Disable Cipher $protocol"
                {
                    Ensure    = "Present"
                    Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$protocol"
                    ValueName = "Enabled"
                    ValueData = "0"
                    ValueType = "Dword"
                }
            }

            Registry Enable_IIS_Remote
            {
                Ensure    = "Present"
                Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
                ValueName = "EnableRemoteManagement"
                ValueData = "1"
                ValueType = "Dword"
            }
        }
    }

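    The two things the thread keeps circling back to are what SCHANNEL on the pull server actually has enabled (Fredrik's TLS 1.0/SSL3 explanation above) and what a client session can negotiate against it. The script below is an added diagnostic, not code from the thread or from xPSDesiredStateConfiguration. It reads the SCHANNEL keys the same way the configurations in this thread write them, interprets Enabled = 0 versus 0xffffffff correctly, opens cipher keys whose names contain '/' through .NET so they are not mangled, and then tries the pull server endpoint with each protocol pinned in turn. The host name in $PullServerUri is a placeholder; run the registry audit on the pull server and the endpoint test from a node.

```powershell
# Added diagnostic (not from the thread). Registry part: run on the pull server.
# Endpoint part: run from a node that fails to register. $PullServerUri is a placeholder.

$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelSetting {
    param(
        # Path relative to the SCHANNEL key, e.g. 'Protocols\TLS 1.0\Server' or 'Ciphers\RC4 128/128'
        [Parameter(Mandatory)] [string] $SubKey
    )
    # .NET's OpenSubKey only splits on '\', so a cipher name such as 'RC4 128/128' opens
    # as one key; the HKLM: provider would treat the '/' as another path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) {
        return [pscustomobject]@{ Setting = $SubKey; Enabled = $null; DisabledByDefault = $null; State = 'not configured (OS default)' }
    }
    try {
        $enabled           = $key.GetValue('Enabled', $null)           # REG_DWORD 0xffffffff comes back as Int32 -1
        $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
    } finally {
        $key.Close()
    }
    # SCHANNEL semantics: Enabled = 0 disables; any non-zero value enables.
    $state = if ($null -eq $enabled) { 'not configured (OS default)' }
             elseif ($enabled -eq 0)  { 'disabled' }
             else                     { 'enabled' }
    if ($state -eq 'enabled' -and $disabledByDefault -eq 1) { $state = 'enabled, but off by default' }
    [pscustomobject]@{ Setting = $SubKey; Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state }
}

function Get-SchannelAudit {
    # The entries the configurations in this thread touch, plus the TLS versions that matter for the LCM.
    $checks = @(
        'Protocols\SSL 3.0\Server', 'Protocols\TLS 1.0\Server', 'Protocols\TLS 1.1\Server', 'Protocols\TLS 1.2\Server',
        'Hashes\MD5', 'Hashes\SHA',
        'KeyExchangeAlgorithms\Diffie-Hellman', 'KeyExchangeAlgorithms\PKCS',
        'Ciphers\NULL', 'Ciphers\RC4 128/128', 'Ciphers\Triple DES 168', 'Ciphers\AES 256/256'
    )
    foreach ($check in $checks) { Get-SchannelSetting -SubKey $check }
}

function Test-PullServerEndpoint {
    param(
        [Parameter(Mandatory)] [uri] $Uri,
        [Net.SecurityProtocolType] $Protocol = [Net.SecurityProtocolType]::Tls12
    )
    # Pin one protocol for the duration of the request, then restore the session default
    # so the test does not change behaviour for anything else running in this session.
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $Protocol
        $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Protocol = $Protocol; Reachable = $true;  StatusCode = $response.StatusCode; Error = $null }
    } catch {
        [pscustomobject]@{ Protocol = $Protocol; Reachable = $false; StatusCode = $null; Error = $_.Exception.Message }
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Usage (placeholder host; replace with your pull server's endpoint).
$PullServerUri = 'https://pullserver.example.invalid/PSDSCPullServer.svc'

"Session default protocols: $([Net.ServicePointManager]::SecurityProtocol)"
Get-SchannelAudit | Format-Table -AutoSize
foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-PullServerEndpoint -Uri $PullServerUri -Protocol ([Net.SecurityProtocolType]$name)
} | Format-Table -AutoSize
```

    If the audit shows TLS 1.2 enabled on the server and the Tls12 probe succeeds while Ssl3 and Tls fail, the server side is fine and the problem is a client that only offers the old protocols; that is the case to fix on the client rather than by re-enabling TLS 1.0 on the pull server, which undoes the hardening UseSecurityBestPractices applied. For .NET clients such as PowerShell, a persistent alternative to setting SecurityProtocol in every session is the SchUseStrongCrypto DWORD under HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 (and the Wow6432Node equivalent); whether that affects the LCM itself is not something this thread establishes, so verify with the probe above after any change.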
    
  • #58621
    Viral Patel
    Participant

    Also, on my pull server I have the below now:

             xDscWebService PSDSCPullServer 
             { 
                 Ensure                  = 'Present' 
                 EndpointName            = 'PSDSCPullServer' 
                 Port                    = 443 
                 PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer" 
                 CertificateThumbPrint   = $certificateThumbPrint          
                 ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
                 ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
                 State                   = 'Started'
                 UseSecurityBestPractices = $false
                 DisableSecurityBestPractices = 'SecureTLSProtocols'
                 DependsOn               = '[WindowsFeature]DSCServiceFeature'                         
             } 
    
    
  • #58628
    Fredrik Kacsmarck
    Participant

    Have you checked the registry and what the TLS values are set to?
    From what I can see in my test VM, setting the securitybestpractice to false doesn't change the settings if they have already been implemented once.

    Does the invoke-webrequest work with or without setting the security protocol?

    • #58634
      Viral Patel
      Participant

      I had a snapshot of the Pull Server from before applying the Pull Server runbook; I added the TLS registry key you mentioned. But the node is still having issues connecting.

  • #58636
    Fredrik Kacsmarck
    Participant

    But if you try the Invoke-WebRequest from the node, with the security protocol set in the session, does that still produce the same error?
    If you don't get a response on the web request, trying to register the node won't work either.
    Also, have you tried restarting the pull server after changing the registry keys?
    While I was testing this, some changes required a reboot to be applied.

  • #58637
    Viral Patel
    Participant

    No that does not produce the same error.

    Yep I have also rebooted the Pull Server to no avail. Rebooted the node server as well.

    Viral

  • #58661
    Viral Patel
    Participant

    OK, it is solved. I had to register the nodes, remove the LCM and register the node back to the Pull Server.

    Thank you for your help.
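    Re-registering a node, as in the resolution above, comes down to giving the LCM a fresh meta-configuration that points at the pull server and carries the registration key. The following is an added example (PowerShell; not code from the thread) of that meta-configuration and the cmdlets used to clear the old state and apply it. It assumes the pull server built earlier in the thread (EndpointName PSDSCPullServer on port 443, the key stored in RegistrationKeys.txt); the host name, registration key, configuration name and output path are placeholders.

```powershell
# Added example: LCM meta-configuration that registers a node with the thread's pull server.
# Placeholders: the host in PullServerUrl, RegistrationKey, ConfigurationNames, OutputPath.

[DSCLocalConfigurationManager()]
Configuration PullClientRegistration
{
    param
    (
        [string[]] $NodeName = 'localhost',

        # Must match EndpointName and Port of the xDscWebService resource on the server
        [Parameter(Mandatory)]
        [string] $PullServerUrl,

        # Must match the content of RegistrationKeys.txt on the pull server
        [Parameter(Mandatory)]
        [string] $RegistrationKey,

        # Names of the .mof files in the server's ConfigurationPath this node should pull
        [Parameter(Mandatory)]
        [string[]] $ConfigurationNames
    )

    Node $NodeName
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded   = $false
        }

        # No AllowUnsecureConnection: HTTPS only, so the node must trust the certificate
        # behind $certificateThumbPrint on the pull server and must be able to negotiate
        # a TLS version the hardened server still accepts.
        ConfigurationRepositoryWeb PullServer
        {
            ServerURL          = $PullServerUrl
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = $ConfigurationNames
        }

        ReportServerWeb PullServer
        {
            ServerURL       = $PullServerUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

# Usage on the node (placeholder values).
$params = @{
    PullServerUrl      = 'https://pullserver.example.invalid:443/PSDSCPullServer.svc'
    RegistrationKey    = '<registration key from RegistrationKeys.txt>'
    ConfigurationNames = @('WebServerBaseline')
    OutputPath         = 'C:\DscMeta'
}
PullClientRegistration @params

# Clear stale configuration documents left by the failed attempts, then apply the new
# LCM settings; Set-DscLocalConfigurationManager performs the registration call.
Remove-DscConfigurationDocument -Stage Current, Pending, Previous -Force
Set-DscLocalConfigurationManager -Path 'C:\DscMeta' -Verbose

# Confirm the LCM took the settings and pull now instead of waiting for the next refresh.
Get-DscLocalConfigurationManager | Select-Object RefreshMode, ConfigurationMode
Update-DscConfiguration -Wait -Verbose
```

    The registration call made by Set-DscLocalConfigurationManager is the step that produces the "attempt to register DSC Agent" error from the first post, so running it with -Verbose after the endpoint probe succeeds is the quickest way to see whether the fix on the server side actually reached the LCM.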

  • #58687
    Fredrik Kacsmarck
    Participant

    Hmm, didn't have to do that myself but great that you solved it 🙂
