
November 24, 2016 at 11:18 am

Hi,

We seem to have issues on a new DSC Pull Server setup (running on Windows Server 2016 Core). We keep getting the

"DSC Agent failed... The underlying error is: The attempt to register DSC Agent"

It works great for a day, then we have issues with nodes trying to register to the pull server. I'm wondering if there is a bug or something.

Below is the DSC config:


Configuration PullServer
{
    param
    (
        [string[]]$NodeName = 'localhost',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey
    )

    Import-DSCResource -ModuleName "xPSDesiredStateConfiguration","WinTechDiskVolume","xWebAdministration","WinTechWinlogbeat", `
                                   "WinTechFileBeat","WinTechTopbeat","WinTechOctopus"

    Node $NodeName
    {
        $Features = "Web-ISAPI-Ext","Web-ISAPI-Filter","Web-Asp-Net45","Web-Net-Ext45",
                    "Web-Security","Web-Health","Web-Common-Http","Telnet-Client","Web-Mgmt-Service"

        WindowsFeature Web_WebServer
        {
            Name   = "Web-Server"
            Ensure = "present"
        }

        foreach ($Feature in $Features)
        {
            WindowsFeature $Feature
            {
                Name                 = $Feature
                Ensure               = "present"
                IncludeAllSubFeature = $true
            }
        }

        Registry Enable_IIS_Remote
        {
            Ensure    = "Present"
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
            ValueName = "EnableRemoteManagement"
            ValueData = "1"
            ValueType = "Dword"
        }

        Service WMSVC
        {
            Name        = "WMSVC"
            State       = "Running"
            StartupType = "Automatic"
            DependsOn   = "[Registry]Enable_IIS_Remote"
        }

        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                   = 'Present'
            EndpointName             = 'PSDSCPullServer'
            Port                     = 443
            PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint    = $certificateThumbPrint
            ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                    = 'Started'
            UseSecurityBestPractices = $true
            DependsOn                = '[WindowsFeature]DSCServiceFeature'
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }

        DiskVolume Volume_D
        {
            DriveLetter = "D"
            DiskNumber  = 1
        }

        Winlogbeat WinlogbeatInstall
        {
            Version  = "1.3.1.2"
            Ensure   = "Present"
            EndPoint = "UK"
        }

        Service winlogbeat
        {
            Name        = "winlogbeat"
            State       = "Running"
            StartupType = "Automatic"
            DependsOn   = "[Winlogbeat]WinlogbeatInstall"
        }

        FileBeat FilebeatInstall
        {
            Ensure   = "Present"
            Version  = "1.3.1.9"
            EndPoint = "UK"
        }

        Service FilebeatService
        {
            Name        = "filebeat"
            State       = "Running"
            StartupType = "Automatic"
            DependsOn   = "[FileBeat]FilebeatInstall"
        }

        Topbeat TopbeatInstall
        {
            Version  = "1.3.1.2"
            Ensure   = "Present"
            EndPoint = "UK"
        }

        Service Topbeat
        {
            Name        = "Topbeat"
            State       = "Running"
            StartupType = "Automatic"
            DependsOn   = "[Topbeat]TopbeatInstall"
        }

        File IISFolder
        {
            DestinationPath = "D:\IISLogs"
            Type            = "Directory"
        }

        xIisLogging Logging
        {
            LogPath   = 'D:\IISLogs'
            LogFlags  = @('Date','Time','ClientIP','UserName','SiteName','ServerIP','Method','UriStem','UriQuery','HttpStatus','Win32Status','TimeTaken','ServerPort','UserAgent','Referer','HttpSubStatus')
            LogPeriod = 'daily'
            DependsOn = '[File]IISFolder'
        }

        OctopusTentacle OctopusInstall
        {
            Name             = "Tentacle"
            Ensure           = "present"
            Environment      = "Ops"
            Roles            = @("UK-DSC-01","dsc-pull-server")
            OctopusServerURL = "http://octopus.wintech.eu"
            ListenPort       = 10933
            Version          = "3.4.11"
            # This key is written in plaintext into the compiled MOF; pass it in as a parameter rather than hardcoding it.
            ApiKey           = "API-HA4YFR4DX0BVT5JQMGVSMMKGW8"
            DependsOn        = "[DiskVolume]Volume_D"
        }
    }
}

I downloaded xPSDesiredStateConfiguration from the PowerShell Gallery. Wondering if there is a bug in there. Also, is there any harm in deleting the edbXXXX.log files, as they fill up quite quickly?

November 24, 2016 at 12:28 pm

Have a look at the following thread:

https://powershell.org/forums/topic/dsc-pull-server-with-ssl/

Not sure what the problem is, but it seems that when using the securitybestpractices it sets the pull server to use TLS.
The "default" PowerShell session doesn't seem to use TLS and you get that error.
You can check with:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://yourserver:port/PSDSCPullServer.svc'

If you first do the Invoke-WebRequest without setting the protocol, it should give you the result you have now.
After setting the security protocol you should get the correct web response.

November 24, 2016 at 12:58 pm

Now, when checking my lab VMs, the error was introduced again.
I believe I've figured it out though.
The security best practices enable only TLS 1.1 and TLS 1.2; SSL3 and TLS 1.0 are set to disabled.

The default PowerShell session protocols are SSL3 and TLS 1.0.
You can check with:

[Net.ServicePointManager]::SecurityProtocol

So to "enable" it, so that the default PowerShell session is able to get a response to the web request, you need to enable TLS 1.0 or SSL3:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001

Not sure if you can change the default protocols that a PowerShell session will use, but maybe someone could chime in on that.

Edit: Just to make it a bit clearer, the registry setting is on the pull server so that it will respond to sessions over TLS 1.0.

November 24, 2016 at 1:13 pm

Hi Fredrik,

Thank you for your post. Just before you posted I was checking to see if it was a TLS issue; glad you confirmed my thoughts.

I will try it out.

Thanks

November 24, 2016 at 1:37 pm

You're welcome,

I believe the re-introduction in my lab was because I didn't change UseSecurityBestPractices to $false.
So it got re-applied after the shutdown/start 🙂

November 24, 2016 at 2:13 pm

Still having the problem. I wonder whether it's because the node in question has the below set?

# Fragment of the node's configuration (body of its Node block); xRegistry comes from xPSDesiredStateConfiguration.
foreach ($protocol in @("MD5","SHA"))
{
    Registry "Disable Hash $protocol"
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$protocol"
        ValueName = "Enabled"
        ValueData = "ffffffff"
        Hex       = $true
        ValueType = "Dword"
    }
}

foreach ($protocol in @("Diffie-Hellman","PKCS"))
{
    Registry "Disable KeyExchangeAlgorithms $protocol"
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$protocol"
        ValueName = "Enabled"
        ValueData = "ffffffff"
        Hex       = $true
        ValueType = "Dword"
    }
}

Registry "Multi-Protocol Unified Hello"
{
    Ensure    = "Present"
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello'
    ValueName = "Enabled"
    ValueData = "0"
    ValueType = "Dword"
}

Registry "PCT 1.0"
{
    Ensure    = "Present"
    Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
    ValueName = "Enabled"
    ValueData = "0"
    ValueType = "Dword"
}

Registry LocaleName
{
    Ensure    = "Present"
    Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
    ValueName = "LocaleName"
    ValueData = "en-GB"
    ValueType = "String"
}

Registry sCountry
{
    Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
    ValueName = "sCountry"
    ValueData = "United Kingdom"
    ValueType = "String"
}

Registry sShortDate
{
    Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
    ValueName = "sShortDate"
    ValueData = "dd/MM/yyyy"
    ValueType = "String"
}

foreach ($protocol in @("NULL","RC2 128/128","RC2 56/128","RC4 128/128","RC4 64/128","Triple DES 168","DES 56/56","RC2 40/128","RC4 40/128","RC4 56/128"))
{
    xRegistry "Disable Cipher $protocol"
    {
        Ensure    = "Present"
        Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$protocol"
        ValueName = "Enabled"
        ValueData = "0"
        ValueType = "Dword"
    }
}

Registry Enable_IIS_Remote
{
    Ensure    = "Present"
    Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
    ValueName = "EnableRemoteManagement"
    ValueData = "1"
    ValueType = "Dword"
}
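Fredrik's explanation above (the pull server's SCHANNEL settings versus the protocols a client session offers) and the node hardening snippet just posted come down to the same question: which protocols each side will actually negotiate. The script below is an added example, not code from this thread. It reads the SCHANNEL protocol switches and the .NET SchUseStrongCrypto flag on whichever host it runs on, then probes the pull server endpoint one protocol at a time so that a failure names the protocol the server refuses. The pull server URI is a placeholder.

```powershell
# Added example (not from the thread). Run elevated on the pull server and on a node
# and compare the two outputs. $PullServerUri is a placeholder.
param(
    [string]$PullServerUri = 'https://pullserver.example.invalid:443/PSDSCPullServer.svc'
)

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Read-DwordOrDefault {
    param([string]$Key, [string]$Name)
    # A missing key or value means the OS default applies (which differs by Windows version).
    if (-not (Test-Path -Path $Key)) { return 'default' }
    $v = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 'default' }
    # DWORDs come back as Int32; 0xffffffff (enabled) prints as written because x8 uses two's complement.
    return ('0x{0:x8}' -f $v)
}

function Get-SchannelProtocolState {
    # One row per protocol and side; Enabled and DisabledByDefault are the two SCHANNEL switches.
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path -Path $schannel -ChildPath "$p\$side"
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = Read-DwordOrDefault -Key $key -Name 'Enabled'
                DisabledByDefault = Read-DwordOrDefault -Key $key -Name 'DisabledByDefault'
            }
        }
    }
}

function Get-DotNetStrongCrypto {
    # SchUseStrongCrypto=1 makes .NET 4.x clients (Invoke-WebRequest included) default to
    # TLS 1.1/1.2 instead of SSL3/TLS 1.0; checked for the 64-bit and 32-bit runtimes.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = Read-DwordOrDefault -Key $key -Name 'SchUseStrongCrypto'
        }
    }
}

function Test-PullServerEndpoint {
    param([string]$Uri, [Net.SecurityProtocolType]$Protocol)
    # Pin this session to a single protocol so a failure identifies which one the server refuses.
    $saved = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $Protocol
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Protocol = $Protocol; Result = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ Protocol = $Protocol; Result = $_.Exception.Message }
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $saved
    }
}

"SCHANNEL protocol switches on $env:COMPUTERNAME"
Get-SchannelProtocolState | Format-Table -AutoSize

".NET strong-crypto switch"
Get-DotNetStrongCrypto | Format-Table -AutoSize

"Protocols this PowerShell session offers by default: $([Net.ServicePointManager]::SecurityProtocol)"

"Probing $PullServerUri one protocol at a time"
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    Test-PullServerEndpoint -Uri $PullServerUri -Protocol ([Net.SecurityProtocolType]$proto)
}
```

If the probe succeeds only for Tls12 while the session default shows "Ssl3, Tls", the mismatch is on the client side; setting SchUseStrongCrypto on the client (or pinning the session as in the earlier reply) fixes that without re-enabling TLS 1.0 on the server. If every probe fails, look at the server's SCHANNEL rows and the certificate binding before touching the node.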

November 24, 2016 at 2:14 pm

Also, on my pull server I have the below now:

xDscWebService PSDSCPullServer
{
    Ensure                       = 'Present'
    EndpointName                 = 'PSDSCPullServer'
    Port                         = 443
    PhysicalPath                 = "$env:SystemDrive\inetpub\PSDSCPullServer"
    CertificateThumbPrint        = $certificateThumbPrint
    ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
    ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
    State                        = 'Started'
    UseSecurityBestPractices     = $false
    DisableSecurityBestPractices = 'SecureTLSProtocols'
    DependsOn                    = '[WindowsFeature]DSCServiceFeature'
}

November 24, 2016 at 2:40 pm

Have you checked the registry and what the TLS values are set to?
From what I can see in my test VM, setting securitybestpractices to false doesn't change the settings if they have already been implemented once.

Does the Invoke-WebRequest work with or without setting the security protocol?

November 24, 2016 at 2:45 pm

I had a snapshot of the Pull Server from before applying the Pull Server runbook; I added the TLS registry key you mentioned. But the node is still having issues connecting.

November 24, 2016 at 2:53 pm

But if you try the Invoke-WebRequest from the node with the security protocol set in the session, does that still produce the same error?
If you don't get a response to the web request, trying to register the node won't work either.
Also, have you tried a restart of the pull server after changing the registry keys?
While I tested this, some changes required a reboot to be applied.

November 24, 2016 at 2:59 pm

No that does not produce the same error.

Yep, I have also rebooted the Pull Server to no avail. Rebooted the node server as well.

Viral

November 24, 2016 at 4:42 pm

OK, it is solved: I had to register the nodes, remove the LCM and register the node back to the Pull Server.

Thank you for your help.
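The fix reported above was to re-register the node with the pull server. The block below is an added example, not code from this thread, of how that registration is expressed as an LCM meta-configuration and applied. The server URL, the registration key file path and the configuration name are placeholders; the registration key must match a line in the pull server's RegistrationKeys.txt, and the URL must use the same HTTPS endpoint the node was failing against.

```powershell
# Added example (not from the thread): re-register a node by applying a fresh LCM meta-configuration.
# Placeholders: pull server URL, registration key file, configuration name.
[DSCLocalConfigurationManager()]
Configuration PullClientRegistration
{
    param(
        [Parameter(Mandatory)] [string]   $PullServerUrl,
        [Parameter(Mandatory)] [string]   $RegistrationKey,
        [string[]] $ConfigurationNames = @('WebNode'),   # placeholder configuration name on the pull server
        [string]   $NodeName           = 'localhost'
    )

    Node $NodeName
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded   = $false
        }

        ConfigurationRepositoryWeb PullServer
        {
            ServerURL               = $PullServerUrl
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = $ConfigurationNames
            AllowUnsecureConnection = $false   # registration stays on HTTPS only
        }

        ReportServerWeb ReportServer
        {
            ServerURL       = $PullServerUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

$url = 'https://pullserver.example.invalid:443/PSDSCPullServer.svc'      # placeholder
# Placeholder path: read the key from a protected file so it is not hardcoded in the script.
$key = (Get-Content -Path 'C:\Temp\RegistrationKey.txt' -Raw).Trim()

# Compile the meta-configuration MOF for this node.
PullClientRegistration -PullServerUrl $url -RegistrationKey $key -OutputPath 'C:\Temp\PullClientRegistration'

# Applying it makes the LCM contact the pull server and register; the "attempt to register
# DSC Agent" error from the first post, if it recurs, is raised during this step.
Set-DscLocalConfigurationManager -Path 'C:\Temp\PullClientRegistration' -Verbose

# Confirm the LCM now points at the pull server, then pull and apply the configuration.
Get-DscLocalConfigurationManager | Select-Object RefreshMode, ConfigurationMode, ConfigurationDownloadManagers
Update-DscConfiguration -Wait -Verbose
```

Running Set-DscLocalConfigurationManager with -Verbose shows the registration call itself, which is the quickest way to tell whether a failure is the TLS handshake discussed earlier or a rejected registration key.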

November 25, 2016 at 10:08 am

Hmm, I didn't have to do that myself, but great that you solved it 🙂