DSC Pull Server with SSL - unable to register

This topic contains 9 replies, has 5 voices, and was last updated by Viral Patel 2 weeks ago.

  • #57656
    eugene r
    Participant

    All, I am having issues accessing pull server over SSL port. HTTP works fine. Public SSL certificate is being used. I can browse to the pull server URL without any certificate errors or warnings.

    The following configuration works:

    configuration Sample_xDscPullServer
    { 
        param  
        ( 
                [string[]]$NodeName = 'localhost', 
    
                [ValidateNotNullOrEmpty()] 
                [string] $certificateThumbPrint
         ) 
    
    
         Import-DSCResource -ModuleName xPSDesiredStateConfiguration
         Import-DSCResource -ModuleName PSDesiredStateConfiguration
    
         Node $NodeName 
         { 
             WindowsFeature DSCServiceFeature 
             { 
                 Ensure = 'Present'
                 Name   = 'DSC-Service'             
             } 
    
             xDscWebService PSDSCPullServer 
             { 
                 Ensure                   = 'Present' 
                 EndpointName             = 'PSDSCPullServer' 
                 Port                     = 8080 
                 PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer" 
                 CertificateThumbPrint    = 'AllowUnencryptedTraffic'          
                 ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
                 ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
                 State                    = 'Started'
                 DependsOn                = '[WindowsFeature]DSCServiceFeature'     
                 UseSecurityBestPractices = $true
             }        
        }
    }
    

    This one does not:

    configuration Sample_xDscPullServer
    { 
        param  
        ( 
                [string[]]$NodeName = 'localhost', 
    
                [ValidateNotNullOrEmpty()] 
                [string] $certificateThumbPrint
         ) 
    
    
         Import-DSCResource -ModuleName xPSDesiredStateConfiguration
         Import-DSCResource -ModuleName PSDesiredStateConfiguration
    
         Node $NodeName 
         { 
             WindowsFeature DSCServiceFeature 
             { 
                 Ensure = 'Present'
                 Name   = 'DSC-Service'             
             } 
    
             xDscWebService PSDSCPullServer 
             { 
                 Ensure                   = 'Present' 
                 EndpointName             = 'PSDSCPullServer' 
                 Port                     = 8080 
                 PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer" 
                 CertificateThumbPrint    = $certificateThumbPrint          
                 ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
                 ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
                 State                    = 'Started'
                 DependsOn                = '[WindowsFeature]DSCServiceFeature'     
                 UseSecurityBestPractices = $true
             }        
        }
    }
    

    I get the following error:

    Registration of the Dsc Agent with the server https://xxxx.xxxx.com:8080/PSDSCPullserver.svc failed. The underlying error is: Failed to 
    register Dsc Agent with AgentId 9BBDFD2F-A215-11E6-80E2-005056996E1C with the server 
    https://xxxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'). .
        + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : RegisterDscAgentCommandFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
        + PSComputerName        : localhost
    

    Did anyone run into this issue before?

  • #57658
    Don Jones
    Keymaster

    To double-check a couple of things...

    Did you delete the pull server database between tries, to ensure you had a fresh start each time?

    You've definitely been able to browse to the HTTPS address without error? What URL are you using to do that?

    • #57669
      eugene r
      Participant

      Hi Don, yes, I do delete the pull server database when I rebuild the site. There are no SSL errors that I see in a browser. But I've just checked the IIS logs and it does not appear that requests are being logged when DSC tries to connect to the server.

      I test with https://xxx.xxxx.com//PSDSCPullserver.svc and get the following

      (the OData service document, workspace "Default", listing the collections: Configurations, Modules, Action, Module, StatusReport, Node, Reports, Nodes)

      or, if I copy the URL from the error, https://xxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'), I get:

      Client protocol version is invalid. Request header should contain ProtocolVersion 2.0.
      System.ArgumentException

      My guess now is that it could be UseSecurityBestPractices=$true and the client and server ciphers don't match up.

    • #57679
      Jeff
      Participant

      Indeed, I have found this issue to be due to, as you suspect, UseSecurityBestPractices=$true.
      If I use the following property:

      DisableSecurityBestPractices ='SecureTLSProtocols' 

      then I no longer have issues when building a new pull server. Unfortunately, setting UseSecurityBestPractices=$false or applying a config with DisableSecurityBestPractices won't undo the previous registry settings for an existing pull server. To fix an existing pull server where UseSecurityBestPractices=$true was run, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
      and delete any keys you don't want (you can compare with a clean server build, but basically deleting anything with TLS in the name fixed the issue for me, and they weren't there before applying the config with UseSecurityBestPractices=$true). I haven't narrowed it down yet to see which of the TLS registry settings were causing the problem, but it does take a reboot after deleting those keys for it to take effect.

    • #57728
      eugene r
      Participant

      Thanks Jeff, you were right: disabling TLS fixed the issue! If I have time I'll dig into what specific protocol is failing and update the thread.

      Thanks,
      Eugene

    • #57736
      eugene r
      Participant

      One more note: it does appear that UseSecurityBestPractices = $true is leaving something out of the config.

      If I use the best practices for securing SSL scripted in this link, https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12, the pull server works with TLS as well.

      I will incorporate these settings in my pull server config.

      Eugene

  • #58025
    Fredrik Kacsmarck
    Participant

    Too bad I didn't check this post yesterday 🙂

    Found the problem, as far as I can tell, after a lot of head scratching.
    It seems that when the TLS keys are created in the registry by using the security best practices, it doesn't include the TLS 1.1 and/or TLS 1.2 Client regkeys, only the Server regkeys.

    Added the following on the pull server:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001

    Seems to solve the registration problem in my test lab at least.
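    As an added example, not posted in the thread: a read-only PowerShell audit of the SCHANNEL Protocols tree that lists, per protocol, the Client and Server state side by side and flags the asymmetry Jeff and Fredrik describe (Server keys written, Client keys absent or switched off). It assumes it is run elevated on the pull server; the key path is the one from Jeff's post.

    ```powershell
    # Added example, not from the thread: read-only audit of the SCHANNEL protocol
    # keys on this machine, showing whether Server-side and Client-side settings
    # have drifted apart (e.g. TLS 1.x\Server present, TLS 1.x\Client missing).
    # Run elevated on the pull server. Nothing is written.

    $Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

    function Get-SchannelProtocolState {
        [CmdletBinding()]
        param([string]$ProtocolsRoot = $Base)

        foreach ($protocol in $Protocols) {
            foreach ($side in 'Client', 'Server') {
                $key = Join-Path (Join-Path $ProtocolsRoot $protocol) $side
                $exists = Test-Path -LiteralPath $key
                $enabled = $null
                $disabledByDefault = $null
                if ($exists) {
                    $item = Get-ItemProperty -LiteralPath $key
                    # Get-ItemProperty returns DWORDs as Int32, so 0xffffffff reads as -1.
                    $enabled = $item.Enabled
                    $disabledByDefault = $item.DisabledByDefault
                }
                # An absent key or value means "OS default"; Enabled = 0 means
                # explicitly off; any other Enabled value means explicitly on.
                $state = if (-not $exists -or $null -eq $enabled) { 'OSDefault' }
                         elseif ($enabled -eq 0) { 'Disabled' }
                         else { 'Enabled' }
                [pscustomobject]@{
                    Protocol          = $protocol
                    Side              = $side
                    KeyExists         = $exists
                    Enabled           = $enabled
                    DisabledByDefault = $disabledByDefault
                    State             = $state
                }
            }
        }
    }

    function Find-SchannelClientServerMismatch {
        param([object[]]$State = (Get-SchannelProtocolState))

        # One row per protocol whose Client and Server sides disagree.
        foreach ($group in ($State | Group-Object Protocol)) {
            $server = $group.Group | Where-Object Side -eq 'Server'
            $client = $group.Group | Where-Object Side -eq 'Client'
            if ($server.State -ne $client.State) {
                [pscustomobject]@{
                    Protocol = $group.Name
                    Server   = $server.State
                    Client   = $client.State
                }
            }
        }
    }

    Get-SchannelProtocolState |
        Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault, State -AutoSize

    $mismatches = Find-SchannelClientServerMismatch
    if ($mismatches) {
        Write-Warning 'Server and Client SCHANNEL settings differ for these protocols:'
        $mismatches | Format-Table -AutoSize
    }
    ```

    Read the warning together with the full table: if the only Client-side protocols left in the Enabled or OSDefault state are ones the server side has disabled, outbound TLS from that box, and from any agent that inherited the same policy, has nothing acceptable to offer, which matches the registration failure in this thread.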

  • #58141
    Fredrik Kacsmarck
    Participant

    Update:

    This is kind of weird: I did a revert of the snapshots (before any DSC was installed) of my VMs.
    Redid the whole setup and now there was no problem running the registration.
    The above regkey worked when I had the issue, but now I'm not sure why there was a problem in the first place.
    Even removing the key afterwards didn't cause it to break, really weird.

    There is a way to simulate this though.

    If you type the following:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::ssl3
    

    And then do an Invoke-WebRequest, you should get the same error as described earlier.
    Using TLS, TLS11 or TLS12 instead of SSL3, it works.
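    As an added example that is not from the thread, here is a PowerShell probe that takes Fredrik's simulation one step further: it attempts one TLS handshake per protocol version against the pull server with SslStream, then repeats the Invoke-WebRequest under each ServicePointManager setting while sending the ProtocolVersion: 2.0 header the pull server demands. That header matters for reading eugene's browser test: a browser never sends it, and the "Client protocol version is invalid" response comes from the pull server application itself, so getting it back means the TLS handshake and IIS were fine for that request. Host name, port and endpoint path are assumptions to be replaced.

    ```powershell
    # Added example, not from the thread. Host name and port are assumptions;
    # replace them with your pull server's values.
    param(
        [string]$PullServer = 'pull.example.com',   # assumption
        [int]$Port = 8080,                           # assumption: the port used in the thread
        [string]$Endpoint = 'PSDSCPullServer.svc'
    )

    function Test-TlsHandshake {
        # One raw TLS handshake restricted to a single protocol version.
        param(
            [string]$HostName,
            [int]$Port,
            [System.Security.Authentication.SslProtocols]$Protocol
        )
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($HostName, $Port)
            # Certificate trust is checked elsewhere; here we only care whether the
            # server will negotiate this protocol, so accept any certificate.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{
                Requested  = $Protocol
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Result     = 'OK'
            }
        }
        catch {
            [pscustomobject]@{
                Requested  = $Protocol
                Negotiated = $null
                Cipher     = $null
                Result     = $_.Exception.GetBaseException().Message
            }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Dispose()
        }
    }

    function Invoke-PullServerProbe {
        # Fredrik's check, but with the ProtocolVersion header the pull server
        # expects, so the answer reflects TLS rather than the missing header.
        param(
            [string]$Uri,
            [System.Net.SecurityProtocolType]$ClientProtocol
        )
        $saved = [System.Net.ServicePointManager]::SecurityProtocol
        try {
            [System.Net.ServicePointManager]::SecurityProtocol = $ClientProtocol
            $response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -Headers @{ ProtocolVersion = '2.0' }
            [pscustomobject]@{ ClientProtocol = $ClientProtocol; Status = $response.StatusCode; Result = 'OK' }
        }
        catch {
            [pscustomobject]@{ ClientProtocol = $ClientProtocol; Status = $null; Result = $_.Exception.GetBaseException().Message }
        }
        finally {
            # Always restore the process-wide setting; it affects every later request.
            [System.Net.ServicePointManager]::SecurityProtocol = $saved
        }
    }

    foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake -HostName $PullServer -Port $Port -Protocol $p
    }

    $uri = "https://${PullServer}:${Port}/$Endpoint"
    foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        Invoke-PullServerProbe -Uri $uri -ClientProtocol $p
    }
    ```

    Run it from the node that fails to register rather than from the pull server: the first loop shows which versions the listener accepts, the second shows which versions this client's .NET stack is allowed to offer, and a server that answers only TLS 1.2 to a client whose SCHANNEL policy has no TLS 1.2 Client key is exactly the mismatch the thread ends up at.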

  • #58622
    Viral Patel
    Participant

    Still having the problem. I wonder whether it's because the node in question has the below set?

        # Fragment from inside a Node block. Note the SCHANNEL convention:
        # Enabled = 0xffffffff means "on", 0 means "off", so these two loops
        # turn the hashes and key-exchange algorithms on, not off.
        foreach($protocol in @("MD5","SHA")) {
            Registry "Disable Hash $protocol"
            {
                Ensure    = "Present"
                Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$protocol"
                ValueName = "Enabled"
                ValueData = "ffffffff"
                Hex       = $true
                ValueType = "Dword"
            }
        }

        foreach($protocol in @("Diffie-Hellman","PKCS")) {
            Registry "Disable KeyExchangeAlgorithms $protocol"
            {
                Ensure    = "Present"
                Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$protocol"
                ValueName = "Enabled"
                ValueData = "ffffffff"
                Hex       = $true
                ValueType = "Dword"
            }
        }

        # Legacy protocols switched off (Enabled = 0).
        Registry "Multi-Protocol Unified Hello" {
            Ensure    = "Present"
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello'
            ValueName = "Enabled"
            ValueData = "0"
            ValueType = "Dword"
        }

        Registry "PCT 1.0" {
            Ensure    = "Present"
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
            ValueName = "Enabled"
            ValueData = "0"
            ValueType = "Dword"
        }

        # Locale settings for the default user profile (Ensure defaults to Present).
        Registry LocaleName {
            Ensure    = "Present"
            Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
            ValueName = "LocaleName"
            ValueData = "en-GB"
            ValueType = "String"
        }

        Registry sCountry {
            Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
            ValueName = "sCountry"
            ValueData = "United Kingdom"
            ValueType = "String"
        }

        Registry sShortDate {
            Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
            ValueName = "sShortDate"
            ValueData = "dd/MM/yyyy"
            ValueType = "String"
        }

        # Weak ciphers switched off. xRegistry comes from xPSDesiredStateConfiguration
        # (already imported for xDscWebService); the other resources use the in-box Registry.
        foreach($protocol in @("NULL","RC2 128/128","RC2 56/128","RC4 128/128","RC4 64/128","Triple DES 168","DES 56/56","RC2 40/128","RC4 40/128","RC4 56/128")) {
            xRegistry "Disable Cipher $protocol"
            {
                Ensure    = "Present"
                Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$protocol"
                ValueName = "Enabled"
                ValueData = "0" 
                ValueType = "Dword"
            }
        }

        Registry Enable_IIS_Remote {
            Ensure    = "Present"
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
            ValueName = "EnableRemoteManagement"
            ValueData = "1"
            ValueType = "Dword"
        }
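    As an added example that is not Viral's code or part of the xDscWebService resource: a DSC configuration that writes the SCHANNEL protocol keys for both the Client and the Server side of every protocol, so that hardening the pull server's listener does not leave the same box without a protocol it can use as a client (the TLS 1.2\Client key Fredrik had to add by hand). The policy, node name and output path are assumptions; the Enabled/DisabledByDefault values follow the documented SCHANNEL convention.

    ```powershell
    # Added example, not from the thread. Node names are assumptions.
    # SCHANNEL changes take effect after a reboot (as Jeff noted above).
    configuration Sample_SchannelProtocols
    {
        param ([string[]]$NodeName = 'localhost')

        Import-DscResource -ModuleName PSDesiredStateConfiguration

        $base = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

        # Assumed policy: SSL 2.0/3.0 and TLS 1.0 off, TLS 1.1/1.2 on,
        # applied identically to the Client and Server side.
        $policy = [ordered]@{
            'SSL 2.0' = $false
            'SSL 3.0' = $false
            'TLS 1.0' = $false
            'TLS 1.1' = $true
            'TLS 1.2' = $true
        }

        Node $NodeName
        {
            foreach ($protocol in $policy.Keys)
            {
                $on = $policy[$protocol]
                # SCHANNEL convention: Enabled = 0xffffffff on / 0 off,
                # DisabledByDefault = 0 on / 1 off. Both are written explicitly
                # so neither side is left to the OS default.
                $enabledData = if ($on) { 'ffffffff' } else { '0' }
                $dbdData     = if ($on) { '0' } else { '1' }

                foreach ($side in 'Client', 'Server')
                {
                    Registry "$protocol $side Enabled"
                    {
                        Ensure    = 'Present'
                        Key       = "$base\$protocol\$side"
                        ValueName = 'Enabled'
                        ValueType = 'Dword'
                        ValueData = $enabledData
                        Hex       = $true
                    }

                    Registry "$protocol $side DisabledByDefault"
                    {
                        Ensure    = 'Present'
                        Key       = "$base\$protocol\$side"
                        ValueName = 'DisabledByDefault'
                        ValueType = 'Dword'
                        ValueData = $dbdData
                    }
                }
            }
        }
    }

    # Compile the MOF (assumption: the pull server node is called pull01) and apply it.
    Sample_SchannelProtocols -NodeName 'pull01' -OutputPath .\SchannelProtocols
    Start-DscConfiguration -Path .\SchannelProtocols -Wait -Verbose
    ```

    Pair this with DisableSecurityBestPractices = 'SecureTLSProtocols' on xDscWebService, as in Jeff's and Viral's configs, so the two do not write competing values under the same Protocols keys; the agent that registers against the server needs a Client-side protocol in common with the listener, and this keeps the two lists identical by construction.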
    
    
  • #58625
    Viral Patel
    Participant

    Also my pull server config looks like this:

           xDscWebService PSDSCPullServer 
             { 
                 Ensure                  = 'Present' 
                 EndpointName            = 'PSDSCPullServer' 
                 Port                    = 443 
                 PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer" 
                 CertificateThumbPrint   = $certificateThumbPrint          
                 ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
                 ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
                 State                   = 'Started'
                 UseSecurityBestPractices = $false
                 DisableSecurityBestPractices = 'SecureTLSProtocols'
                 DependsOn               = '[WindowsFeature]DSCServiceFeature'                         
             }
    
    

    Please note I had a snapshot from before configuring the server; I reverted back and ran the pull server runbook.
