DSC Pull Server with SSL - unable to register


This topic contains 11 replies, has 6 voices, and was last updated 9 months, 4 weeks ago.

  • #57656

    Participant
    Topics: 2
    Replies: 7
    Points: 1
    Rank: Member

    All, I am having issues accessing the pull server over the SSL port. HTTP works fine. A public SSL certificate is being used. I can browse to the pull server URL without any certificate errors or warnings.

    The following configuration works:

    configuration Sample_xDscPullServer
    {
        param
        (
            [string[]]$NodeName = 'localhost',

            # Not used in this variant: the site is bound to plain HTTP via the sentinel below
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint
        )

        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
        Import-DSCResource -ModuleName PSDesiredStateConfiguration

        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name   = 'DSC-Service'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                   = 'Present'
                EndpointName             = 'PSDSCPullServer'
                Port                     = 8080
                PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer"
                # Sentinel value: bind the endpoint to HTTP instead of a certificate
                CertificateThumbPrint    = 'AllowUnencryptedTraffic'
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                    = 'Started'
                DependsOn                = '[WindowsFeature]DSCServiceFeature'
                UseSecurityBestPractices = $true
            }
        }
    }
    

    This one does not:

    configuration Sample_xDscPullServer
    {
        param
        (
            [string[]]$NodeName = 'localhost',

            # Thumbprint of the server certificate in the LocalMachine\My store
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint
        )

        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
        Import-DSCResource -ModuleName PSDesiredStateConfiguration

        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name   = 'DSC-Service'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                   = 'Present'
                EndpointName             = 'PSDSCPullServer'
                Port                     = 8080
                PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer"
                # A real thumbprint binds the endpoint to HTTPS on the port above
                CertificateThumbPrint    = $certificateThumbPrint
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                    = 'Started'
                DependsOn                = '[WindowsFeature]DSCServiceFeature'
                UseSecurityBestPractices = $true
            }
        }
    }
    

    I get the following error:

    Registration of the Dsc Agent with the server https://xxxx.xxxx.com:8080/PSDSCPullserver.svc failed. The underlying error is: Failed to 
    register Dsc Agent with AgentId 9BBDFD2F-A215-11E6-80E2-005056996E1C with the server 
    https://xxxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'). .
        + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : RegisterDscAgentCommandFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
        + PSComputerName        : localhost
    

    Did anyone run into this issue before?

  • #57658

    Keymaster
    Topics: 13
    Replies: 4872
    Points: 1,811
    Helping Hand, Team Member
    Rank: Community Hero

    To double-check a couple of things...

    Did you delete the pull server database between tries, to ensure you had a fresh start each time?

    You've definitely been able to browse to the HTTPS address without error? What URL are you using to do that?

    • #57669

      Participant
      Topics: 2
      Replies: 7
      Points: 1
      Rank: Member

      Hi Don, yes, I do delete the pull server database when I rebuild the site. There are no SSL errors that I see in a browser. But I've just checked the IIS logs, and it does not appear that requests are being logged when DSC tries to connect to the server.

      I test with https://xxx.xxxx.com//PSDSCPullserver.svc and get the following (the service document, which lists the collections):

      Default: Configurations, Modules, Action, Module, StatusReport, Node, Reports, Nodes

      Or I copy the URL from the error, https://xxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'), and get:

      Client protocol version is invalid. Request header should contain ProtocolVersion 2.0.
      System.ArgumentException

      My guess now is that it could be UseSecurityBestPractices=$true and the client and server ciphers don't match up.

    • #57679

      Participant
      Topics: 0
      Replies: 1
      Points: 0
      Rank: Member

      Indeed, I have found this issue to be due to, as you suspect, UseSecurityBestPractices=$true.
      If I use the following property:

      DisableSecurityBestPractices = 'SecureTLSProtocols'

      then I no longer have issues when building a new pull server. Unfortunately, setting UseSecurityBestPractices=$false or applying a config with DisableSecurityBestPractices won't undo the previous registry settings on an existing pull server. To fix an existing pull server where UseSecurityBestPractices=$true was run, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
      and delete any keys you don't want (you can compare with a clean server build, but basically deleting anything with TLS in the name fixed the issue for me, and they weren't there before applying the config with UseSecurityBestPractices=$true). I haven't narrowed it down yet to see which of the TLS registry settings were causing the problem, but it does take a reboot after deleting those keys for it to take effect.

    • #57728

      Participant
      Topics: 2
      Replies: 7
      Points: 1
      Rank: Member

      Thanks Jeff, you were right, disabling TLS fixed the issue! If I have time I'll dig into what specific protocol is failing and update the thread.

      Thanks,
      Eugene

    • #57736

      Participant
      Topics: 2
      Replies: 7
      Points: 1
      Rank: Member

      One more note: it does appear that UseSecurityBestPractices = $true is leaving something out of the config.

      If I use the best practices for securing SSL scripted in this link, https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12, the pull server works with TLS as well.

      I will incorporate these settings in my pull server config.

      Eugene

    • #105631

      Participant
      Topics: 2
      Replies: 11
      Points: 22
      Rank: Member

      The above link is broken now.

    • #105634

      Participant
      Topics: 2
      Replies: 11
      Points: 22
      Rank: Member

      Hello,
      I've been struggling with this issue for a while.

      Client protocol version is invalid. Request header should contain ProtocolVersion 2.0

      I set

      DisableSecurityBestPractices = 'SecureTLSProtocols'

      and also went to the registry and created the value [TLSX.X/Client]"Enabled"=dword:00000001 under all TLS keys (as Frederik Kacsmarck states) and rebooted. That did not work. Afterwards, I deleted the TLSX.X keys from the registry (as Jeff suggests) and rebooted, and that did not work either.

      The message when setting the LCM on a node is still the same:

      Error registering the DSC agent with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc. The inner error is: Could not register DSC Agent with AgentId
      09AC59BC-90C1-11E8-A14F-000C296AF402 with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Nodes(AgentId='09AC59BC-90C1-11E8-A14F-000C296AF402')..

      I suspect I'll have to redo the box.

  • #58025

    Participant
    Topics: 12
    Replies: 215
    Points: 383
    Helping Hand
    Rank: Contributor

    Too bad I didn't check this post yesterday 🙂

    Found the problem, as far as I can tell, after a lot of head scratching.
    It seems that when the TLS keys are created in the registry by using the security best practices, it doesn't include the TLS 1.1 and/or TLS 1.2 Client regkeys, only the Server regkeys.

    Added the following on the pull server:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001

    Seems to solve the registration problem in my test lab at least.
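Added example, not from the thread or from any of the posters: a Windows PowerShell script that lists the Client and Server subkeys under SCHANNEL\Protocols, so the Server-only state described in the post above (and the TLS keys Jeff deleted earlier in the thread) can be inspected before anything is deleted or rolled back, plus a helper that writes the TLS 1.2\Client Enabled value from the post. The function names are my own. Run it elevated; reading is harmless, but any SCHANNEL change only takes effect after a reboot, as the thread notes.

```powershell
# Added example: inspect the SCHANNEL protocol keys that xDscWebService writes
# when UseSecurityBestPractices = $true, and flag protocols that have a Server
# subkey but no Client subkey. Requires an elevated Windows PowerShell session.
#Requires -RunAsAdministrator

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol found under SCHANNEL\Protocols with the Enabled and
    # DisabledByDefault values of its Client and Server subkeys.
    # $null means the value (or the whole subkey) is absent, i.e. the OS default applies.
    foreach ($proto in Get-ChildItem -Path $schannel -ErrorAction SilentlyContinue) {
        $row = [ordered]@{ Protocol = $proto.PSChildName }
        foreach ($side in 'Client', 'Server') {
            $key    = "$($proto.PSPath)\$side"
            $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $row["${side}Enabled"]           = if ($values) { $values.Enabled } else { $null }
            $row["${side}DisabledByDefault"] = if ($values) { $values.DisabledByDefault } else { $null }
        }
        [pscustomobject]$row
    }
}

function Enable-SchannelClientProtocol {
    # Creates <Protocol>\Client with Enabled = 1 and DisabledByDefault = 0,
    # the same key the post above added by hand for TLS 1.2.
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $schannel "$Protocol\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
}

$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize

# TLS versions the hardening left Server-only: the client half is missing.
$serverOnly = $state | Where-Object {
    $_.Protocol -like 'TLS 1.*' -and $null -ne $_.ServerEnabled -and $null -eq $_.ClientEnabled
}
foreach ($p in $serverOnly) {
    Write-Warning "$($p.Protocol): Server subkey present, Client subkey missing"
}

# Uncomment to apply the fix from the post to each flagged protocol, then reboot:
# $serverOnly | ForEach-Object { Enable-SchannelClientProtocol -Protocol $_.Protocol }
```

Reading the state first matters because the alternative suggested earlier in the thread, deleting every key with TLS in its name, also removes the hardening the best-practices switch was meant to apply; adding the missing Client half keeps it.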

  • #58141

    Participant
    Topics: 12
    Replies: 215
    Points: 383
    Helping Hand
    Rank: Contributor

    Update:

    This is kind of weird: I did a revert of the snapshots (taken before any DSC was installed) of my VMs.
    Redid the whole setup, and now there was no problem running the registration.
    The above regkey worked when I had the issue, but now I'm not sure why there was a problem in the first place.
    Even removing the key afterwards didn't cause it to break, really weird.

    There is a way to simulate this though.

    If you type the following:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::ssl3
    

    and then do an Invoke-WebRequest, you should get the same error as described earlier.
    By using TLS, TLS11 or TLS12 instead of SSL3 it works.
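Added example, not from the thread: the simulation above, generalized into a Windows PowerShell 5.1 function that forces each protocol in turn through ServicePointManager and sends the ProtocolVersion: 2.0 header the service asks for in the error seen earlier, so a refused handshake (no HTTP response at all) can be told apart from an HTTP error the service itself returns. The URL is a placeholder and the function name is mine. In PowerShell 7 Invoke-WebRequest uses HttpClient and ignores ServicePointManager; use its -SslProtocol parameter there instead.

```powershell
# Added example: probe a DSC pull server endpoint once per TLS version and report
# whether the handshake succeeded. Windows PowerShell 5.1, where Invoke-WebRequest
# honours [Net.ServicePointManager]::SecurityProtocol.
$pullServer = 'https://pullserver.example.com:8080/PSDSCPullServer.svc/'   # placeholder host

function Test-PullServerTls {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Net.SecurityProtocolType[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    $saved = [Net.ServicePointManager]::SecurityProtocol
    try {
        foreach ($proto in $Protocols) {
            # Offer exactly one protocol so a failure is attributable to it.
            [Net.ServicePointManager]::SecurityProtocol = $proto
            $result = [ordered]@{ Protocol = $proto; Status = $null; Detail = $null }
            try {
                # -DisableKeepAlive prevents reuse of a connection negotiated with the previous protocol
                $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -DisableKeepAlive -TimeoutSec 15 `
                            -Headers @{ ProtocolVersion = '2.0' }
                $result.Status = [int]$resp.StatusCode
                $result.Detail = 'handshake and request OK'
            } catch [System.Net.WebException] {
                $ex = $_.Exception
                if ($ex.Response) {
                    # TLS negotiated; the service answered with an HTTP error status
                    $result.Status = [int]$ex.Response.StatusCode
                    $result.Detail = $ex.Message
                } else {
                    # No response at all: the handshake itself was refused for this protocol
                    $result.Status = 'no response'
                    $result.Detail = $ex.Message
                }
            }
            [pscustomobject]$result
        }
    } finally {
        # Restore whatever the session had before, so later cmdlets are unaffected
        [Net.ServicePointManager]::SecurityProtocol = $saved
    }
}

Test-PullServerTls -Uri $pullServer | Format-Table -AutoSize
```

On a server hardened by UseSecurityBestPractices the Ssl3 row should come back as "no response" while the TLS rows return an HTTP status; a TLS 1.2 row that also shows "no response" points at the missing protocol registry keys discussed in this thread rather than at the certificate.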

  • #58622

    Participant
    Topics: 4
    Replies: 13
    Points: 0
    Rank: Member

    Still having the problem. I wonder whether it is because the node in question has the below set?

    # Fragment from inside a Node block. Registry comes from PSDesiredStateConfiguration;
    # xRegistry (used for the cipher loop below) comes from xPSDesiredStateConfiguration.

    # Note: SCHANNEL reads Enabled = 0xffffffff as "enabled", so despite the resource
    # names these two loops ENABLE the listed hashes and key exchange algorithms.
    foreach ($protocol in @("MD5", "SHA")) {
        Registry "Disable Hash $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$protocol"
            ValueName = "Enabled"
            ValueData = "ffffffff"
            Hex       = $true
            ValueType = "Dword"
        }
    }

    foreach ($protocol in @("Diffie-Hellman", "PKCS")) {
        Registry "Disable KeyExchangeAlgorithms $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$protocol"
            ValueName = "Enabled"
            ValueData = "ffffffff"
            Hex       = $true
            ValueType = "Dword"
        }
    }

    # Legacy protocols: Enabled = 0 disables them.
    Registry "Multi-Protocol Unified Hello" {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello'
        ValueName = "Enabled"
        ValueData = "0"
        ValueType = "Dword"
    }

    Registry "PCT 1.0" {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
        ValueName = "Enabled"
        ValueData = "0"
        ValueType = "Dword"
    }

    # Locale settings for the default user profile (unrelated to TLS).
    Registry LocaleName {
        Ensure    = "Present"
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "LocaleName"
        ValueData = "en-GB"
        ValueType = "String"
    }

    Registry sCountry {
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "sCountry"
        ValueData = "United Kingdom"
        ValueType = "String"
    }

    Registry sShortDate {
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "sShortDate"
        ValueData = "dd/MM/yyyy"
        ValueType = "String"
    }

    # Weak and NULL ciphers: Enabled = 0 disables each one.
    foreach ($protocol in @("NULL", "RC2 128/128", "RC2 56/128", "RC4 128/128", "RC4 64/128", "Triple DES 168", "DES 56/56", "RC2 40/128", "RC4 40/128", "RC4 56/128")) {
        xRegistry "Disable Cipher $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$protocol"
            ValueName = "Enabled"
            ValueData = "0"
            ValueType = "Dword"
        }
    }

    # Allow remote management of IIS through the Web Management Service.
    Registry Enable_IIS_Remote {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
        ValueName = "EnableRemoteManagement"
        ValueData = "1"
        ValueType = "Dword"
    }
    
    
  • #58625

    Participant
    Topics: 4
    Replies: 13
    Points: 0
    Rank: Member

    Also my pull server config looks like this:

    xDscWebService PSDSCPullServer
    {
        Ensure                       = 'Present'
        EndpointName                 = 'PSDSCPullServer'
        Port                         = 443
        PhysicalPath                 = "$env:SystemDrive\inetpub\PSDSCPullServer"
        CertificateThumbPrint        = $certificateThumbPrint
        ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
        ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
        State                        = 'Started'
        # Best practices switched off, and the TLS protocol hardening explicitly excluded
        UseSecurityBestPractices     = $false
        DisableSecurityBestPractices = 'SecureTLSProtocols'
        DependsOn                    = '[WindowsFeature]DSCServiceFeature'
    }
    
    

    Please note I had a snapshot from before configuring the server; I reverted back and ran the pull server runbook.

The topic ‘DSC Pull Server with SSL - unable to register’ is closed to new replies.
