
October 30, 2017 at 4:22 pm

Hello,

I am using The DSC Book (forever edition) as a guide for setting up a DSC Pull Server. (Yes, I paid for it 🙂) I can't get it to work and I am currently stumped. This is my first post, so please let me know if I am doing it wrong.

The environment is a very simple Windows 2016 domain. It has:

• A DC that also runs DNS and Certificate Services, 2016 Server Core
• A utility server that runs 2016 GUI with Management Tools
• A system dedicated to being a DSC Pull Server, 2016 Server Core

As noted above, I did create my own Certificate Service server, and issued a root certificate which is stored in cert:\localmachine\my on the target servers.

I tried installing a Pull Server on both the 2016 Server Core system as well as the 2016 GUI system, since The DSC Book notes that xPSDesiredStateConfiguration has had issues with Server Core. However, it errors out exactly the same way, in the same place.

I am not doing any remoting other than RDP (i.e. no WinRM or SSH). All systems are virtual machines running on ESX.

What appears to be the core error – "A specified logon session does not exist. It may already have been terminated" – seems to be associated with CredSSP double hop issues, as well as the formatting of credentials on Azure (name@domain vs DOMAIN\name). I tried applying the MOF logged in both ways, and it fails the same way regardless.

Everything is running Powershell 5.1 and WMF 5.1. NuGet is version 2.8.5.208. Module Versions:

• PSDSCResources 2.8.0.0
• PsDesiredStateConfiguration 1.1
• xPsDesiredStateConfiguration 7.0.0.0

The symptoms are:

The IIS site for the Pull Server is physically present but not running. I cannot get to the URL for the Pull Server. The Pull Server site does not show up in IIS Manager. I get multiple errors while applying the MOF to the node.

I get a logon error when configuring the IIS site:

A specified logon session does not exist. It may already have been terminated
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : myServer-dsc01.myServer.lab

I also get an error about DestinationPath and directories, which is confusing, as the only place I'm using DestinationPath is File RegistrationKeyFile, and I'm specifying a file, not a directory:

File RegistrationKeyFile {
  Ensure = 'Present'
  Type = 'File' # not directory
  DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
  Contents = $registrationKey
}

Yet I still get this error:

DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.  The related ResourceID is [File]RegistrationKeyFile.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : darkmeld-dsc01.darkmeld.lab

The RegistrationKeys.txt file exists, but it's empty.

I get this error at the end:

The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo 'C:\dsc_stuff\dscsetup-pullserver-mof.ps1::45::5::xDSCWebService' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : myServer-dsc01.myServer.lab

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : myServer-dsc01.myServer.lab

The referenced ETW logs do not show anything new, they merely repeat the already displayed error information. I do include the ETW output below for completeness; maybe I missed something.

I found this:


DSC Pull Server Deploy Errors – xDscWebServiceRegistration

This person was getting the same error, but it went away when he stopped using a self-signed certificate. (I also noticed a line missing from the DSC Book version of setting up a pull server regarding the Registration Key Path, and added it). I suppose it's possible there is something wrong with my certificate setup, but to be candid this is the first time I've set up Certificate Services and a Certificate Authority. I did so according to this guide and got no errors while I was doing so:

Install and Configure Certificate Authority in Windows Server 2016

Here's the configuration:

configuration myServerDscPullServer {
  param (
    # name of DSC pull server
    [Parameter(Mandatory=$true)]
    [string[]]$nodeName,
    # thumbprint of root certificate
    [Parameter(Mandatory=$true)]
    [string]$certificateThumbPrint,
    # GUID for registration
    [Parameter(Mandatory=$true)]
    [string]$registrationKey
  )
  Import-DscResource -ModuleName xPSDesiredStateConfiguration
  # avoid warning
  Import-DscResource -ModuleName PSDesiredStateConfiguration

  Node $nodeName {
    # windows features - experimenting using DSC for these instead of install-windowsfeature
    WindowsFeature DSCServiceFeature {
      Ensure = 'Present'
      Name = 'dsc-service'
    }
    WindowsFeature IISFeature {
      Ensure = 'Present'
      Name = 'web-server'
    }
    WindowsFeature IISMgmt {
      Ensure = 'Present'
      Name = 'web-mgmt-service'
      DependsOn = '[WindowsFeature]IISFeature'
    }
    # windows services - experimenting instead of using powershell to configure
    Service IISService {
      Name = 'w3svc'
      StartupType = 'Automatic'
      State = 'Running'
    }
    # errors out on mgmt service - add pause?
    Service WebMgmtService {
      Name = 'wmsvc'
      StartupType = 'Automatic'
      State = 'Running'
    }
    # installing pull server from experimental module - watch out for bugs on server core
    xDSCWebService PSDSCPullServer {
      Ensure = 'Present'
      EndpointName = 'PSDSCPullServer'
      Port = 8023 # instead of 8080 because 23
      # why double quotes? only for filesystem stuff?
      PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer\"
      CertificateThumbPrint = $certificateThumbPrint
      ModulePath = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
      ConfigurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
      State = 'Started'
      DependsOn = @('[WindowsFeature]DSCServiceFeature','[WindowsFeature]IISFeature','[WindowsFeature]IISMgmt','[Service]IISService')
      # this line is missing from the DSC book script?
      RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\RegistrationKeys.txt"
      UseSecurityBestPractices = $true
    }
    File RegistrationKeyFile {
      Ensure = 'Present'
      Type = 'File'
      DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
      Contents = $registrationKey
    }
    # try again?
    Service WebMgmtService2 {
      Name = 'wmsvc'
      StartupType = 'Automatic'
      State = 'Running'
    }
  }
}
myServerDscPullServer -nodeName "myServer-dsc01.myServer.lab" -certificateThumbPrint "myThumbprint" -registrationKey "myRegistrationKey"

Here's the output of Start-DscConfiguration: (note that there's no error about the certificate)

PS C:\dsc_stuff> Start-DscConfiguration -path .\myServerDscPullServer\ -wait -verbose
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer myServer-DSC01 with user sid mySid.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' started: dsc-service
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' succeeded: DSC-Service
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]DSCServiceFeature]  in 2.4410 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Installation started...
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Continue with installation?
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing started...
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing succeeded.
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Installation succeeded.
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Successfully installed the feature dsc-service.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[WindowsFeature]DSCServiceFeature]  in 79.5740 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]IISFeature]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]IISFeature]
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISFeature] The operation 'Get-WindowsFeature' started: web-server
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISFeature] The operation 'Get-WindowsFeature' succeeded: Web-Server
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]IISFeature]  in 1.1130 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[WindowsFeature]IISFeature]
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]IISFeature]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]IISMgmt]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]IISMgmt]
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] The operation 'Get-WindowsFeature' started: web-mgmt-service
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] The operation 'Get-WindowsFeature' succeeded: Web-Mgmt-Service
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]IISMgmt]  in 0.5790 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[WindowsFeature]IISMgmt]
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Installation started...
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Continue with installation?
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Prerequisite processing started...
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Prerequisite processing succeeded.
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Installation succeeded.
VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Successfully installed the feature web-mgmt-service.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[WindowsFeature]IISMgmt]  in 16.3530 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]IISMgmt]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]IISService]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]IISService]
VERBOSE: [myServer-DSC01]:                            [[Service]IISService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='w3svc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: [myServer-DSC01]:                            [[Service]IISService] Operation 'Query CimInstances' complete.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]IISService]  in 2.2080 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[Service]IISService]
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]IISService]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]WebMgmtService]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]WebMgmtService]
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Query CimInstances' complete.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Startup type for service 'WMSvc' is 'Manual'. It does not match 'Automatic'.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]WebMgmtService]  in 0.2040 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[Service]WebMgmtService]
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Service 'wmsvc' already exists. Write properties such as Status, DisplayName, Description, Dependencies will be ignored for existing services.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Query CimInstances' complete.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Invoke CimMethod' with following parameters, ''instance' = Win32_Service: Web Management Service (Name = "WMSvc"),'methodName' = Change,'namespaceName' = root/cimv2'.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Invoke CimMethod' complete.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Service 'wmsvc' started.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[Service]WebMgmtService]  in 1.0810 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]WebMgmtService]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Check Ensure
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] The Website PSDSCPullServer is not present
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[xDSCWebService]PSDSCPullServer]  in 1.6290 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Create the IIS endpoint
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Setting up endpoint at - https://myServer-DSC01:8023/PSDSCPullServer.svc
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Checking IIS requirements
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Delete the App Pool if it exists
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Remove the site if it already exists
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Create the bin folder for deploying custom dependent binaries required by the endpoint
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Adding App Pool
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Set App Pool Properties
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Add and Set Site Properties
A specified logon session does not exist. It may already have been terminated
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : myServer-dsc01.myServer.lab

VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] p11
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Enabling firewall exception for port 8023
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Disable Inbound Firewall Notification
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Add Firewall Rule for port 8023
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Set values into the web.config that define the repository later than BLUE OS
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Only ESENT is supported on Windows Server 2016
VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Pull Server: Set values into the web.config that indicate the location of repository, configuration, modules
VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[xDSCWebService]PSDSCPullServer]  in 5.5770 seconds.
The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo 'C:\dsc_stuff\dscsetup-pullserver-mof.ps1::45::5::xDSCWebService' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : myServer-dsc01.myServer.lab

VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[File]RegistrationKeyFile]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[File]RegistrationKeyFile]
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[File]RegistrationKeyFile]  in 0.4860 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[File]RegistrationKeyFile]
VERBOSE: [myServer-DSC01]:                            [[File]RegistrationKeyFile] DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.
DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.  The related ResourceID is [File]RegistrationKeyFile.
    + CategoryInfo          : InvalidArgument: (:) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : myServer-dsc01.myServer.lab

VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]WebMgmtService2]
VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]WebMgmtService2]
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService2] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService2] Operation 'Query CimInstances' complete.
VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]WebMgmtService2]  in 0.2350 seconds.
VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[Service]WebMgmtService2]
VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]WebMgmtService2]
VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 4
    + PSComputerName        : myServer-dsc01.myServer.lab

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 115.124 seconds
PS C:\dsc_stuff>

Any ideas? I am stumped.

Thanks,

Formica
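The errors above come from three different steps (the certificate lookup and https binding, the File resource, and the endpoint creation), so a pre-flight check run on the node before Start-DscConfiguration saves a 115-second round trip per attempt. The script below is an added example, not code from the thread or from The DSC Book; the function name, the FQDN default and the port are assumptions. The directory check reflects the Microsoft pull server sample, which points RegistrationKeyPath at the DscService directory and lets a separate File resource write RegistrationKeys.txt inside it.

```powershell
function Test-PullServerPrerequisites {
    [CmdletBinding()]
    param(
        # Thumbprint that will be passed to xDSCWebService as CertificateThumbPrint
        [Parameter(Mandatory)] [string] $CertificateThumbPrint,
        # Path the [File]RegistrationKeyFile resource will write to
        [Parameter(Mandatory)] [string] $RegistrationKeyFile,
        # Name clients will put in the pull server URL (assumed: this machine's FQDN)
        [string] $HostName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
        # Port the endpoint will listen on (8023 in the configuration above)
        [int] $Port = 8023
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $thumb = ($CertificateThumbPrint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # 1. xDSCWebService looks the thumbprint up in Cert:\LocalMachine\My
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $findings.Add("No certificate with thumbprint '$thumb' in Cert:\LocalMachine\My")
    }
    else {
        # An https binding needs the private key, not just the public certificate
        if (-not $cert.HasPrivateKey) {
            $findings.Add('Certificate has no private key; the export/import must carry the key (.pfx)')
        }

        # A server certificate needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
            $findings.Add('Certificate lacks the Server Authentication EKU')
        }

        # The name clients connect to must be the CN or one of the SAN DNS entries
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Format() renders the SAN as "DNS Name=host1, DNS Name=host2" on Windows
            $names += ($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        if ($names -notcontains $HostName) {
            $findings.Add("Certificate names [$($names -join ', ')] do not include $HostName")
        }

        # The chain must build to a root this machine trusts; clients need the same root too
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            $findings.Add("Certificate chain does not build: $status")
        }
    }

    # 2. The File resource fails with "DestinationPath cannot be a directory" if a folder is already there
    if (Test-Path -Path $RegistrationKeyFile -PathType Container) {
        $findings.Add("$RegistrationKeyFile already exists as a directory; the File resource expects to write a file there")
    }

    # 3. Nothing else should already be listening on the endpoint port
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $findings.Add("Port $Port already has a listener owned by PID $(@($listener.OwningProcess) -join ', ')")
    }

    return $findings
}

# Run with the same values the configuration is compiled with; anything returned is a blocker to fix first
$issues = @(Test-PullServerPrerequisites -CertificateThumbPrint 'myThumbprint' `
    -RegistrationKeyFile "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt")
if ($issues.Count -eq 0) { 'All pull server prerequisites look good' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```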

November 2, 2017 at 10:53 pm

With this DSC stuff it can be tricky at 1st, but when it works you get that 'Voila' moment and all is good with the world. Looking at the verbose output I can see "Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\". Is the cert for the pull server site on the pull server? Are you able to set the pull server as not secured 1st, then once that is sweet add the next layer of securing it, etc. etc.?

November 7, 2017 at 5:33 pm

Thanks for your reply, I appreciate it. Also, sorry for screwing up my formatting so bad. I went back and changed the tags so it looks like it should now.

The line you're referring to:

VERBOSE: [myServer-DSC01]:[[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\

... given the context looks like it's an action, that is, it's verbose output about what step it's on, in this case verifying the presence of the certificate. To put it another way, it's in Yellow, not Red. I just went and looked again and verified that the certificate referred to by the submitted thumbprint is in fact present in cert:\LocalMachine\My.

The initial error is referring to some kind of logon, but it's so vague I can't put my finger on what kind of logon trouble it is having, or what process or service is authenticating to AD, etc.

I will try your suggestion and see if it works in an insecure mode.

Does anyone else have any input or suggestions, now that my code is readable and not a horrible mess? 🙂

Thanks,

Formica

November 8, 2017 at 6:35 pm

Hi Alex,

I tried a bare-bones Pull Server setup without SSL, and it did work. So perhaps you're right, maybe it is something to do with my certificate. I'm able to generate and issue a certificate for SSL on IIS using the IIS 10 GUI on another IIS 10 server. I've tried using that mechanism and substituting the Distinguished Name of my Pull Server in the request and using the resulting certificate, but that isn't working either; I get the same error.

I know it's a bit off topic, but can anyone point me to a link on how to correctly generate the certificate I need for a Pull Server? I feel like I'm 95% of the way there but I'm missing some key thing.

Edit: I got the Pull Server to install correctly with DSC! I still can't generate the correct certificate for the Pull Server, so I can't make authenticated connections over SSL. However if I ignore SSL errors I get the expected XML output when I hit the URL. Any input on how to generate the correct certificate for the Pull Server would be greatly appreciated!

Thanks,

Formica

November 8, 2017 at 9:25 pm

That's good to know. At least we know the pull server is set up correctly. Do you have the root cert for your CA on the client in the trusted root that is trying to connect to the Pull server?

November 8, 2017 at 10:19 pm

Hi Alex,

Thank you so much for replying. I really appreciate your help.

In answer to your question, I think so. Using the IIS Manager on a different IIS server, I can go to Server Certificates -> Create Certificate Request... and then submit that to the AD CS server using certreq.exe. I can take the resulting .cer file and go to Server Certificates -> Complete Certificate Request... After that, I can assign the resulting certificate to an https binding and get a properly authenticated SSL connection to that IIS endpoint with no warnings or errors, and if I examine the certificate, the root of the trust is indeed my AD CS server.

What's even more frustrating is that, if I use IIS Manager to connect to the Server Core instance running my DSC Pull Server, the Server Certificates option does not even show up in IIS Manager. So I can't even manually try to fix the binding or create a request for a certificate. I am considering just starting over and trying all of this on a GUI Server instead of Server Core and manually setting up the certificate for the DSC Pull Server in IIS Manager since apparently that works.

Even more frustrating when I compare the certificate I describe above with the one I'm generating for the DSC Pull Server, it looks... correct. The only difference is the subject. I've tried adding more SANs at the command line, FQDN, hostname only, IP address... none of it seems to make any difference. I just can't get the right certificate hooked up to the Pull Server site in IIS.

All of that said, I know it's possible to make this work since everyone else apparently can do it! I feel like I'm just not using the right search terms or something, and that somewhere out there, there's a guide that will show me the key piece of information I am missing. I'm also experimenting with the xCertificate module for DSC, but so far I haven't had any luck with it.

Let me know what kind of diagnostic information or screenshots would be illuminating for you and I'll try to sanitize them and share them. And really, thank you again for taking the time to help me. It means a lot! If anyone else has any opinions or advice, please chime in 🙂

Best,

Formica

November 9, 2017 at 8:56 pm

Hey Formica,

Thought I had posted up my pull server code yesterday, but it looks like it did not go up correctly. Let's try again.

These notes are on my script, but it won't let me post in the code section for some reason.

start inetmgr
Expand The server site
Double Click Server Certificates
Click “Create Domain Certificate” on the right side panel under actions
Common Name = Full Qualified Domain Name of Pull Server Example:DSCPullServer1.test.local
Fill in: Organization, Organizational Unit, City, State with whatever you'd like
Click Next
Hit select next to specify online certification authority
select your server and hit OK
Input a Friendly name of DSCPullServerCert
Finish

### Export and import the Cert

From the IIS manager select the certificate PSDSCPullServerCert
On the right hand side click export under actions
Hit the … to browse
Navigate to the Pull servers system drive Example [\ZPull01\c$]
Input a password
click OK

Remote to DSC Pull Server and run

# prompt for the password chosen at export; $pwd is PowerShell's read-only automatic variable, so use another name
$pfxPassword = Read-Host -AsSecureString
Import-PfxCertificate -Password $pfxPassword -FilePath C:\DSCPullServerCert.pfx -CertStoreLocation cert:\localmachine\my

Make a note of the thumbprint as this will be used to secure the Pull Server.



Configuration SetUpSecurePullServer
{

    Param
    (

        [Parameter(Mandatory)]
        [string]
        $CertThumbPrint,

        [Parameter(Mandatory)]
        [pscredential]
        $DomainCred

    )

    Import-DscResource -ModuleName xActiveDirectory,xNetworking,PSDesiredStateConfiguration,xComputerManagement,xPSDesiredStateConfiguration

    Node $AllNodes.Where{$_.Role -eq "Pull Server"}.Nodename
    {

        xIPAddress IPAddress
        {
            IPAddress        = $Node.IPAddress
            InterfaceAlias   = $Node.InterfaceAlias
            PrefixLength     = $node.PrefixLength
        }

        xDNSServerAddress DNSServerAddress
        {
            Address          = $node.DNSServerAddress
            InterfaceAlias   = $Node.InterfaceAlias
            AddressFamily    = $node.AddressFamily
        }
        
        xDefaultGatewayAddress DefaultGatewayAddress
        {
            Address          = $node.DefaultGatewayAddress
            InterfaceAlias   = $Node.InterfaceAlias
            AddressFamily    = $node.AddressFamily
        }

        xWaitForADDomain DscForestWait
        {
            DomainName       = $Node.DomainName
            RetryCount       = $Node.RetryCount
            RetryIntervalSec = $Node.RetryIntervalSec
            DependsOn        = '[xDNSServerAddress]DNSServerAddress' 
        }

        xcomputer computername
        {
            Name             = $node.NodeName
            DomainName       = $Node.DomainName
            Credential       = $DomainCred
            DependsOn        = '[xWaitForADDomain]DscForestWait'
        }

        WindowsFeature RemoveSMB1
        {
            Name           = 'FS-SMB1'
            Ensure         = 'Absent'

        }

        WindowsFeature RemovePowerShellV2Engine
        {
            Name           = 'PowerShell-V2'
            Ensure         = 'Absent'

        }       

        WindowsFeature DSCServiceFeature
        {
            Ensure           = "Present"
            Name             = "DSC-Service"
        }
        
        xDscWebService PSDSCPullServer
        {
            Ensure                   = "Present"
            EndpointName             = "PSDSCPullServer"
            Port                     = 8080
            PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint    = "$CertThumbPrint"
            ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                    = "Started"
            UseSecurityBestPractices = $True
            DependsOn                = "[WindowsFeature]DSCServiceFeature"

        }

        xDscWebService PSDSCComplianceServer
        {
            Ensure                   = "Present"
            EndpointName             = "PSDSCComplianceServer"
            Port                     = 9080
            PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
            CertificateThumbPrint    = "$CertThumbPrint"
            State                    = "Started"
            UseSecurityBestPractices = $True
            DependsOn                = "[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer"
        }

        File RegistrationKey 
        {
            Ensure           = 'Present'
            DestinationPath  = "$env:PROGRAMFILES\WindowsPowershell\DscService\registrationKeys.txt"
            Contents         = $node.RegistrationKey
            Type             = 'File'
        }

        WindowsFeature IISManagement 
        {
            Name             = "Web-Mgmt-Service"
            Ensure           = "Present"
            DependsOn        = "[xDSCWebService]PSDSCPullServer"
        }

        Registry RemoteManagement 
        {
            Key              = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
            ValueName        = "EnableRemoteManagement"
            ValueData        = "1"
            ValueType        = 'Dword'
            DependsOn        = "[xDSCWebService]PSDSCPullServer",'[WindowsFeature]IISManagement'
        }

        Service StartWMSVC 
        {
            Name             = "WMSVC"
            StartupType      = "Automatic"
            State            = "Running"
            DependsOn        = "[Registry]RemoteManagement"
        }
        
        Registry PowerShellDefaulShell
        {
            Key              = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            ValueName        = "Shell"
            ValueData        = "Powershell.exe -noExit"
            ValueType        = 'String'
        }

    }

}

$SetUpSecurePullServerParams = @{

    configurationData = "C:\DSC\Config Data\DSCPullServer1.psd1"
    OutputPath        = "C:\DSC\pull"
    CertThumbPrint    = "4AB3A39D05FFA3BD209AF02A5E96D6323CD8EBF6"
    DomainCred        = (Get-Credential -Credential Test\Administrator)
}

SetUpSecurePullServer @SetUpSecurePullServerParams
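An added alternative to the inetmgr steps above (my example, not Alex's script or The DSC Book's): enrol the certificate with the PKI module on the pull server itself, which skips the export/import and also works on Server Core, where the Server Certificates pane is not available. The template name, the use of the machine FQDN as CN and the friendly name are assumptions; the CA is found through Active Directory, as with the "specify online certification authority" step.

```powershell
# Assumes the pull server is domain-joined and an enterprise CA publishes a template
# the computer account may enrol for (template name is an assumption, adjust to yours).
function New-PullServerCertificate {
    [CmdletBinding()]
    param(
        # CN and SAN of the certificate; assumed to be this machine's FQDN, e.g. DSCPullServer1.test.local
        [string] $DnsName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
        # Certificate template to enrol against (assumed name)
        [string] $Template = 'WebServer',
        # Friendly name, matching the one used in the inetmgr steps
        [string] $FriendlyName = 'DSCPullServerCert'
    )

    # Get-Certificate enrols the computer account against the enterprise CA and places the
    # certificate, together with its private key, straight into Cert:\LocalMachine\My
    $enrollment = Get-Certificate -Template $Template -SubjectName "CN=$DnsName" -DnsName $DnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' -ErrorAction Stop
    if ($enrollment.Status -ne 'Issued') {
        throw "Enrollment did not complete: status is '$($enrollment.Status)' (a Pending request needs CA approval)"
    }

    # Re-read the store copy so the friendly name change persists in the store
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($enrollment.Certificate.Thumbprint)"
    $cert.FriendlyName = $FriendlyName

    # Without the private key in the machine store no https binding can use the certificate
    if (-not $cert.HasPrivateKey) {
        throw 'Issued certificate has no private key in the machine store'
    }

    # Validate the way a connecting client would: SSL policy, Server Authentication EKU, name match
    $valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction Stop
    if (-not $valid) {
        throw "Certificate for $DnsName failed SSL validation (is the CA root in Trusted Root Certification Authorities?)"
    }

    # The thumbprint is what the configuration takes as CertThumbPrint
    return $cert.Thumbprint
}

$thumb = New-PullServerCertificate
"Use CertThumbPrint = '$thumb' when compiling SetUpSecurePullServer"
```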

November 9, 2017 at 9:00 pm

And the config data for my test lab.


@{
    AllNodes = 
    @(
        @{
            NodeName                      = 'DSCPullServer1'
            Role                          = 'Pull Server'
            PSDSCAllowPlainTextPassword   = $true
            PSDscAllowDomainUser          = $true
            IPAddress                     = '192.168.222.102'
            DNSServerAddress              = '192.168.222.100'
            DefaultGatewayAddress         = '192.168.222.2'
            InterfaceAlias                = 'Ethernet0'
            AddressFamily                 = 'IPv4'
            PrefixLength                  = '24'
            DomainName                    = 'test.local'
            RetryCount                    = 50 
            RetryIntervalSec              = 30
            RegistrationKey               = '2ab527e3-538f-45c0-a720-aeb9bb6527ae'
        }
    )
}

November 13, 2017 at 3:30 pm

Thanks! I'll give your code a shot. I appreciate it.

For the record, I tried the following:

– Stand up 2016 GUI server
– Install IIS by GUI
– Install IIS Console by GUI
– Use IIS GUI to request Certificate
– Use certreq.exe to submit request with -attrib:"CertificateTemplate:WebServer"
– Complete certificate request using IIS GUI
– Test SSL binding to port 443 on default IIS website (success)
– Export certificate
– Import certificate to cert:\localmachine\my
– Run pullserver.ps1
– start-dscconfiguration mof

Using this methodology with a known, good certificate, I'm back to getting the "A specified logon session does not exist. It may already have been terminated" error during the "Add and Set Site Properties" step of the Pull Server setup. I'm going to compare my code with yours and then try yours and see what happens. Thanks again for providing it!

Edit: Looks like you're creating a Domain Certificate, not a WebServer certificate! That might be the difference right there. Thanks for digging up your notes!