Error "A specified logon session does not exist" when setting up Pull Server

This topic contains 8 replies, has 2 voices, and was last updated by Formica 1 week ago.

  • #83239

    Formica
    Participant

    Hello,

    I am using The DSC Book (forever edition) as a guide for setting up a DSC Pull Server. (Yes, I paid for it 🙂) I can't get it to work and I am currently stumped. This is my first post, so please let me know if I am doing it wrong.

    The environment is a very simple Windows 2016 domain. It has:

    • A DC that also runs DNS and Certificate Services, 2016 Server Core
    • A utility server that runs 2016 GUI with Management Tools
    • A system dedicated to being a DSC Pull Server, 2016 Server Core

    As noted above, I did create my own Certificate Service server, and issued a root certificate which is stored in cert:\localmachine\my on the target servers.

    I tried installing a Pull Server on both the 2016 Server Core system as well as the 2016 GUI system, since The DSC Book notes that xPSDesiredStateConfiguration has had issues with Server Core. However, it errors out exactly the same way, in the same place.

    I am not doing any remoting other than RDP (i.e. no WinRM or SSH). All systems are virtual machines running on ESX.

    What appears to be the core error – "A specified logon session does not exist. It may already have been terminated" – seems to be associated with CredSSP double hop issues, as well as the formatting of credentials on Azure (name@domain vs DOMAIN\name). I tried applying the MOF logged in both ways, and it fails the same way regardless.

    Everything is running PowerShell 5.1 and WMF 5.1. NuGet is version 2.8.5.208. Module Versions:

    • PSDSCResources 2.8.0.0
    • PsDesiredStateConfiguration 1.1
    • xPsDesiredStateConfiguration 7.0.0.0

    The symptoms are:

    The IIS site for the Pull Server is physically present but not running. I cannot get to the URL for the Pull Server. The Pull Server site does not show up in IIS Manager. I get multiple errors while applying the MOF to the node.

    I get a logon error when configuring the IIS site:

    A specified logon session does not exist. It may already have been terminated
        + CategoryInfo          : NotSpecified: (:) [], CimException
        + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
        + PSComputerName        : myServer-dsc01.myServer.lab
    

    I also get an error about DestinationPath and directories, which is confusing, as the only place I'm using DestinationPath is File RegistrationKeyFile, and I'm specifying a file, not a directory:

    File RegistrationKeyFile {
      Ensure = 'Present'
      Type = 'File' # not directory
      DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
      Contents = $registrationKey
    }
    

    Yet I still get this error:

    DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.  The related ResourceID is [File]RegistrationKeyFile.
        + CategoryInfo          : InvalidArgument: (:) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        : darkmeld-dsc01.darkmeld.lab
    

    The RegistrationKeys.txt file exists, but it's empty.

    I get this error at the end:

    The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo 'C:\dsc_stuff\dscsetup-pullserver-mof.ps1::45::5::xDSCWebService' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
        + PSComputerName        : myServer-dsc01.myServer.lab
    
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 1
        + PSComputerName        : myServer-dsc01.myServer.lab
    

    The referenced ETW logs do not show anything new; they merely repeat the already displayed error information. I do include the ETW output below for completeness; maybe I missed something.

    I found this:

    DSC Pull Server Deploy Errors – xDscWebServiceRegistration

    This person was getting the same error, but it went away when he stopped using a self-signed certificate. (I also noticed a line missing from the DSC Book version of setting up a pull server regarding the Registration Key Path, and added it). I suppose it's possible there is something wrong with my certificate setup, but to be candid this is the first time I've set up Certificate Services and a Certificate Authority. I did so according to this guide and got no errors while I was doing so:

    Install and Configure Certificate Authority in Windows Server 2016

    Here's the configuration:

    configuration myServerDscPullServer {
      param (
        # name of DSC pull server
        [Parameter(Mandatory=$true)]
        [string[]]$nodeName,
        # thumbprint of root certificate
        [Parameter(Mandatory=$true)]
        [string]$certificateThumbPrint,
        # GUID for registration
        [Parameter(Mandatory=$true)]
        [string]$registrationKey
      )
      Import-DscResource -ModuleName xPSDesiredStateConfiguration
      # avoid warning
      Import-DscResource -ModuleName PSDesiredStateConfiguration
    
      Node $nodeName {
        # windows features - experimenting using DSC for these instead of install-windowsfeature
        WindowsFeature DSCServiceFeature {
          Ensure = 'Present'
          Name = 'dsc-service'
        }
        WindowsFeature IISFeature {
          Ensure = 'Present'
          Name = 'web-server'
        }
        WindowsFeature IISMgmt {
          Ensure = 'Present'
          Name = 'web-mgmt-service'
          DependsOn = '[WindowsFeature]IISFeature'
        }
        # windows services - experimenting instead of using powershell to configure
        Service IISService {
          Name = 'w3svc'
          StartupType = 'Automatic'
          State = 'Running'
        }
        # errors out on mgmt service - add pause?
        Service WebMgmtService {
          Name = 'wmsvc'
          StartupType = 'Automatic'
          State = 'Running'
        }
        # installing pull server from experimental module - watch out for bugs on server core
        xDSCWebService PSDSCPullServer {
          Ensure = 'Present'
          EndpointName = 'PSDSCPullServer'
          Port = 8023 # instead of 8080 because 23
          # why double quotes? only for filesystem stuff?
          PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer\"
          CertificateThumbPrint = $certificateThumbPrint
          ModulePath = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
          ConfigurationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
          State = 'Started'
          DependsOn = @('[WindowsFeature]DSCServiceFeature','[WindowsFeature]IISFeature','[WindowsFeature]IISMgmt','[Service]IISService')
          # this line is missing from the DSC book script?
          RegistrationKeyPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\RegistrationKeys.txt"
          UseSecurityBestPractices = $true
        }
        File RegistrationKeyFile {
          Ensure = 'Present'
          Type = 'File'
          DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
          Contents = $registrationKey
        }
        # try again?
        Service WebMgmtService2 {
          Name = 'wmsvc'
          StartupType = 'Automatic'
          State = 'Running'
        }
      }
    }
    myServerDscPullServer -nodeName "myServer-dsc01.myServer.lab" -certificateThumbPrint "myThumbprint" -registrationKey "myRegistrationKey"
    

    Here's the output of Start-DscConfiguration: (note that there's no error about the certificate)

    PS C:\dsc_stuff> Start-DscConfiguration -path .\myServerDscPullServer\ -wait -verbose
    VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    VERBOSE: An LCM method call arrived from computer myServer-DSC01 with user sid mySid.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' started: dsc-service
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' succeeded: DSC-Service
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]DSCServiceFeature]  in 2.4410 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Installation started...
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Continue with installation?
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing started...
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing succeeded.
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Installation succeeded.
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]DSCServiceFeature] Successfully installed the feature dsc-service.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[WindowsFeature]DSCServiceFeature]  in 79.5740 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]DSCServiceFeature]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]IISFeature]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]IISFeature]
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISFeature] The operation 'Get-WindowsFeature' started: web-server
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISFeature] The operation 'Get-WindowsFeature' succeeded: Web-Server
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]IISFeature]  in 1.1130 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[WindowsFeature]IISFeature]
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]IISFeature]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[WindowsFeature]IISMgmt]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[WindowsFeature]IISMgmt]
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] The operation 'Get-WindowsFeature' started: web-mgmt-service
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] The operation 'Get-WindowsFeature' succeeded: Web-Mgmt-Service
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[WindowsFeature]IISMgmt]  in 0.5790 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[WindowsFeature]IISMgmt]
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Installation started...
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Continue with installation?
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Prerequisite processing started...
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Prerequisite processing succeeded.
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Installation succeeded.
    VERBOSE: [myServer-DSC01]:                            [[WindowsFeature]IISMgmt] Successfully installed the feature web-mgmt-service.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[WindowsFeature]IISMgmt]  in 16.3530 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[WindowsFeature]IISMgmt]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]IISService]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]IISService]
    VERBOSE: [myServer-DSC01]:                            [[Service]IISService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='w3svc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
    VERBOSE: [myServer-DSC01]:                            [[Service]IISService] Operation 'Query CimInstances' complete.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]IISService]  in 2.2080 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[Service]IISService]
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]IISService]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]WebMgmtService]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]WebMgmtService]
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Query CimInstances' complete.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Startup type for service 'WMSvc' is 'Manual'. It does not match 'Automatic'.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]WebMgmtService]  in 0.2040 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[Service]WebMgmtService]
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Service 'wmsvc' already exists. Write properties such as Status, DisplayName, Description, Dependencies will be ignored for existing services.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Query CimInstances' complete.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Perform operation 'Invoke CimMethod' with following parameters, ''instance' = Win32_Service: Web Management Service (Name = "WMSvc"),'methodName' = Change,'namespaceName' = root/cimv2'.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Operation 'Invoke CimMethod' complete.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService] Service 'wmsvc' started.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[Service]WebMgmtService]  in 1.0810 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]WebMgmtService]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Check Ensure
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] The Website PSDSCPullServer is not present
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[xDSCWebService]PSDSCPullServer]  in 1.6290 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[xDSCWebService]PSDSCPullServer]
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Create the IIS endpoint
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Setting up endpoint at - https://myServer-DSC01:8023/PSDSCPullServer.svc
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Checking IIS requirements
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Delete the App Pool if it exists
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Remove the site if it already exists
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Create the bin folder for deploying custom dependent binaries required by the endpoint
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Adding App Pool
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Set App Pool Properties
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Add and Set Site Properties
    A specified logon session does not exist. It may already have been terminated
        + CategoryInfo          : NotSpecified: (:) [], CimException
        + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
        + PSComputerName        : myServer-dsc01.myServer.lab
    
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] p11
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Enabling firewall exception for port 8023
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Disable Inbound Firewall Notification
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Add Firewall Rule for port 8023
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Set values into the web.config that define the repository later than BLUE OS
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Only ESENT is supported on Windows Server 2016
    VERBOSE: [myServer-DSC01]:                            [[xDSCWebService]PSDSCPullServer] Pull Server: Set values into the web.config that indicate the location of repository, configuration, modules
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]  [[xDSCWebService]PSDSCPullServer]  in 5.5770 seconds.
    The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo 'C:\dsc_stuff\dscsetup-pullserver-mof.ps1::45::5::xDSCWebService' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
        + CategoryInfo          : InvalidOperation: (:) [], CimException
        + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
        + PSComputerName        : myServer-dsc01.myServer.lab
    
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[File]RegistrationKeyFile]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[File]RegistrationKeyFile]
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[File]RegistrationKeyFile]  in 0.4860 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Set      ]  [[File]RegistrationKeyFile]
    VERBOSE: [myServer-DSC01]:                            [[File]RegistrationKeyFile] DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.
    DestinationPath cannot be a directory for current configuration. Specify Force if you want to perform the configuration.  The related ResourceID is [File]RegistrationKeyFile.
        + CategoryInfo          : InvalidArgument: (:) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        : myServer-dsc01.myServer.lab
    
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Resource ]  [[Service]WebMgmtService2]
    VERBOSE: [myServer-DSC01]: LCM:  [ Start  Test     ]  [[Service]WebMgmtService2]
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService2] Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_Service WHERE Name='wmsvc','queryDialect' = WQL,'namespaceName' = root\cimv2'.
    VERBOSE: [myServer-DSC01]:                            [[Service]WebMgmtService2] Operation 'Query CimInstances' complete.
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Test     ]  [[Service]WebMgmtService2]  in 0.2350 seconds.
    VERBOSE: [myServer-DSC01]: LCM:  [ Skip   Set      ]  [[Service]WebMgmtService2]
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Resource ]  [[Service]WebMgmtService2]
    VERBOSE: [myServer-DSC01]: LCM:  [ End    Set      ]
    The SendConfigurationApply function did not succeed.
        + CategoryInfo          : InvalidArgument: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : MI RESULT 4
        + PSComputerName        : myServer-dsc01.myServer.lab
    
    VERBOSE: Operation 'Invoke CimMethod' complete.
    VERBOSE: Time taken for configuration job to complete is 115.124 seconds
    PS C:\dsc_stuff>
    

    Any ideas? I am stumped.

    Thanks,

    Formica
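A pre-flight check of the certificate the configuration will bind, written here as an added example (it is not from the thread or from the xPSDesiredStateConfiguration module). The resource's verbose step only verifies that a certificate with the thumbprint exists in Cert:\LocalMachine\My; an HTTPS binding additionally needs an end-entity server certificate with an accessible private key, and "A specified logon session does not exist" (Win32 error 1312) is the message http.sys returns when the key is missing, which is what a CA's root certificate copied into LocalMachine\My looks like. Thumbprint and DNS name are placeholders for the node's own values.

```powershell
function Test-PullServerCertificate {
    # Run on the pull server with the same thumbprint passed as CertificateThumbPrint.
    # Returns one "OK" line or a list of "PROBLEM" lines; nothing is changed on the machine.
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $DnsName     # name clients will use in https://, normally the FQDN
    )

    $problems = [System.Collections.Generic.List[string]]::new()
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # store thumbprints are upper-case hex, no spaces

    # 1. The resource looks in Cert:\LocalMachine\My; the certificate must be there.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hex }
    if (-not $cert) { return @("PROBLEM: no certificate with thumbprint $hex in Cert:\LocalMachine\My") }

    # 2. An HTTPS binding needs the private key. A .cer, or a CA's own root certificate copied into My,
    #    has none, and the binding fails with Win32 error 1312 ("A specified logon session does not exist").
    if (-not $cert.HasPrivateKey) {
        $problems.Add('no private key is associated with the certificate (import the .pfx, not the .cer)')
    }

    # 3. A CA certificate (BasicConstraints cA=TRUE) is never a valid server certificate.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        $problems.Add('this is a CA certificate, not a server (end-entity) certificate')
    }

    # 4. Enhanced Key Usage, when present, must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems.Add('Enhanced Key Usage does not include Server Authentication')
    }

    # 5. Clients match the URL host against the SAN (or the CN when there is no SAN); collect both.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format($false) renders e.g. "DNS Name=host.domain.lab, IP Address=10.0.0.5"; keep the values only.
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    if ($names -notcontains $DnsName) {
        $problems.Add("neither CN nor SAN contains '$DnsName' (found: $($names -join ', '))")
    }

    # 6. The chain must build to a root this machine trusts; "issued by my AD CS" alone is not enough.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline lab; re-enable in production
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems.Add("chain does not build to a trusted root: $status")
    }

    # 7. Validity window.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems.Add("certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))")
    }

    if ($problems.Count -eq 0) { return @("OK: '$($cert.Subject)' can be bound for https://$DnsName") }
    return @($problems | ForEach-Object { "PROBLEM: $_" })
}

# Usage with placeholder values from the thread:
# Test-PullServerCertificate -Thumbprint 'myThumbprint' -DnsName 'myServer-dsc01.myServer.lab'
```

Running this before Start-DscConfiguration separates a certificate problem from a resource problem: if it reports a missing private key or a CA certificate, the xDscWebService error is expected and the fix is the certificate, not the configuration.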

  • #83536

    Alex Aymonier
    Participant

    With this DSC stuff it can be tricky at first, but when it works you get that 'Voila' moment and all is good with the world. Looking at the verbose output I can see "Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\". Is the cert for the pull server site on the pull server? Are you able to set the pull server as not secured first, then once that is sweet add the next layer of securing it, etc.?

    • #83749

      Formica
      Participant

      Thanks for your reply, I appreciate it. Also, sorry for screwing up my formatting so bad. I went back and changed the tags so it looks like it should now.

      The line you're referring to:

      VERBOSE: [myServer-DSC01]:[[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\

      ... given the context looks like it's an action, that is, it's verbose output about what step it's on, in this case verifying the presence of the certificate. To put it another way, it's in Yellow, not Red. I just went and looked again and verified that the certificate referred to by the submitted thumbprint is in fact present in cert:\LocalMachine\My.

      The initial error is referring to some kind of logon, but it's so vague I can't put my finger on what kind of logon trouble it is having, or what process or service is authenticating to AD, etc.

      I will try your suggestion and see if it works in an insecure mode.

      Does anyone else have any input or suggestions, now that my code is readable and not a horrible mess? 🙂

      Thanks,

      Formica

    • #83812

      Formica
      Participant

      Hi Alex,

      I tried a bare-bones Pull Server setup without SSL, and it did work. So perhaps you're right, maybe it is something to do with my certificate. I'm able to generate and issue a certificate for SSL on IIS using the IIS 10 GUI on another IIS 10 server. I've tried using that mechanism and substituting the Distinguished Name of my Pull Server in the request and using the resulting certificate, but that isn't working either; I get the same error.

      I know it's a bit off topic, but can anyone point me to a link on how to correctly generate the certificate I need for a Pull Server? I feel like I'm 95% of the way there but I'm missing some key thing.

      Edit: I got the Pull Server to install correctly with DSC! I still can't generate the correct certificate for the Pull Server, so I can't make authenticated connections over SSL. However if I ignore SSL errors I get the expected XML output when I hit the URL. Any input on how to generate the correct certificate for the Pull Server would be greatly appreciated!

      Thanks,

      Formica

  • #83840

    Alex Aymonier
    Participant

    That's good to know. At least we know the pull server is set up correctly. Do you have the root cert for your CA on the client in the trusted root that is trying to connect to the Pull server?

    • #83843

      Formica
      Participant

      Hi Alex,

      Thank you so much for replying. I really appreciate your help.

      In answer to your question, I think so. Using the IIS Manager on a different IIS server, I can go to Server Certificates -> Create Certificate Request... and then submit that to the AD CS server using certreq.exe. I can take the resulting .cer file and go to Server Certificates -> Complete Certificate Request... After that, I can assign the resulting certificate to an https binding and get a properly authenticated SSL connection to that IIS endpoint with no warnings or errors, and if I examine the certificate, the root of the trust is indeed my AD CS server.

      What's even more frustrating is that, if I use IIS Manager to connect to the Server Core instance running my DSC Pull Server, the Server Certificates option does not even show up in IIS Manager. So I can't even manually try to fix the binding or create a request for a certificate. I am considering just starting over and trying all of this on a GUI Server instead of Server Core and manually setting up the certificate for the DSC Pull Server in IIS Manager since apparently that works.

      Even more frustrating, when I compare the certificate I describe above with the one I'm generating for the DSC Pull Server, it looks... correct. The only difference is the subject. I've tried adding more SANs at the command line, FQDN, hostname only, IP address... none of it seems to make any difference. I just can't get the right certificate hooked up to the Pull Server site in IIS.

      All of that said, I know it's possible to make this work since everyone else apparently can do it! I feel like I'm just not using the right search terms or something, and that somewhere out there, there's a guide that will show me the key piece of information I am missing. I'm also experimenting with the xCertificate module for DSC, but so far I haven't had any luck with it.

      Let me know what kind of diagnostic information or screenshots would be illuminating for you and I'll try to sanitize them and share them. And really, thank you again for taking the time to help me. It means a lot! If anyone else has any opinions or advice, please chime in 🙂

      Best,

      Formica

  • #83891

    Alex Aymonier
    Participant

    Hey Formica,

    Thought I had posted up my pull server code yesterday but it looks like it did not go up correctly. Let's try again.

    These notes are on my script but it won't let me post in the code section for some reason.

    start inetmgr
    Expand The server site
    Double Click Server Certificates
    Click “Create Domain Certificate” on the right side panel under actions
    Common Name = Full Qualified Domain Name of Pull Server Example:DSCPullServer1.test.local
    Fill in: Organization, Organizational Unit, City, State with whatever you'd like
    Click Next
    Hit select next to specify online certification authority
    select your server and hit OK
    Input a Friendly name of DSCPullServerCert
    Finish

    ### Export and import the Cert

    From the IIS manager select the certificate PSDSCPullServerCert
    On the right hand side click export under actions
    Hit the … to browse
    Navigate to the Pull servers system drive Example [\ZPull01\c$]
    Input a password
    click OK

    Remote to DSC Pull Server and run

    # prompt for the PFX export password; use a descriptive name rather than $pwd, PowerShell's current-location variable
    $pfxPassword = Read-Host -AsSecureString
    Import-PfxCertificate -Password $pfxPassword -FilePath C:\DSCPullServerCert.pfx -CertStoreLocation cert:\localmachine\my

    Make a note of the thumbprint as this will be used to secure the Pull Server.


    
    Configuration SetUpSecurePullServer
    {
    
        Param
        (
    
            [Parameter(Mandatory)]
            [string]
            $CertThumbPrint,
    
            [Parameter(Mandatory)]
            [pscredential]
            $DomainCred
    
        )
    
        Import-DscResource -ModuleName xActiveDirectory,xNetworking,PSDesiredStateConfiguration,xComputerManagement,xPSDesiredStateConfiguration
    
        Node $AllNodes.Where{$_.Role -eq "Pull Server"}.Nodename
        {
    
            xIPAddress IPAddress
            {
                IPAddress        = $Node.IPAddress
                InterfaceAlias   = $Node.InterfaceAlias
                PrefixLength     = $node.PrefixLength
            }
    
            xDNSServerAddress DNSServerAddress
            {
                Address          = $node.DNSServerAddress
                InterfaceAlias   = $Node.InterfaceAlias
                AddressFamily    = $node.AddressFamily
            }
            
            xDefaultGatewayAddress DefaultGatewayAddress
            {
                Address          = $node.DefaultGatewayAddress
                InterfaceAlias   = $Node.InterfaceAlias
                AddressFamily    = $node.AddressFamily
            }
    
            xWaitForADDomain DscForestWait
            {
                DomainName       = $Node.DomainName
                RetryCount       = $Node.RetryCount
                RetryIntervalSec = $Node.RetryIntervalSec
                DependsOn        = '[xDNSServerAddress]DNSServerAddress' 
            }
    
            xcomputer computername
            {
                Name             = $node.NodeName
                DomainName       = $Node.DomainName
                Credential       = $DomainCred
                DependsOn        = '[xWaitForADDomain]DscForestWait'
            }
    
            WindowsFeature RemoveSMB1
            {
                Name           = 'FS-SMB1'
                Ensure         = 'Absent'
    
            }
    
            WindowsFeature RemovePowerShellV2Engine
            {
                Name           = 'PowerShell-V2'
                Ensure         = 'Absent'
    
            }       
    
            WindowsFeature DSCServiceFeature
            {
                Ensure           = "Present"
                Name             = "DSC-Service"
            }
            
            xDscWebService PSDSCPullServer
            {
                Ensure                   = "Present"
                EndpointName             = "PSDSCPullServer"
                Port                     = 8080
                PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint    = "$CertThumbPrint"
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                    = "Started"
                UseSecurityBestPractices = $True
                DependsOn                = "[WindowsFeature]DSCServiceFeature"
    
            }
    
            xDscWebService PSDSCComplianceServer
            {
                Ensure                   = "Present"
                EndpointName             = "PSDSCComplianceServer"
                Port                     = 9080
                PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
                CertificateThumbPrint    = "$CertThumbPrint"
                State                    = "Started"
                UseSecurityBestPractices = $True
                DependsOn                = "[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer"
            }
    
            File RegistrationKey 
            {
                Ensure           = 'Present'
                DestinationPath  = "$env:PROGRAMFILES\WindowsPowershell\DscService\registrationKeys.txt"
                Contents         = $node.RegistrationKey
                Type             = 'File'
            }
    
            WindowsFeature IISManagement 
            {
                Name             = "Web-Mgmt-Service"
                Ensure           = "Present"
                DependsOn        = "[xDSCWebService]PSDSCPullServer"
            }
    
            Registry RemoteManagement 
            {
                Key              = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
                ValueName        = "EnableRemoteManagement"
                ValueData        = "1"
                ValueType        = 'Dword'
                DependsOn        = "[xDSCWebService]PSDSCPullServer",'[WindowsFeature]IISManagement'
            }
    
            Service StartWMSVC 
            {
                Name             = "WMSVC"
                StartupType      = "Automatic"
                State            = "Running"
                DependsOn        = "[Registry]RemoteManagement"
            }
            
            Registry PowerShellDefaultShell
            {
                Key              = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                ValueName        = "Shell"
                ValueData        = "Powershell.exe -noExit"
                ValueType        = 'String'
            }
    
        }
    
    }
    
    $SetUpSecurePullServerParams = @{
    
        configurationData = "C:\DSC\Config Data\DSCPullServer1.psd1"
        OutputPath        = "C:\DSC\pull"
        CertThumbPrint    = "4AB3A39D05FFA3BD209AF02A5E96D6323CD8EBF6"
        DomainCred        = (Get-Credential -Credential Test\Administrator)
    }
    
    SetUpSecurePullServer @SetUpSecurePullServerParams
    
    
    • #84154

      Formica
      Participant

      Thanks! I'll give your code a shot. I appreciate it.

      For the record, I tried the following:

      – Stand up 2016 GUI server
      – Install IIS by GUI
      – Install IIS Console by GUI
      – Use IIS GUI to request Certificate
      – Use certreq.exe to submit request with -attrib:"CertificateTemplate:WebServer"
      – Complete certificate request using IIS GUI
      – Test SSL binding to port 443 on default IIS website (success)
      – Export certificate
      – Import certificate to cert:\localmachine\my
      – Run pullserver.ps1
      – start-dscconfiguration mof

      Using this methodology with a known, good certificate, I'm back to getting the "A specified logon session does not exist. It may already have been terminated" error during the "Add and Set Site Properties" step of the Pull Server setup. I'm going to compare my code with yours and then try yours and see what happens. Thanks again for providing it!

      Edit: Looks like you're creating a Domain Certificate, not a WebServer certificate! That might be the difference right there. Thanks for digging up your notes!
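Since the thread narrows the problem down to which certificate sits behind `$CertThumbPrint`, here is an added pre-flight check (not code from either poster) that inspects that certificate in cert:\localmachine\my before the MOF is applied. It uses the thumbprint from the configuration above; the function name is an assumption.

```powershell
# Added example: verify the certificate behind $CertThumbPrint is usable for an HTTPS binding
# before xDscWebService tries to bind it. Function name is hypothetical.
function Test-PullServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ExpectedHostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $problems = @()
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { return @("No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My") }

    # IIS binds with the private key; a cert imported from a public-only .cer cannot be bound.
    if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key in this store' }

    # A WebServer-template cert carries the Server Authentication EKU; other templates may not.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) {
        $problems += "Certificate lacks the Server Authentication EKU ($serverAuthOid)"
    }

    # Pull clients connect by name, so the host name must be in the subject/SAN list.
    if (-not ($cert.DnsNameList.Unicode -contains $ExpectedHostName)) {
        $names = $cert.DnsNameList.Unicode -join ', '
        $problems += "Certificate does not name $ExpectedHostName (names present: $names)"
    }

    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $problems += "Certificate expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "Certificate not valid until $($cert.NotBefore)" }

    # The chain must build to a root this host trusts, or clients will reject the binding.
    if (-not $cert.Verify()) { $problems += 'Certificate chain does not validate on this host' }

    return $problems
}

# Thumbprint taken from the $SetUpSecurePullServerParams block earlier in the thread.
$issues = Test-PullServerCertificate -Thumbprint '4AB3A39D05FFA3BD209AF02A5E96D6323CD8EBF6'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'Certificate looks usable for the pull server HTTPS binding.' }
```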

  • #83893

    Alex Aymonier
    Participant

    And the config data for my test lab.

    
    @{
        AllNodes = 
        @(
            @{
                NodeName                      = 'DSCPullServer1'
                Role                          = 'Pull Server'
                PSDSCAllowPlainTextPassword   = $true
                PSDscAllowDomainUser          = $true
                IPAddress                     = '192.168.222.102'
                DNSServerAddress              = '192.168.222.100'
                DefaultGatewayAddress         = '192.168.222.2'
                InterfaceAlias                = 'Ethernet0'
                AddressFamily                 = 'IPv4'
                PrefixLength                  = '24'
                DomainName                    = 'test.local'
                RetryCount                    = 50 
                RetryIntervalSec              = 30
                RegistrationKey               = '2ab527e3-538f-45c0-a720-aeb9bb6527ae'
            }
        )
    }
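The config data above opts in with `PSDSCAllowPlainTextPassword = $true`, which writes `$DomainCred` into the compiled MOF in clear text. As an added example (not Alex's config data), the same node entry with that opt-in replaced by certificate-based credential encryption; the certificate path is a constructed placeholder, and it assumes the MOF is compiled and applied on DSCPullServer1 itself, as this lab does.

```powershell
# Added example: encrypt the domain credential in the MOF instead of allowing plain text.
# Paths are constructed placeholders; lab values match the thread's config data.

# 1. On DSCPullServer1, create a document-encryption certificate and export its public half.
#    DocumentEncryptionCertLegacyCsp is the variant WMF 5.1 DSC accepts for MOF encryption.
$encCert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp `
    -DnsName 'DSCPullServer1' -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My'
Export-Certificate -Cert $encCert -FilePath 'C:\DSC\Certs\DSCPullServer1.cer' | Out-Null

# 2. Point the node's LCM at the certificate that decrypts credentials in incoming MOFs.
[DSCLocalConfigurationManager()]
configuration PullServerLcm {
    node 'DSCPullServer1' {
        Settings { CertificateID = $encCert.Thumbprint }
    }
}
PullServerLcm -OutputPath 'C:\DSC\lcm' | Out-Null
Set-DscLocalConfigurationManager -Path 'C:\DSC\lcm'

# 3. Config data: CertificateFile/Thumbprint replace PSDSCAllowPlainTextPassword.
#    With a separate authoring host, copy the .cer there and use its thumbprint string.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName              = 'DSCPullServer1'
            Role                  = 'Pull Server'
            PSDscAllowDomainUser  = $true      # still needed: Test\Administrator is a domain account
            CertificateFile       = 'C:\DSC\Certs\DSCPullServer1.cer'
            Thumbprint            = $encCert.Thumbprint
            IPAddress             = '192.168.222.102'
            DNSServerAddress      = '192.168.222.100'
            DefaultGatewayAddress = '192.168.222.2'
            InterfaceAlias        = 'Ethernet0'
            AddressFamily         = 'IPv4'
            PrefixLength          = '24'
            DomainName            = 'test.local'
            RetryCount            = 50
            RetryIntervalSec      = 30
            RegistrationKey       = '2ab527e3-538f-45c0-a720-aeb9bb6527ae'
        }
    )
}
```

Compiling with this `$ConfigData` in place of the .psd1 file yields a MOF whose `Credential` block is encrypted; a compile without either `PSDSCAllowPlainTextPassword` or a `CertificateFile` is refused, which is the behaviour to keep.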
    
    
