Error using registrationkey for pull server

This topic contains 13 replies, has 6 voices, and was last updated by Profile photo of Arie H Arie H 5 months, 2 weeks ago.

Viewing 14 posts - 1 through 14 (of 14 total)
  • Author
    Posts
  • #35896
    Profile photo of Jeremy Murrah
    Jeremy Murrah
    Participant

    Trying to get a couple of clients to pull configs from a pull server, and whenever I change it from using a configuration ID to using a config name with registration key, I get this error:

    MIResult: 1
    Error Message: Registration of the Dsc Agent with the server https://PSDSCPullServerCert:8080/PSDSCPullServer.svc failed. The underlying error is: The attempt to register Dsc Agent with AgentId 478DDCD3-DBC9-11E5-80FD-0050569E1347 with the server https://psdscpullservercert:8080/PSDSCPullServer.svc/Nodes(AgentId='478DDCD3-DBC9-11E5-80FD-0050569E1347') returned unexpected response code Unauthorized. .
    Message ID: RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    Error Category: 8
    Error Code: 1
    Error Type: MI

    I'm not really sure how to troubleshoot any further. I tried grabbing the xDSCDiagnostics module, but that didn't really tell me anything different. I did notice that the error is the same if I purposefully mess up the registration key guid in the config. I couldn't see any matching log files on the pull server side, but I did grab a netmon capture just to make sure it's actually getting the traffic.

    Any ideas where to go from here? I should note that the server I'm using was a pull server with version 4, and my general screw-around-with-stuff box, so it might be time to just whack it and start fresh.

    #35904
    Profile photo of Don Jones
    Don Jones
    Keymaster

    A v4 pull server doesn't support configuration names or registration.

    #35917
    Profile photo of Jeremy Murrah
    Jeremy Murrah
    Participant

    it's not v4 anymore, I installed v5 the other day when it was re-released. Just wanted to mention it in case there's any known issues with an upgraded pull server.

    #35926
    Profile photo of Ed O'Connor
    Ed O’Connor
    Participant

    I had a similar issue and resolved it by deleting the Web site and recreating the site by modifying the Sample_xDSCWebService.ps1 in the xPSDesiredStateConfiguration module. Also, make sure you are using the latest module version (3.7.0.0 I think).
    One other thing is to ensure that the web.config file has the correct entries:

    https://msdn.microsoft.com/en-us/powershell/wmf/dsc_nodeid

    https://blogs.msdn.microsoft.com/powershell/2015/05/29/how-to-register-a-node-with-a-dsc-pull-server/

    #35953
    Profile photo of Jeremy Murrah
    Jeremy Murrah
    Participant

    So I built a brand new 2012R2 server, installed .net 4.5 then WMF5, downloaded the latest xPSDesiredStateConfiguration module and configured the pull server with the public example script. Couple of questions:

    1. Should I have a PSDSCServer.svc file in c:\inetpub\PSDSCPullServer?
    2. Should I be able to browse to https://dscpullserver:8080/PSDSCPullServer.svc from internet explorer?
    3. Is a client authentication certificate from a trusted internal CA sufficient for SSL encryption on the pull server and does it have to have a particular subject name?
    4. Should my PSDSCPullServer website have anonymous authentication enabled instead of windows authentication?

    #35958
    Profile photo of Don Jones
    Don Jones
    Keymaster

    1. Yes. Make sure the pull server role/feature is installed.

    2. No, not really. It isn't a web page.

    3. A client authentication certificate isn't an SSL certificate. But an internally issued SSL certificate would be fine.

    4. Usually, yes.

    #35961
    Profile photo of Jeremy Murrah
    Jeremy Murrah
    Participant

    ah there it is! Some how I ended up with the line

    IsComplanceServer = $True
    

    in my xDscWebService configuration block for the pull server. Looks like that caused it to populate the folder with only the compliance engine files instead of the pull server files. No idea where that line came from, but I was doing some pretty heavy copy/paste action there. Maybe that was a throwback to some v4 config or something. Anyway, thanks for the help.

    Oh and it turns out you can browse to the pull server in IE, you jus get a wad of xml. Turned out to be pretty helpful in troubleshooting though, as the 500 and 404 errors I was seeing in the browser clicked in my brain better than the same errors in the script output. I dunno.

    #36133
    Profile photo of Arie H
    Arie H
    Participant

    Should probably put a sticky on this forum to not use the Sample_xPSDesiredStateConfiguration.ps1 until they actually bring it to v5 levls of documentation as the github repo states.

    A FAQ or similar *hint* *hint* *nudge* *nudge*

    This is going to cause some headaches 😉

    #36134
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Stuck. And if you want to author a FAQ item, I'll add it to the site!

    #36162
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Because this is stickied, I also want to point out that, as of the initial re-release of WMF5, DSC pull servers need to be on the full server with a GUI, not on Server Core. This isn't by design, it's a bug, but right now the dependencies aren't getting installed on Server Core correctly. So the pull server won't work unless it's on full GUI, right now.

    #36724
    Profile photo of Nana Lakshmanan
    Nana Lakshmanan
    Participant

    The documentation for setting up DSC pull server is now updated. https://msdn.microsoft.com/en-us/powershell/dsc/pullserver Following the steps as outlined in this should help you setup the pull server correctly including on server core

    #36740
    Profile photo of Arie H
    Arie H
    Participant

    The online documentation wasnt that "bad" 🙂

    The problem is the samples that come with the module, Even in the new updated version you just posted, you still have the ComplianceServer in the Sample_xDscWebService.ps1

    #37599
    Profile photo of Michael Maher
    Michael Maher
    Participant

    Hi Arie,

    Right on with your comment regarding the Samples. The Samples are important because they are used in the server set-up (you kindly gave me this pointer yesterday)

    https://msdn.microsoft.com/en-us/powershell/dsc/pullserver

    The Sample_xDscWebService.ps1 script in the PowerShell Gallery/PackageMgmt is March 31st 2016.
    http://www.powershellgallery.com/packages/xPSDesiredStateConfiguration/3.9.0.0

    The Sample_xDscWebService.ps1 script in GitHub is April 4th 2016.
    https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebService.ps1

    The difference is significant. Just look at the Param block for example.

    Gallery Version

        param 
        (
            [string[]]$NodeName = 'localhost',
    
            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint
        )
    

    GitHub Version

        param  
        ( 
                [string[]]$NodeName = 'localhost', 
    
                [ValidateNotNullOrEmpty()] 
                [string] $certificateThumbPrint,
    
                [Parameter(Mandatory)]
                [ValidateNotNullOrEmpty()]
                [string] $RegistrationKey 
         ) 
    

    Michael

    #37701
    Profile photo of Arie H
    Arie H
    Participant

    My original comment was march 6, when the xPSDSC Resource was ver 3.7.0.0. Month and half later, were at 3.9.0.0 and they have changed it.

    So perhaps Don should unstick the threads and instead leave a very distinct call to everyone to make sure they use the latest version, and to make sure any example code they see on the web should be dated march 2016 and onwards, else there will be mishaps when they run them.

    I still see brand new repos on github with dsc samples using old versions of the scripts from with the old resource versions, and it make me cringe, so I try to leave a note for the repo owner, usually.

    At the moment i only download from github, its faster and i get to dl dev
    versions to try them.

    As for that specific code you pasted, the changes are more of taste then of content. The real changes are the removal of the IsCompliance property which caused issues, back when the original question was valid.

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic.