Errors setting up xDSCWebService for Pull Server

Welcome Forums DSC (Desired State Configuration) Errors setting up xDSCWebService for Pull Server

Viewing 8 reply threads
  • Author
    Posts
    • #44277
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      This will probably get really long, so I apologize in advance. I am thorough.

      Steps so far:
      Installed Gui 2012 R2, ran all updates.
      Installed WMF 5.0.
      Running all newest DSC cmdlets and xDSC cmdlets. Everything super clean.
      Followed instructions here: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver
      Specifically, the “configuration Sample_xDscPullServer”

      Result so far:
      The last step (installing DSC Service/IIS) errored out, not good. I’m not sure if it matters or not, but the errors make me nervous, as this is the second time trying to set this thing up, and the first time I ran into a plethora of buggy looking things and I am wondering if they are related to the xDSCWebService resource.

      This is the verbose output logged in a json file:

      Also, here are the Events Logged by DSC as Windows Events; some of the information is the same as above. also, these events are in Reverse order. Sorry.

      I’m not sure if this means that the Resource is broken, or simply throwing errors due to not having fit and finish checks in place to avoid unneeded error messages. I’ll probably be digging into the project page and looking at the code pretty soon. In the meantime, I wanted to post what I’m seeing, in case it helps anyone else in the future.

      I’ll try to register an Agent, which did not work correctly the last time I tried. I eventually got it sort of working, but after undocumented troubleshooting steps, so I’m starting over from scratch. This time, I have a Hyper-V checkpoint, so it won’t be so much trouble to go back.

    • #44285
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      So,

      I’m still getting the same error I got last time, on the IIS side, where it says this is an Unauthorized response to Register a Node/Agent,

      I do get the XML output from navigating to https://kyle-dsc.home.local:8080/PSDSCPullServer.svc/ , so the server is up and GET requests seem successful (Cert is also good). The PUT requests for adding the Node/Agent fail, and I have no idea what is going on internally.

      I have to add some more details now.

      This is my LCM config I’m pushing from the Pull Server:

      Also, to let you know, I also tried “AllowUnsecureConnection = $true”, with no change.

      Further details:

      PowerShell Version – 5.0.10586.117
      xPSDesiredStateConfiguration Version – 3.10.0.0 – xDSCWebService was updated like 19 days ago?

      Am I missing something? Am I a complete idiot?

      I can sort of fix this by fiddling with IIS, but I don’t want to do that because it didn’t fix everything reliably.

      I also noticed there are a lot of commits recently to xPSDesiredStateConfiguration recently, so maybe that’s part of my issue and others might not have seen it in the past?

    • #44299
      Participant
      Topics: 5
      Replies: 261
      Points: -19
      Rank: Member

      Hi,

      can you also post your pull server creation script and the commands you used to create it as well, please ?

      I assume you already have a mof and checksum for the configurationname value residing in the configuration subfolder ?

    • #44497
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      “can you also post your pull server creation script and the commands you used to create it as well, please ?”

      I did, by mentioning this:

      Followed instructions here: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver
      Specifically, the “configuration Sample_xDscPullServer”

      I could have been more clear, though. The command is simply running the configuration and supplying the Cert thumbprint and GUID registration key, then compiling the configuration and an mof and applying the configuration. It is the same as on the Documentation.

      I captured this in my personal notes: “Start-DscConfiguration -Path .\Sample_xDscPullServer -Wait -Verbose -ComputerName localhost”

      “I assume you already have a mof and checksum for the configurationname value residing in the configuration subfolder ?”

      Yes, but that shouldn’t affect the Registration of a node, right? Hopefully not, anyway. (As a side note: I got pulls sort of working on the first Pull server attempt, put the checksum failed, so that is probably another bug to tackle later)

      The problem I’m running into is I think there are some bugs in the IIS configuration, but difficult to prove, as the configuration is quite complex and I haven’t been able to entirely follow the code on Github. I get to the general area, but my lack of IIS knowledge sort of hinders my investigation.

    • #44499
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      Well, I finally figured out how to setup trace logs for IIS. Here comes the info!

      This is what I’m seeing that is telling:

      remoteUserName=”PSDSCUser”
      userName=”PSDSCUser”
      tokenUserName=”HOME\KYLE-DSC$”
      authenticationType=”PSDSCAuthentication”

      I’m not familiar with what is meant by that Authentication Type.

      I have no idea what or where PSDSCUser is.

      It confirms I’m indeed getting a 401.3 error, which normally means the issue is local NTFS rights. I would concur, because I can make some changes and sort of get it working, although I haven’t done that this time just yet.

      https://support.microsoft.com/en-us/kb/942042

      The PSWS Application Pool is configured to run as LocalSystem.

      The PSDSCPullServer Site is configured only with Anonymous Authentication set to use IUSR locally.

      I’m thinking something is up with the authentication settings, and perhaps other issues as well. I will continue to investigate further.

    • #44502
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      So,

      I’m getting different responses after messing with the IIS rights. I’ve changed the user Identity of the PSWS Application Pool to run as ApplicationPoolIdentity, so I can then setup the rights to the Site based upon the PSWS Identity User as Full Permissions. I’m still running into issues, but they aren’t the same 401.3 error as before. Registration of the node appears to still be sort of broken. Instead of erroring out quickly, it sits and runs for a good long time (401 seconds). It throws an error. The output is this:

      It pulls the ‘test’ configuration, but doesn’t seem to apply it correctly, as it is for some odd reason set to “Ensure = ‘absent'” on the Pull client.

      The failure does not appear to be registered in the event logs:

      After all of that, I decided to set the Site’s Anonymous Authentication to use the Application Pool Identity user instead of IUSR to see what would happen, because I already set the Application Pool to use that same user. Figured, why not try it?

      Doesn’t work, same stuff.

      I decided to change the PSWS Identity back to LocalSystem, and I’m directly back to Unauthorized. Ok, the original symptom is directly related to this setting.

      I decided to set it to “Network Service” instead, and add NTFS Full Access Permissions to the Site for Network Service.

      Now I’m back to the same thing about it being really slow to apply the LCM configuration and it sits there for a long time, and sort of kind of works but doesn’t work.

      Ok, I’m basically back to where I started and I have no idea what the hell is going on. I set the Identity and Authentication back to original settings, and Unauthorized is back. :'(

    • #44504
      Participant
      Topics: 2
      Replies: 18
      Points: 0
      Rank: Member

      OMG,

      I decided to take a look at my RegistrationKeys.txt after looking through the IIS trace again and realizing it also told me (very long file) that the Registration Key was not valid…

      I check the file, and find out it is filled with the contents of the Certificate Thumbprint! The certificate thumbprint is also set correctly, so I didn’t think anything of it previously.

      I had these same issue on my last server, where I did set the RegistrationKeys.txt correctly (I checked), but for some reason this one is now apparently registering correctly. What in da heck?

      I’m obviously totally mental. Well, I can’t argue with the results. I’m still having issues with ‘test’ config, so I’ll open another forum post for that if I can’t figure it out myself. Until then, I suppose this is resolved by me making some kind of mistake that I didn’t notice until now.

    • #44512
      Participant
      Topics: 5
      Replies: 261
      Points: -19
      Rank: Member

      For future reference:

      Dont change the application pool identity of PSWS. It has to be LocalSystem. That’s how it was designed to work.
      At least until a point in the future when or if they change it.

    • #44552
      Participant
      Topics: 27
      Replies: 51
      Points: 0
      Rank: Member

      Hi Kyle,

      Did you make any headway into the error:

      Error Message: The expression after ‘&’ in a pipeline element produced an object that was not valid. It must result in a
      command name, a script block, or a CommandInfo object.
      Message ID: BadExpression
      Error Category: 7
      Error Code: 7
      Error Type: MI

      I am getting the same exact error when trying to create my pull server. I have gone to the extent of totally rebuilding the machine from a ISO so I know there are no remnants of old settings haunting me. I don’t want to even try to set node configurations until I get a clean Pull Server build. If you figured anything out I would greatly appreciate your insights.

      Thanks,

      Ed

      • #44826
        Participant
        Topics: 2
        Replies: 18
        Points: 0
        Rank: Member

        Ed,

        So far, they seem to be errors we can ignore. At least as far as I have seen.

        I re-ran the configuration after rebuilding the mof, and it created the registration key file correctly, so I must have stupidly pasted the Thumbprint twice. Other than that, most everything is working. I am having an issue with “ConfigurationNames = ” when there is more than one configuration, which I’ll post about shortly. I doubt that is related to the non-terminating errors associated with the Pull Server setup resources.

Viewing 8 reply threads
  • The topic ‘Errors setting up xDSCWebService for Pull Server’ is closed to new replies.