Failure joining on-prem to Azure DSC Automation

This topic contains 8 replies, has 3 voices, and was last updated by  yamfiddler 1 week, 5 days ago.

  • #83260

    yamfiddler
    Participant

    Hello,

    I'm having difficulties joining a Windows machine to Azure DSC automation. I'm getting the following error:

    Registration of the Dsc Agent with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX failed. The underlying error is: The attempt to register Dsc Agent with AgentId
    XXXXXXXXXXXXXXXXXXXXXX with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXX') returned unexpected response code
    Unauthorized. .
        + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
        + PSComputerName        : AZURE-TEST
    

    Here is my meta mof config

    param (
    [Parameter(Mandatory=$True)]
            [String]$RegistrationUrl,
    
            [Parameter(Mandatory=$True)]
            [String]$RegistrationKey,
    
            [Parameter(Mandatory=$True)]
            [String[]]$ComputerName,
    
            [Int]$RefreshFrequencyMins = 30,
    
            [Int]$ConfigurationModeFrequencyMins = 15,
    
            [String]$ConfigurationMode = "ApplyAndMonitor",
    
            [String]$NodeConfigurationName
               
    )
    
    [DscLocalConfigurationManager()]
    Configuration DscMetaConfigs
    {
    
        param
        (
            [Parameter(Mandatory=$True)]
            [String]$RegistrationUrl,
    
            [Parameter(Mandatory=$True)]
            [String]$RegistrationKey,
    
            [Parameter(Mandatory=$True)]
            [String[]]$ComputerName,
    
            [Int]$RefreshFrequencyMins = 30,
    
            [Int]$ConfigurationModeFrequencyMins = 15,
    
            [String]$ConfigurationMode = "ApplyAndMonitor",
    
            [String]$NodeConfigurationName,
    
            [Boolean]$RebootNodeIfNeeded= $False,
    
            [String]$ActionAfterReboot = "ContinueConfiguration",
    
            [Boolean]$AllowModuleOverwrite = $False,
    
            [Boolean]$ReportOnly = $False
        )
    
        if(!$NodeConfigurationName -or $NodeConfigurationName -eq "")
        {
            $ConfigurationNames = $null
        }
        else
        {
            $ConfigurationNames = @($NodeConfigurationName)
        }
    
        if($ReportOnly)
        {
        $RefreshMode = "PUSH"
        }
        else
        {
        $RefreshMode = "PULL"
        }
    
        Node $ComputerName
        {
    
            Settings
            {
                RefreshFrequencyMins = $RefreshFrequencyMins
                RefreshMode = $RefreshMode
                ConfigurationMode = $ConfigurationMode
                AllowModuleOverwrite = $AllowModuleOverwrite
                RebootNodeIfNeeded = $RebootNodeIfNeeded
                ActionAfterReboot = $ActionAfterReboot
                ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
            }
    
            if(!$ReportOnly)
            {
            ConfigurationRepositoryWeb AzureAutomationDSC
                {
                    ServerUrl = $RegistrationUrl
                    RegistrationKey = $RegistrationKey
                    ConfigurationNames = $ConfigurationNames
                }
    
                ResourceRepositoryWeb AzureAutomationDSC
                {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
                }
            }
    
            ReportServerWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
            }
        }
    }
    
    DscMetaConfigs -RegistrationUrl $RegistrationUrl -RegistrationKey $RegistrationKey -ComputerName $env:COMPUTERNAME -NodeConfigurationName $NodeConfigurationName  
    

    I have a script that allows an end user to put in the necessary information (Registration keys, URL etc..), generates the meta mof then feeds it to the LCM. But I get the aforementioned error when I try to execute.

    Here is the relevant DSC event error log

    Job {6E7C0C83-BD69-11E7-BD75-005056852B86} : 
    Http Client XXXXXXXXXXXXXXXXXXXXXX failed for WebReportManager for configuration 
    FullyQualifiedErrorId :ReportManagerSendStatusReportUnsuccessful
     CategoryInfo:InvalidResult: (:) [], InvalidOperationException
     ExceptionMessage:The attempt to send status report to the server https://azureserver/accounts/XXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXXXXX')/SendReport returned unexpected response code Unauthorized.
    , InnerException
    .
    

    Does anybody have any ideas on what could be the problem?

  • #83263

    Geraldo
    Participant

    Hey,
    I struggled with this as well, and I ended up getting my config from local and reporting to Azure.

    Settings
    {
    RefreshMode = 'Pull'
    RefreshFrequencyMins = 30
    ConfigurationModeFrequencyMins = 15;
    ConfigurationMode ="ApplyAndAutocorrect";
    ActionAfterReboot = "ContinueConfiguration"
    AllowModuleOverwrite = $true;
    RebootNodeIfNeeded = $true
    }

    ConfigurationRepositoryWeb MYLOCALPULLSERVER
    {
    ServerURL = 'https://LOCALDSCPULL:8080/PSDSCPullServer.svc'
    RegistrationKey = 'COMPUTER_GUID'
    ConfigurationNames = "NAME_OF_CONFIG"
    }

    #Report to Azure Automation.
    ReportServerWeb AzureAutomationDSC
    {
    ServerUrl = "https://wcus-agentservice-XXX.azure-automation.net/accounts/"
    RegistrationKey = "EKGJpnXXXXXXXXX__EncryptionKeyLikeRegistrationKey___5BiUbBY3Lnjd3MN5pJ0kmw=="
    }

    Can you try something like this....

    Note that RegistrationKey to AZURE is the key that you'll get from Portal on Account Settings -> Keys.

    Hope that helps.

  • #83276

    yamfiddler
    Participant

    Unfortunately, my business requirements don't fit in with that solution. Adding a local pull server to each location is not an option.

    The key used was the primary one in Account Settings -> Keys and it still fails. I'll keep trying, if I come up with a solution I'll make sure to post it here.

  • #83282

    yamfiddler
    Participant

    Update!

    So I tested my script on a Windows 2008 Server (Upgraded powershell to 5.1), and it connected without a problem. So whatever the issue is it seems to be affecting Windows 10 Enterprise/That virtual machine only... I'll try and do some more testing to see if I can narrow the problem down more. If anybody has any ideas feel free to post them.

    Edit:
    So it appears to continue to fail on fresh versions of Windows 2016 and Windows 10 Enterprise

  • #83372

    Michael Greene
    Participant

    With exactly the same script? In the past when I have hit this error it was either in my script or something was preventing network traffic. I'm happy to work with you on this if you would like to DM me on Twitter – @migreene.

  • #83398

    yamfiddler
    Participant

    @michael Thanks for the offer, I followed you and sent you a tweet, follow me back so I can DM you.

    Regarding the script:
    The script does multiple things to get the machine ready for its purposes. Everything else is fine, but once it gets to the part where it's joined to Azure, that's when it fails. The section basically looks like this

    
    #get the necessary input, no empty strings allowed
    do {
            $url = Read-Host "Enter registration URL "  
        }  while ([string]::IsNullOrEmpty($url))
    
        do { 
            $key = Read-Host "Enter registration key "
        }  while ([string]::IsNullOrEmpty($key))
    
        do { 
            $NodeConf = Read-Host "Enter configuration name "
        } while ([string]::IsNullOrEmpty($NodeConf))
    
        $compn = $env:COMPUTERNAME
    
    # Create the metamof
    try {
          Write-host "Executing meta configuration..." -ForegroundColor Yellow -BackgroundColor Black
          .\nodeconfig.PS1 -RegistrationUrl $url -RegistrationKey $key -ComputerName $compn -NodeConfigurationName $NodeConf
        }
        catch {
            Write-host "Error when building the NODE configuration. Make sure NODE config exists" 
        }
        
    # Start the LCM configuration
        try {
            Set-DscLocalConfigurationManager .\DscMetaConfigs\ -Verbose -Force -ErrorAction Stop     # <---------- Failure
        }
        catch {
            Write-Host "Error occured! `n" -ForegroundColor Yellow -BackgroundColor Red
        }
    
    
    

    So the .\nodeconfig.PS1 is the meta config I posted in my first post, the url,key,config,computer are given, the meta config is created, then executed. And that's when this error occurs.

    I disabled the Windows firewall on the machine that I'm testing and there are no network restrictions from the subnet the machine is on that is executing the script. I checked the metaconfig to make sure all the values were correct and I didn't see anything wrong with it. I did a line by line comparison between the metaconfig generated on the Windows 08 server and the one generated on the Windows 2016 and it was all the same. Frankly I'm a bit stumped.

  • #83401

    yamfiddler
    Participant

    So I just tried on my personal machine and it worked fine... The only discernible difference that I can tell, is that the 08 server and my machine are licensed windows machines. The Win Server 2016 and Win 10 Enterprise 2016 are on eval licenses just for testing purposes, can anybody confirm if this has anything to do with it?

  • #83411

    Michael Greene
    Participant

    No, no connection between DSC and the licensing state of the node

  • #83764

    yamfiddler
    Participant

    So I've done a lot of testing to try and narrow it down. As Michael mentioned before, it was either the network or the script. In this case it appears to be the script. When I hardcode the url, key and node configuration, it works without any problems. When I use the aforementioned configuration in the OP it fails, only some of the time? It's strange. It appears that the variables aren't being passed in correctly, causing the authentication to fail, which is why I keep getting the "Unauthorized" message.

    I have also noticed that some dsc clients will still join even after the failure message.
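
An added example, not code from any poster in this thread: one way to check the typed-in registration values before they reach the LCM, and to confirm afterwards that the generated meta.mof carries exactly those values. The function names and sample values are hypothetical, and it assumes the registration key is base64 and that the meta.mof is written without certificate encryption.

```powershell
# Added example (hypothetical helper names; sample values are constructed).
function Test-DscRegistrationInput {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string]$RegistrationUrl,
        [Parameter(Mandatory)] [AllowEmptyString()] [string]$RegistrationKey
    )
    $problems = @()

    # Values pasted into Read-Host can carry whitespace that changes the key or URL.
    if ($RegistrationUrl -ne $RegistrationUrl.Trim()) { $problems += 'URL has leading/trailing whitespace' }
    if ($RegistrationKey -ne $RegistrationKey.Trim()) { $problems += 'Key has leading/trailing whitespace' }

    $uri = $null
    if (-not [Uri]::TryCreate($RegistrationUrl.Trim(), [UriKind]::Absolute, [ref]$uri)) {
        $problems += 'URL is not an absolute URI'
    } elseif ($uri.Scheme -ne 'https') {
        $problems += 'URL is not https'
    }

    # Assumption: the key is base64 (the key quoted in the thread ends in "==").
    $trimmedKey = $RegistrationKey.Trim()
    if ($trimmedKey.Length -eq 0) {
        $problems += 'Key is empty'
    } else {
        try { [void][Convert]::FromBase64String($trimmedKey) }
        catch { $problems += 'Key is not valid base64' }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Test-MetaMofValues {
    # Confirms the generated meta.mof contains the exact URL and key that were entered.
    # Assumption: no certificate encryption, so the key is stored as plain text.
    param([string]$MetaMofPath, [string]$RegistrationUrl, [string]$RegistrationKey)
    $text = Get-Content -LiteralPath $MetaMofPath -Raw
    [pscustomobject]@{
        UrlPresent = $text.Contains($RegistrationUrl.Trim())
        KeyPresent = $text.Contains($RegistrationKey.Trim())
    }
}

# Constructed sample input: the URL has a trailing space, as a paste can add.
$check = Test-DscRegistrationInput -RegistrationUrl 'https://example.invalid/accounts/00000000 ' `
                                   -RegistrationKey 'Q09OU1RSVUNURUQ='
$check.Problems

# After generating the meta configuration, before Set-DscLocalConfigurationManager:
# Test-MetaMofValues ".\DscMetaConfigs\$($env:COMPUTERNAME).meta.mof" $url $key
```

If `KeyPresent` is true, the meta.mof holds the registration key in clear text, so remove the `DscMetaConfigs` folder once registration succeeds.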
