Author Posts

June 23, 2014 at 11:13 pm

Hi,

i have set up a working http pull server (Windows 2008 R2 SP1). Now i want to change the server to https.

What i have done so far:
1)Created a self signed certificate (Server Authentication, Client authentication, Exportalbe)
2)Imported the certificate (machine) to Personal, and Trusted Root Certification
3)in IIS i have created a https binding to the site with the imported certificate
4)configured the LCM with the cert thumbprint and https url (AllowUnsecureConnection=false)
AllowModuleOverwrite : True
CertificateID : 277E16A219CA3F003672DCC0703AA3310A0924FA
ConfigurationID : cf4fd7e6-d958-4981-b757-22c99f911b71
ConfigurationMode : ApplyAndAutoCorrect
ConfigurationModeFrequencyMins : 60
Credential :
DownloadManagerCustomData : {MSFT_KeyValuePair (key = "ServerUrl"), MSFT_KeyValuePair (key = "AllowUnsecureConnection")}
DownloadManagerName : WebDownloadManager
RebootNodeIfNeeded : True
RefreshFrequencyMins : 15
RefreshMode : Pull
PSComputerName :

If i try to get configuration i get the followoing error:
Invoke-CimMethod : Failed to get the action from server
https://pspullserver/PSDSCPullServer/PSDSCPullServer.svc/Action(ConfigurationId='cf4fd7e6-d958-4981-b757-22c99f911b71')/GetAction.
At C:\DSC\Invoke-DscPull.ps1:35 char:5
+ Invoke-CimMethod @parameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (root/microsoft/...gurationManager:String) [Invoke-CimMethod], CimException
+ FullyQualifiedErrorId : WebDownloadManagerGetActionFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand,Microsoft.Management.Infrast
ructure.CimCmdlets.InvokeCimMethodCommand
+ PSComputerName : localhost

I i launch the url in the browser i get this error:
This error (HTTP 405 Method Not Allowed) means that Internet Explorer was able to connect to the website, but the site has a programming error.

i can successfully open the svc url:
https://pspullserver/PSDSCPullServer/PSDSCPullServer.svc

Please let me know what i could have done wrong here.

BTW: Are there any resources on how to setup a pull server with a certificate?

Thanks in advance

June 24, 2014 at 12:21 am

I am sorry i had a typo in the CN Name of the certificate. In eventviewer i then found this message:
[Thumbprint]
72C5D88EE62ADF3D4338DFA11D8B380ED68EF9D3
[b]RemoteCertificateNameMismatch[/b].

Thanks

June 24, 2014 at 4:39 am

You have to configure the pull server, not the LCM, to have the certificate – I'm not clear if you've done that. And, your LCM configuration still says to use Http. Also, self-signed certificates won't really work for pull. You need to use a cert that is trusted by pulling nodes.

July 28, 2018 at 10:18 am

Hello,

I started with DSC watching Jason and Jefrrey Snover's videos at MVA.

I'm trying to configure an HTTPS Pull Server on a Windows Server 2012 with WMF 5.1 an got stuck with an error. Before showing what the error is, let me give you an idea of the steps I performed.

  1. I prepared a PKI infrastructure for my domain and generated a valid (nonself-signed) certificate
  2. I setup the pull server (using the MVA scripts/configurations) with the thumbprint's certificate.
    The server is running correctly either in the browser (https://vmdt01.dggh.es:8080/PSDSCPullServer.svc) or using the verify-DSCPullserver function
  3. Then I set the following LCM configuration for a specific node and it ran correctly.
    [DSCLocalConfigurationManager()]
    Configuration LCM_HTTPSPULL 
    {
        param
            (
                [Parameter(Mandatory=$true)]
                [string[]]$ComputerName,
    
                [Parameter(Mandatory=$true)]
                [string]$guid
    
            )      	
    	Node $ComputerName {
    	
    		Settings {
    		
    			AllowModuleOverwrite = $True
                ConfigurationMode = 'ApplyAndAutoCorrect'
    			RefreshMode = 'Pull'
    			ConfigurationID = $guid
                }
    
                ConfigurationRepositoryWeb DSCHTTPS {
                    ServerURL = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                    CertificateID = '9F00EDBDFB791C7AAD9200E9E0BA8FD59684B419'
                    AllowUnsecureConnection = $False
                }
    	}
    }
    
    # Computer list 
    $ComputerName='VCONTAB6-W10'
    
    # Create the Computer.Meta.Mof in folder
    LCM_HTTPSPULL -ComputerName $ComputerName -Guid '64cf90fc-6e55-4e62-9dff-c45e61dc429a' -OutputPath E:\DSC\HTTPS
    
  4. I generated the configuration for the node, naming the mof file with the configurationId guid, and afterwards generated a checksum file with `New-DSCChecksum` cmdlet.

The problem arises when I want to invoke

Update-DscConfiguration -Computer VCONTAB6-W10 -Verbose -Wait

DETALLADO: Realice la operación 'Invocar método de CIM' con los parámetros siguientes, "methodName' = PerformRequiredConfigurationChecks,'className' = MSFT_DSCLocalConfi
gurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
DETALLADO: Se recibió una llamada de método de LCM desde el equipo VMDT01 con el SID de usuario S-1-5-21-1960408961-299502267-725345543-500.
DETALLADO: [VCONTAB6-W10]: [] Ejecutando Get-Action con la suma de comprobación de la configuración 64cf90fc-6e55-4e62-9dff-c45e61dc429a: 6f063
a91179d512336175d89c76d61844a3f789417b2519466c220838bca2fd2.
DETALLADO: [VCONTAB6-W10]: [] Error al configurar Get-Action con la suma de comprobación de la configuración 64cf90fc-6e55-4e62-9dff-c45e61dc42
9a. Comprueba que el servidor de extracción está disponible.
No se pudo obtener la acción del servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Action(ConfigurationId='64cf90fc-6e55-4e62-9dff-c45e61dc429a')/GetAction.
+ CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : WebDownloadManagerGetActionFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand
+ PSComputerName : vcontab6-w10

The most relevant part states:

Error while configuring Get-Action with the checksum of configuration 64cf90fc-6e55-4e62-9dff-c45e61dc429a

But if delete checksum file, I get the same error. So I undesrtand the error has nothing to do with the checksum

If I paste the url https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Action(ConfigurationId='64cf90fc-6e55-4e62-9dff-c45e61dc429a')/GetAction I get a 405 http error – Method not allowed

If a lookup the event viewer I get:

Trabajo {7D3448B5-924C-11E8-A151-000C296AF402}:
Comando Do-DscAction de WebDownloadManager para configuración 64cf90fc-6e55-4e62-9dff-c45e61dc429a, resultado de llamada GET:
+ FullyQualifiedErrorId : WebDownloadManagerGetActionFailed
+ CategoryInfo : InvalidResult: (:) [], InvalidOperationException
+ ExceptionMessage : No se pudo obtener la acción del servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Action(ConfigurationId='64cf90fc-6e55-4e62-9dff-c45e61dc429a')/GetAction.
+ InnerException : System.AggregateException: Se han producido uno o varios errores. —> System.Net.Http.HttpRequestException: Error al enviar la solicitud. —> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. —> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. —> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
— Fin del seguimiento de la pila de la excepción interna —
en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
— Fin del seguimiento de la pila de la excepción interna —
en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
— Fin del seguimiento de la pila de la excepción interna —
— Fin del seguimiento de la pila de la excepción interna —
en System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
en Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(IHttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
—> (Nº de excepción interna 0) System.Net.Http.HttpRequestException: Error al enviar la solicitud. —> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. —> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. —> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto
en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)
en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)
— Fin del seguimiento de la pila de la excepción interna —
en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
— Fin del seguimiento de la pila de la excepción interna —
en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
— Fin del seguimiento de la pila de la excepción interna —< — The most relevant part states:

Error sending request

Cannot write data on transport connection

This resource, https://www.jofe.ch/be-aware-of-dsc-pull-server-compatibility-issues-with-wmf-5-0-and-5-1/, points out the problems that may arise when having different WMF versions in the client and the server.
I'm trying to pull a configuration to a W10 Pro workstation, which has WMF 5.1 built-on, from a Windows Server 12 with WMF 5.1 installed. Therefore, I'm not in that incompatibility case, but I get the very same error described when WMF are different.

Just to prove:

  • Server 2012 + WMF 5.1
    Name Value
    —- —–
    PSVersion 5.1.14409.1012
    PSEdition Desktop
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
    BuildVersion 10.0.14409.1012
    CLRVersion 4.0.30319.36440
    WSManStackVersion 3.0
    PSRemotingProtocolVersion 2.3
    SerializationVersion 1.1.0.1
  • Client Windows 10 Pro 1709

    Name Value
    —- —–
    PSVersion 5.1.16299.547
    PSEdition Desktop
    PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
    BuildVersion 10.0.16299.547
    CLRVersion 4.0.30319.42000
    WSManStackVersion 3.0
    PSRemotingProtocolVersion 2.3
    SerializationVersion 1.1.0.1

Another thing I've checked is that the W10 client should have .Net Framework 4.5.2 installed, because WMF 5.1 requires it to function properly. Doing that didn't solve the problem neither.

At that point I'm stuck and can get to find where is the problem. Could you pleae give me any hint of what may I be doing wrong?

July 28, 2018 at 10:20 am

Since I could'nt delete a duplicated post, I deleted the content.
Original post: #105526