Unable to Pull configuration using WMF 4 Pull server

This topic contains 6 replies, has 2 voices, and was last updated by Profile photo of Bjørn Roalkvam Bjørn Roalkvam 4 months, 4 weeks ago.

  • Author
    Posts
  • #46697
    Profile photo of Bjørn Roalkvam
    Bjørn Roalkvam
    Participant

    Hi
    Using Windows server 2012R2 with the KB2883200 installed. I have set up a Pull Server using a certificate.

    Iam unable to get my node to fetch confiurations from the pull server.
    Using the get.xDscOperation I find the following error:

    WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET Url: PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
    WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command with server url: https://vm06.contoso.com:8080/PSDSCPullServer.svc.
    Attempting to get the action from pull server using Download Manager WebDownloadManager. Configuration Id is 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b. Checksum is . Compliance status is true.
    Configuration is sent from computer NULL by user sid S-1-5-21-195968190-741174349-770780043-93293.
    This event indicates that failure happens when LCM is trying to get the configuration from pull server using download manager WebDownloadManager. ErrorId is 0x1. ErrorDetail is Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
    WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET call result: Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction..
    Message One or more errors occurred. 
    HResult -2146233088 
    StackTrack    at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(HttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
    WebDownloadManager processed certificate: [Subject]
      CN=DscSecure
    
    

    and

    Thumbprint]
      12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797
    RemoteCertificateNameMismatch, RemoteCertificateChainErrors.
    Configuration is sent from computer NULL by user sid S-1-5-21-195968190-741174349-770780043-93293.
    This event indicates that failure happens when LCM is trying to get the configuration from pull server using download manager WebDownloadManager. ErrorId is 0x1. ErrorDetail is Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
    WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET call result: Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction..
    Message One or more errors occurred. 
    HResult -2146233088 
    StackTrack    at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
       at Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(HttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
    WebDownloadManager processed certificate: [Subject]
      CN=DscSecure
    

    Trying to open my pull server site on target node or pull server gives me "There's a problem with this website's security certificate". I have not manually set a certificate onto the pull server site in IIS.

    My configuration is as follows:

    #CERT
    $Certificate = "dscSecure"
    $certSubject = "CN=$Certificate"
    $keysFolder = Join-Path $env:SystemDrive -ChildPath "Keys"
    $cert = dir Cert:\LocalMachine\My | ? { $_.Subject -eq $certSubject }
    if (! (Test-Path $keysFolder ))
    {
        md $keysFolder | Out-Null
    }
    
    #Copy publickey to folder
    $certPath = Export-Certificate -Cert $cert -FilePath (Join-Path $keysFolder -ChildPath "$Certificate.cer") -Force
    
    #CERT PUBLIC for PULL SERVER
    #This is done on the configuration server, The pfx (private key will only be on the node server)
    #Import the public key to trustedroot if it does not already exist there.
    $Existingcert = @()
    $Existingcert += dir Cert:\LocalMachine\Root | % {$_.Subject}
    If(!($Existingcert.where({$_ -eq $certSubject})))
    {
        Import-Certificate -FilePath ($certPath.FullName) -CertStoreLocation Cert:\LocalMachine\Root > $null
    }
    
    #CREATE REGKEY
    $RegKey = [guid]::newGuid() #Current a5d8b762-5102-4082-b088-be9c671975df
    $Thumbprint = (Dir Cert:\LocalMachine\my | ? {$_.Subject -eq "CN=$Certificate"}).Thumbprint #12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797
    
    
    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName="*"
                PSDscAllowPlainTextPassword=$true
                PSDscAllowDomainUser = $true
             }
            @{
                NodeName='localhost'
             }
        )
    }
    
    
    configuration DscWebService
    {
        param 
        (
            [string[]]$NodeName = 'localhost',
            [ValidateNotNullOrEmpty()] [string] $certificateThumbPrint
        )
    
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration 
        Import-DscResource –ModuleName PSDesiredStateConfiguration
    
        Node $AllNodes.NodeName 
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"            
            }
    
            WindowsFeature Auth
            {
                Ensure = "Present"
                Name   = "web-windows-Auth"            
            }
    
            xDscWebService PSDSCPullServer
            {
                Ensure                  = "Present"
                EndpointName            = "PSDSCPullServer"
                Port                    = 8080
                PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint   = $certificateThumbPrint         
                ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"            
                State                   = "Started"
                DependsOn               = "[WindowsFeature]DSCServiceFeature"                        
            }
    
            xDscWebService PSDSCComplianceServer
            {
                Ensure                  = "Present"
                EndpointName            = "PSDSCComplianceServer"
                Port                    = 9080
                PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
                CertificateThumbPrint   = $certificateThumbPrint
                State                   = "Started"
                #IsComplianceServer      = $true
                DependsOn               = @("[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer")
            }
        }
    }
    
    #RUN CONFIGURATION
    $MofConfigFile = DscWebService -ConfigurationData $configurationData -certificateThumbPrint $Thumbprint -OutputPath c:\Configs\PullServer
    
    # This creates a MOF at:
    $MofConfigDirectory = $MofConfigFile.DirectoryName
    ii $MofConfigDirectory
    
    #RUN MOF
    Start-DscConfiguration -Path $MofConfigDirectory -Wait -verbose -ComputerName "localhost" -force
    

    Then copying certificate to node:

    
    #NODE
    $Node = 'vm05'
    
    #COPY PFX TO NODE
    $block =
    {
    $Certificate = "dscSecure"
    $CertificatePwd = "Password99"
    $NewPath = "C:\$Certificate.pfx"
    
    $mypwd = ConvertTo-SecureString -String $CertificatePwd -Force –AsPlainText
    Import-PfxCertificate –FilePath $NewPath cert:\localMachine\my -Password $mypwd
    
    }
    Set-Content "\\share\import_sert.ps1" $block
    
    #Import private key to nodes
    copy "\\share\$Certificate.pfx" \\$Node\c$
    copy "\\share\import_sert.ps1" \\$Node\c$
    
    $testscriptblock = 
    {
        powershell C:\import_sert.ps1
    }
    
    Invoke-Command -ComputerName $Node -ScriptBlock $testscriptblock
    
    
    #CREATE CHECKSUM FOR MODULES
    New-DSCCheckSum -ConfigurationPath 'C:\Program Files\WindowsPowerShell\DscService\Modules' -OutPath 'C:\Program Files\WindowsPowerShell\DscService\Modules'
    
    /pre> 
    
    
    
    Configuring the LCM
    
    
    
    
     
    
    #GUID FOR EACH TARGET NODE
    $guid = '3f2fb53d-129c-44ff-8fcc-cc2a55ab738b' #[Guid]::NewGuid().ToString() #
    
    
    #LCM
    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName="*"
                PSDscAllowPlainTextPassword=$true
                PSDscAllowDomainUser = $true
                CertificateFile = "C:\keys\$Certificate.cer"
                Thumbprint = $Thumbprint
             }
            @{
                NodeName = $Node
                NodeGuid = $guid
             }
        )
    }
    
    Configuration ConfigureTargetLCMs 
    {
    
        Node $AllNodes.NodeName
        {
            LocalConfigurationManager 
            {
                CertificateId                 = $Node.Thumbprint
                ConfigurationID                = $Node.NodeGuid;
                RefreshMode                    = "PULL";
                AllowModuleOverwrite           = $true
                DownloadManagerName            = "WebDownloadManager";
                RebootNodeIfNeeded             = $true;
                RefreshFrequencyMins           = 15;
                ConfigurationModeFrequencyMins = 15; 
                ConfigurationMode              = "ApplyAndAutoCorrect";
                DownloadManagerCustomData      = @{
                ServerUrl               = "https://vm06.contoso.com:8080/PSDSCPullServer.svc"}
            }
        }
    }
    
    ConfigureTargetLCMs -ConfigurationData $ConfigData -nodename $Node -OutputPath c:\Configs\TargetNodes
    New-DSCCheckSum -path C:\Configs\TargetNodes
    
    
    #REMOTE SET
    Write-Host "Starting CimSession"
    $pwd = read-host
    $pass = ConvertTo-SecureString $pwd -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential ("contoso\user", $pass)
    $cim = New-CimSession -ComputerName $Node -Credential $cred
    
    Write-Host "Writing config"
    Set-DscLocalConfigurationManager -CimSession $cim -Path C:\Configs\TargetNodes -Verbose
    
    # read the config settings back to confirm
    Get-DscLocalConfigurationManager -CimSession $cim
    
    
    #TEST pull
    cd '\\share'
    .\Invoke-PullonNode.ps1 -computername $Node
    cd C:\windows\System32
    
    
    #REMOVE OLD dscConfiguration from node:
    $Session = New-CimSession -ComputerName $node -Credential $cred
    Remove-DscConfigurationDocument -Stage Current -CimSession $Session 
    
    

    Here is the configuration I want the node vm05 to get:

    $ConfigurationData = @{
        AllNodes = @(
            @{
                NodeName="*"
                PSDscAllowPlainTextPassword=$true
                PSDscAllowDomainUser = $true
             }
            @{
                NodeName="vm05"
                NodeGuid = '3f2fb53d-129c-44ff-8fcc-cc2a55ab738b' # $guid #
                CertificateFile = 'C:\Keys\dscSecure.cer'
                Thumbprint = $Thumbprint # '12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797'
             }
        )
    }
    
    Configuration WindowsManagementFrameWork5
    {
    param ([Parameter(Mandatory=$true)] [ValidateNotNullorEmpty()] [PSCredential] $Credential)
    
        
        Import-DscResource –ModuleName PSDesiredStateConfiguration
        Import-DscResource –ModuleName xWindowsUpdate
    
    
        Node $AllNodes.NodeName     
        {        
                    
            xHotfix PowerShell5
            {
                    Ensure = "Present"
                    Id = "KB3134758"
                    Path = "\\share\Win8.1AndW2K12R2-KB3134758-x64.msu"
                    Credential = $cred
            }
        }
    }
    
    WindowsManagementFrameWork5 -ConfigurationData $configurationData -Credential $cred -OutputPath C:\Configs\TargetNodes
    
    #Here I change name of the mof to 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b.mof, then run the:
    New-DSCCheckSum -path C:\Configs\TargetNodes
    
    #Then copy this to the C:\Program Files\WindowsPowerShell\DscService\Configuration. I have made sure that i have both modules zipped with their checksum; xPSDesiredStateConfiguration_3.12.0.0.zip and xWindowsUpdate_2.5.0.0.zip
    
    

    Any tips or advice are welcome!

    Brgs

    Bjørn.

  • #46738
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Based on, "RemoteCertificateNameMismatch, RemoteCertificateChainErrors," I'd say the problem is definitely in the certificate. Either the name on the certificate is wrong, or it isn't chaining up to a trusted CA. So, what happens here, and why the LCM's debug output isn't all that useful, is that the LCM is just asking Windows to establish the connection. That's not happening, and so the LCM itself doesn't have a ton of good data. It just knows it failed. But triple-check the CN on the certificate, and make sure that it's fully trusted by the node.

    In terms of manually setting an SSL cert on the pull server, you just do that in IIS Manager as with any other website. It isn't special.

  • #46859
    Profile photo of Bjørn Roalkvam
    Bjørn Roalkvam
    Participant

    Hi Don,
    Thank you for the reply.

    Ill check the CN on the certificate tomorrow. Europe time 🙂

    So if I get this right, ill need to use two certificates:

    1)
    Pull Server:
    When creating a https Pull Server, the certificate I use her should have the Pull Server in CN right?
    Do I need to transfer the Pull Servers .cer (Public key to the node)?

    2)
    Node:
    I create all node configurations on my Pull Server.

    So when creating a configuration for my node, ill have to use the .cer certificate (public key) from my node's self-signed certificate PFX (has cn=node.domain.com) to encrypt credentials that I have in the configuration so that the node can decrypt the data.

    When setting up the LCM configuration for the node to pull configuration, I use the same certificate (target node's .cer, public key) to set the LCM remotely from Pull Server right?

    Please correct me if I'm wrong, I'm by no means good at certificates.

    Brgs

    Bjørn Roalkvam

  • #46878
    Profile photo of Don Jones
    Don Jones
    Keymaster

    A pull server is just a Web server. The SSL certificate is installed in IIS, and the CN in the certificate must match whatever the clients are using to query the pull server. If they're trying to query https://barney.funland.org, then that's what needs to be the CN in the certificate. Nodes don't get a copy of this any more than you get a copy of Amazon's certificate ;). However, the nodes must TRUST the certificate, which means whatever CA issued it must be configured as a trusted root on the nodes.

    Certificates used to encrypt credentials in a MOF are entirely different. I would focus first on getting your SSL certificate correct. But you've got the basic idea correct. However:

    "I use the same certificate (target node's .cer, public key) to set the LCM remotely from Pull Server right?"

    I don't know what that means. "set the LCM remotely from pull server" doesn't compute for me.

  • #46903
    Profile photo of Bjørn Roalkvam
    Bjørn Roalkvam
    Participant

    Hi Don,

    Thank you, that was clearly explained.

    With the part:

    I use the same certificate (target node's .cer, public key) to set the LCM remotely from Pull Server right?

    I just meant that I'm logged onto the Pull Server and from there using cim to set the node's LCM with:

    $Session = New-CimSession –ComputerName "Server01" –Credential ACCOUNTS\PattiFuller
    Set-DscLocalConfigurationManager -Path "C:\DSC\Configurations\" -CimSession $Session

    But in the LCM configuration I have then used the public key that was exported from the target node's PFX certificate. Is it recommended to encrypt LCM configurations this way?

    brgs

    Bjørn

  • #46941
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Hmm. OK.

    First of all, you don't "remotely set the LCM from the Pull Server." Yes, you can use Set-DscLocalConfigurationManager to remotely configure the LCM, but you can do that from _any_ computer – it doesn't have to be a pull server. In fact, it's almost never the pull server. Here's why: if you _remotely_ log into the pull server (Enter-PSSession), then you're going to have authentication problems reaching the node's LCM. If you're logging into the pull server's console, or via RDP, then _you are doing it wrong_. You really shouldn't be logging into servers that way. That's why Nano doesn't have a console or support RDP. So usually, you're configuring the LCM remotely, either from a workstation, or from an orchestration solution. Or, you're configuring it by means of MOF injection, talking to it through Hyper-V cmdlets, etc.

    So. You're currently bypassing the authentication problem by specifying credentials, but very honestly, this is a poor practice. There's no reason this has to come from the pull server.

    "But in the LCM configuration I have then used the public key that was exported from the target node's PFX certificate. Is it recommended to encrypt LCM configurations this way?"

    I've no idea why you would encrypt the LCM's configuration, no. Yes, you would specify the node-local certificate that it will use to decrypt credentials within a MOF, but I don't know what benefit you would have in encrypting the meta-MOF used to configure the LCM.

  • #46953
    Profile photo of Bjørn Roalkvam
    Bjørn Roalkvam
    Participant

    Hi Don,

    Thanks for pointing that out about not running things from the Pull Server. I have to admit that while testing, I've been logged onto the Pull Server doing all operations.

    I was uncertain about the point of using certificate to encrypt LCM meta. Thanks for clearing that up.

    Brgs

    Bjørn

You must be logged in to reply to this topic.