DSC Https Pull Server - An error occurred while sending the request

Hello,
I’ve been struggling for two weeks with the DSC Pull Server configuration. I had no success configuring an http/https pull server, neither with the ConfigurationId approach nor using ConfigurationNames.
The SMB pull server was the only server configuration that worked for me, but I aspire to https.
I’ve ruled out some common mistakes I’ve read about in other powershell.org posts, documentation and forums:

  • Checking remoting is enabled
  • Avoiding self-signed certificates (I used IIS Management Console and a Root CA certificate to issue an appropriate server certificate)
  • Checking Windows Management Framework (WMF) versions for node-server incompatibilities
  • Checking .NET Framework 4.5.2 or above is installed on Server 2012 for WMF 5.1 to work well
  • Verifying the web service, either using the Verify-DSCPullServer function or pasting the URL https://[pullserver]:8080/PSDSCPullServer.svc in the browser, then checking there aren't SSL warnings and the certificate is valid
The following are the machine configurations for my server and nodes:

Server 2012 + WMF 5.1
Name Value
---- -----
PSVersion 5.1.14409.1012
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14409.1012
CLRVersion 4.0.30319.36440
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Client Windows 10 Pro 1709
Name Value
---- -----
PSVersion 5.1.16299.547
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
BuildVersion 10.0.16299.547
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Configuration Id Approach

  1. Server Configuration. I'm using xPSDesiredStateConfiguration 8.4.0.0 and the xDscWebService resource to configure the server, this way:

    configuration HTTPSPullServer
    {
        param
        (
            [string[]]$NodeName = 'localhost',

            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint
        )

        # Modules must exist on target pull server
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration

        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"
            }

            # IIS Console
            WindowsFeature IISConsole
            {
                Ensure = "Present"
                Name   = "Web-Mgmt-Console"
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                   = "Present"
                EndpointName             = "PSDSCPullServer"
                Port                     = 8080
                PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint    = $certificateThumbPrint
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State                    = "Started"
                DependsOn                = "[WindowsFeature]DSCServiceFeature"
                UseSecurityBestPractices = $true
            }
        }
    }

    # Generate the MOF and push it to the server
    HTTPSPullServer -NodeName vmdt01 -certificateThumbPrint '712FCD316ED524F785186DD144DD445A47CB66A5' -OutputPath E:\DSC\HTTPS\

    Start-DscConfiguration -ComputerName vmdt01 -Path E:\DSC\HTTPS -Verbose -Wait -Force


    (I’ve tried different combinations of the UseSecurityBestPractices and DisableSecurityBestPractices properties without success)


  2. Clients LCM Configuration (using the ConfigurationId approach)

    [DSCLocalConfigurationManager()]
    Configuration PullW10ClientsConfigId
    {
        param
        (
            [Parameter(Mandatory=$true)]
            [string[]]$ComputerName,

            [Parameter(Mandatory=$true)]
            [string]$guid
        )

        Node $ComputerName
        {
            Settings
            {
                RefreshMode          = 'Pull'
                RefreshFrequencyMins = 30
                ConfigurationMode    = 'ApplyAndAutoCorrect'
                RebootNodeIfNeeded   = $true
                ConfigurationID      = $guid
            }

            ConfigurationRepositoryWeb DSCHTTPS
            {
                ServerURL     = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                CertificateID = '712FCD316ED524F785186DD144DD445A47CB66A5'
            }

            ReportServerWeb ReportServer
            {
                ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                CertificateID           = '712FCD316ED524F785186DD144DD445A47CB66A5'
                AllowUnsecureConnection = $True
            }
        }
    }
  3. Rename the MOF files to match the ConfigurationId and generate the checksums with
    New-DscChecksum
  4. When I try to do
    Update-DscConfiguration -ComputerName vcontab1-w10 -Wait -Verbose
    I get the following errors and stack trace on the event viewer: Trabajo {B3C00709-9C7A-11E8-ACE3-000C2991FEC5}: Comando Do-DscAction de WebDownloadManager para configuración e2665f67-3a61-4989-9870-616a065298d6, resultado de llamada GET: + FullyQualifiedErrorId : WebDownloadManagerGetActionFailed + CategoryInfo : InvalidResult: (:) [], InvalidOperationException + ExceptionMessage : No se pudo obtener la acción del servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Action(ConfigurationId='e2665f67-3a61-4989-9870-616a065298d6')/GetAction. + InnerException : System.AggregateException: Se han producido uno o varios errores. ---> System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult) en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- --- Fin del seguimiento de la pila de la excepción interna --- en System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) en Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(IHttpClient client, String subLink, String& 
responseStatus, ErrorRecord& errorRecord) ---> (Nº de excepción interna 0) System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult) en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna ---<---

    Where the errors in English are:

    System.Net.Http.HttpRequestException: An error occurred while sending the request
    System.Net.WebException: The underlying connection was closed: unexpected error
    System.IO.IOException: Cannot write data to the transport connection: The remote host forced the interruption of an existing connection

Whilst if I use the Configuration Names approach I get the error earlier, during node registration.

Configuration Name Approach

  1. Server Configuration

    configuration HTTPSPullServer
    {
        param
        (
            [string[]]$NodeName = 'localhost',

            [ValidateNotNullOrEmpty()]
            [string] $certificateThumbPrint,

            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
        )

        # Modules must exist on target pull server
        Import-DSCResource -ModuleName xPSDesiredStateConfiguration

        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = "Present"
                Name   = "DSC-Service"
            }

            # IIS Console
            WindowsFeature IISConsole
            {
                Ensure    = "Present"
                Name      = "Web-Mgmt-Console"
                DependsOn = '[File]RegistrationKeyFile'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure                   = "Present"
                EndpointName             = "PSDSCPullServer"
                Port                     = 8080
                PhysicalPath             = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
                CertificateThumbPrint    = $certificateThumbPrint
                ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                RegistrationKeyPath      = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
                State                    = "Started"
                DependsOn                = "[WindowsFeature]DSCServiceFeature"
                UseSecurityBestPractices = $true
            }

            File RegistrationKeyFile
            {
                Ensure          = 'Present'
                Type            = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents        = $RegistrationKey
            }
        }
    }

    Generate the MOF:

    HTTPSPullServer -NodeName vmdt01 -certificateThumbPrint '9F00EDBDFB791C7AAD9200E9E0BA8FD59684B419' -RegistrationKey 'e2665f67-3a61-4989-9870-616a065298d6' -OutputPath E:\DSC\HTTPS\

    Start-DscConfiguration -ComputerName vmdt01 -Path E:\DSC\HTTPS -Verbose -Wait -Force

  2. Client LCM (Configuration Name Approach)

    [DSCLocalConfigurationManager()]
    Configuration PullW10ClientsConfigNames
    {
        param
        (
            [ValidateNotNullOrEmpty()]
            [string] $NodeName = 'localhost',

            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey   # same as the one used to set up the pull server in the previous configuration
        )

        Node $NodeName
        {
            Settings
            {
                RefreshMode          = 'Pull'
                RefreshFrequencyMins = 30
                ConfigurationMode    = 'ApplyAndAutoCorrect'
                RebootNodeIfNeeded   = $true
            }

            ConfigurationRepositoryWeb DSCHTTPS
            {
                ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                RegistrationKey         = $RegistrationKey
                ConfigurationNames      = @('w10client')
                AllowUnsecureConnection = $true
            }

            ReportServerWeb ReportServer
            {
                ServerURL               = 'https://vmdt01.dggh.es:8080/PSDSCPullServer.svc'
                CertificateID           = '712FCD316ED524F785186DD144DD445A47CB66A5'
                AllowUnsecureConnection = $True
            }
        }
    }

    Create the Computer.Meta.Mof in the folder:

    PullW10ClientsConfigNames -NodeName vcontab1-w10 -RegistrationKey 'e2665f67-3a61-4989-9870-616a065298d6' -OutputPath E:\DSC\HTTPS

    Set-DscLocalConfigurationManager -ComputerName vcontab1-w10 -Path E:\DSC\HTTPS -Verbose


    At this point, I get an error saying the DSC agent with a specific AgentId could not be registered on the server.

    Here’s the event log, throwing the same errors as in the ConfigurationId approach:

    Trabajo {0EE9AD70-9C80-11E8-ACE3-000C2991FEC5} : el cliente HTTP 3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5 no pudo registrar el agente de Dsc: + FullyQualifiedErrorId : RegisterDscAgentCommandFailed + CategoryInfo : InvalidResult: (:) [], InvalidOperationException + ExceptionMessage : No se pudo registrar el agente de Dsc con AgentId 3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5 con el servidor https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Nodes(AgentId='3A1CC07C-9BC1-11E8-ACE3-000C2991FEC5'). + InnerException : System.AggregateException: Se han producido uno o varios errores. ---> System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult) en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- --- Fin del seguimiento de la pila de la excepción interna --- en System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) en Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord) ---> (Nº de excepción interna 0) 
System.Net.Http.HttpRequestException: Error al enviar la solicitud. ---> System.Net.WebException: Se ha terminado la conexión: Error inesperado de envío. ---> System.IO.IOException: No se puede escribir datos de en la conexión de transporte: Se ha forzado la interrupción de una conexión existente por el host remoto. ---> System.Net.Sockets.SocketException: Se ha forzado la interrupción de una conexión existente por el host remoto en System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult) en System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) en System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna --- en System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) en System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) --- Fin del seguimiento de la pila de la excepción interna ---<---
May somebody in the PowerShell Community or the DevOps Collective Inc. give me a hint of where the matter could be? Is there an issue with the security protocols? Might it be something related to the Server 2012 OS, which was the first version that supported DSC? I'm lost here.

Use Wireshark on the client to monitor the negotiation of the session. The errors look to me like they could be due to TLS negotiation errors. e.g. the server is expecting TLS 1.2 or higher and the client is requesting 1.0 or lower.

I’ve not done a lot with DSC but I’m seeing a few .NET applications failing to connect to some servers now. Fixing it usually involves updating either the client software (which has been built using a later version of .NET framework) or upgrading the .NET framework itself.

Googling some articles on PowerShell and TLS it looks like it may default to TLS 1.0.

On my fully patched Windows 10 an Invoke-WebRequest to PowerShell.org fails. Wireshark shows it attempts to use TLS 1.0:

TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 113
Handshake Protocol: Client Hello

This is immediately followed by the site sending a RST, closing the connection.

You can force PowerShell to use a newer version with

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The Invoke-WebRequest to PowerShell.org then succeeds:

TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 197
Handshake Protocol: Client Hello

TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 89
Handshake Protocol: Server Hello

I assume setting SecurityProtocol type will be honoured by DSC but I don’t have a set up to test it on.
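A client-side way to test the TLS hypothesis above, and at the same time whether the node trusts the certificate the server presents. This is an added example, not code from the thread or from either participant. It assumes the host name and port used throughout the thread (vmdt01.dggh.es:8080), Windows PowerShell 5.1 on the node, and no client certificate; it tries one TLS version per handshake, so a server that resets the connection on every ClientHello shows up as a failed handshake for each version, and a plaintext HTTP probe then tells whether port 8080 is in fact answering http rather than https:

```powershell
# Added example (not from the thread). Probe TLS on the pull server endpoint
# from a node and report what the server negotiates and presents.
$PullServer = 'vmdt01.dggh.es'   # host/port from the thread; adjust as needed
$Port       = 8080

function Test-TlsHandshake {
    # One handshake with exactly one protocol version enabled. A server RST
    # surfaces here as "An existing connection was forcibly closed by the remote host".
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $TargetPort)
        # Diagnostic only: accept whatever certificate arrives so we can inspect it.
        # Trust is evaluated separately by Test-ServerCertChain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient(
            $TargetHost,
            (New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection),
            $Protocol,
            $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Requested   = $Protocol
            Negotiated  = $ssl.SslProtocol
            Cipher      = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            Thumbprint  = $cert.Thumbprint
            Certificate = $cert
            Error       = $null
        }
    }
    catch {
        [pscustomobject]@{
            Requested   = $Protocol
            Negotiated  = $null
            Cipher      = $null
            Thumbprint  = $null
            Certificate = $null
            Error       = $_.Exception.GetBaseException().Message
        }
    }
    finally {
        $tcp.Close()
    }
}

function Test-ServerCertChain {
    # Build the chain with this node's LocalMachine stores, i.e. what the LCM sees.
    # Any ChainStatus entry means the node does not trust the certificate as presented.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

function Test-PlaintextHttp {
    # If the port answers a plaintext HTTP request, the IIS binding there is http,
    # not https, which explains a RST on every TLS ClientHello.
    param([string]$TargetHost, [int]$TargetPort)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $TargetPort)
        $stream = $tcp.GetStream()
        $stream.ReadTimeout = 3000
        $request = [Text.Encoding]::ASCII.GetBytes("HEAD /PSDSCPullServer.svc HTTP/1.0`r`nHost: $TargetHost`r`n`r`n")
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 512
        $read = $stream.Read($buffer, 0, $buffer.Length)
        return ([Text.Encoding]::ASCII.GetString($buffer, 0, $read) -split "`r`n")[0]
    }
    catch {
        return "no plaintext HTTP answer: $($_.Exception.GetBaseException().Message)"
    }
    finally { $tcp.Close() }
}

$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -TargetHost $PullServer -TargetPort $Port -Protocol $p
}
$results | Format-Table Requested, Negotiated, Cipher, Thumbprint, Error -AutoSize

$ok = $results | Where-Object { $_.Negotiated } | Select-Object -First 1
if ($ok) {
    Test-ServerCertChain -Certificate $ok.Certificate | Format-List
} else {
    "No TLS version accepted on ${PullServer}:$Port; checking for a plaintext listener:"
    Test-PlaintextHttp -TargetHost $PullServer -TargetPort $Port
}
```

Three outcomes are worth telling apart: only Tls12 succeeds (the client default needs raising, as the post above suggests), every version fails with a forcibly-closed error while the plaintext probe gets an HTTP status line (the port is not an https binding), and a handshake succeeds but Test-ServerCertChain reports a status such as UntrustedRoot (the CA certificate is missing from the node's trusted root store).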


Hello Matt,

thank you for your answer.

I used Wireshark when trying to register a node client from the server and it seems to be an issue with the decryption on the client side. The only TLS 1.2 traffic I see is due to an RDP connection.

You can get the Wireshark traffic logs (to be deleted) and filter them by ‘http and tcp.port==5985’

Let me point anyway some outstanding info:

The request to register the node is sent using WinRM, which is HTTP over port 5985 to an OData service. The request

POST http://[node]:5985/wsman

includes some security encrypted information:

>GSS-API Generic Security Service Application Program Interface

OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)

>Authenticator

etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)

cipher: 31f873aa4a7057309dcf46fdf2cf56ebceef6b11d51e22c6...

Then, the response says:

>MIME Multipart Media Encapsulation, Type: multipart/encrypted, Boundary: "Encrypted Bundary"

The multipart dissector could not decrypt the message

Is that due to the protocol version or the decryption algorithm?

 

With regard to TLS, I tried before to configure protocols on the client and the server, and make them coherent. Changing [Net.ServicePointManager]::SecurityProtocol is fine to do some checks, but it’s not a definitive solution because the value gets reset when you exit the shell.

You have to modify some registry settings to enable or disable protocols.
There’s some Microsoft documentation about TLS registry settings, but I find it delicate changing these values.

In this post, there’s an explanation of how to force a specific protocol to be used in PowerShell. There’s even a link to an application that does it for you. Nevertheless, I can’t get it working.

I’ll keep trying some more configs and asking for help.

Regards
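The registry values that make the per-session SecurityProtocol change permanent, as an added example and not code from the thread or from the poster: it audits, and on request sets, the SCHANNEL TLS 1.2 keys for the client and server roles together with the .NET Framework 4.x SchUseStrongCrypto and SystemDefaultTlsVersions values, which are what make a .NET HTTP client (the LCM's included) stop defaulting to TLS 1.0 without any code change. Paths and value names are the ones Microsoft documents for TLS on the .NET Framework; the grouping into a desired-state table and the two function names are mine. Assumptions: run elevated, .NET Framework 4.6 or later for SystemDefaultTlsVersions to be honoured, and a reboot after the SCHANNEL changes. Setting UseSecurityBestPractices = $true in xDscWebService is, as I understand the resource (the thread does not establish this), what hardens the server's SCHANNEL settings, so the client side has to be able to speak TLS 1.2:

```powershell
# Added example (not from the thread). Audit and optionally set the registry
# state that makes TLS 1.2 the default for SCHANNEL and .NET Framework clients.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnet   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Desired state: TLS 1.2 enabled for both roles, and .NET 4.x told to use the
# OS defaults / strong crypto so HttpClient inside the LCM does not pick TLS 1.0.
$desired = @(
    foreach ($role in 'Client', 'Server') {
        [pscustomobject]@{ Path = "$schannel\TLS 1.2\$role"; Name = 'Enabled';           Value = 1 }
        [pscustomobject]@{ Path = "$schannel\TLS 1.2\$role"; Name = 'DisabledByDefault'; Value = 0 }
    }
    foreach ($path in $dotnet) {
        [pscustomobject]@{ Path = $path; Name = 'SchUseStrongCrypto';       Value = 1 }
        [pscustomobject]@{ Path = $path; Name = 'SystemDefaultTlsVersions'; Value = 1 }
    }
)

function Get-TlsRegistryState {
    # Compare each desired value with what the registry currently holds.
    # A missing value is reported as $null (SCHANNEL then uses the OS default).
    foreach ($d in $desired) {
        $current = $null
        if (Test-Path $d.Path) {
            $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        }
        [pscustomobject]@{
            Path      = $d.Path
            Name      = $d.Name
            Current   = $current
            Desired   = $d.Value
            Compliant = ($current -eq $d.Value)
        }
    }
}

function Set-TlsRegistryState {
    # Create missing keys and write the desired DWORDs. Requires elevation.
    foreach ($d in $desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
    }
    Write-Warning 'Reboot for the SCHANNEL protocol changes to take effect.'
}

# Review first; apply only the rows that are not compliant.
Get-TlsRegistryState | Format-Table Path, Name, Current, Desired, Compliant -AutoSize
# Set-TlsRegistryState
```

Run the audit on both the node and the pull server: a non-compliant row on the node explains a client that still offers TLS 1.0, while the same row on the server is only relevant once the https binding itself is answering TLS.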

Thanks for the capture. The WinRM traffic looks OK.

You can see from the capture that the client tries to establish the connection on port 8080 but that the server is sending a RST. No HTTPS negotiation is taking place.

Can you run a new capture with AllowUnsecureConnection set to $false, just for comparison?

My inclination would then be to go back to basics. Configure your pull server, a new one if necessary, with HTTP only and get that working.

 

Hello again,

I could get it running with non-secure http!

At first, I got an Internal Server Error, and with Wireshark I could trace the error:

Provider 'Microsoft.Jet.OLEDB.4.0' not registered on the local machine.
I read that version of the driver is not compatible with my 64-bit OS, so I installed Microsoft Access Database Engine 2016, and changed the connection string setting for the driver to version = Microsoft.ACE.OLEDB.12.0

In fact, I used xWebConfigKeyValue DSC resource of xWebAdministration module to configure it this way:

xWebConfigKeyValue CorrectDBConnectionStr
{
    ConfigSection = 'AppSettings'
    Key = 'dbconnectionstr'
    Value = 'Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Program Files\WindowsPowerShell\DscService\Devices.mdb;'
    WebsitePath = 'IIS:\sites\PSDSCPullServer'
    DependsOn = '[xDSCWebService]PSDSCPullServer'
}

Finally, I could make it run on a basic http configuration

I was hoping the driver update fixed the thing for https as well, but, unfortunately, I’m still having the same problems. I leave you two more captures from a client (when trying to be registered to the pull server), one using http, which succeeds, and another using https, which fails.

I wonder if there’s something wrong with the certificate I generated that might be causing this. But I can’t figure out what could that be. I generated a server certificate from IIS Management Console using our own Certification Authority (CA). The result is a valid certificate and I ensured the involved nodes do trust the CA.

The only thing I find strange is that when I request through a browser the URL for the secured pull server (https://vmdt01.dggh.es:8080/PSDSCPullServer.svc) I’m prompted to choose a certificate in my machine to identify myself. That’s not a normal SSL-secured web behaviour.

Thank you for your help so far

Apologies, I was out last night so didn’t get a chance to pick up the captures. Glad HTTP is working.

Still not seeing any attempt at TLS negotiation in the captures. Can you check if the certificate is definitely bound to port 8080 in the IIS settings?

If I get time over the weekend (it’s a long weekend in the UK, yay!) I’ll spin up a lab and see if I can recreate your scenario.
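The binding check asked for above, as an added example to run on the pull server and not code from the thread or from either participant. It assumes the WebAdministration module (installed with the IIS console the thread's configuration adds), the site name PSDSCPullServer and port 8080 from the thread, and one of the two thumbprints the thread uses (9F00..., the one certutil later reports; the ConfigurationId example used 712F..., and whichever is bound must match what the clients were configured with); it lists the site's bindings, warns when port 8080 is not an https binding or is bound to a different certificate, shows the HTTP.SYS view with netsh, and checks the certificate itself for a private key, the Server Authentication EKU and a matching DNS name:

```powershell
# Added example (not from the thread). Verify the https binding on the pull
# server and the certificate behind it.
Import-Module WebAdministration

$SiteName           = 'PSDSCPullServer'                           # from the thread
$Port               = 8080                                        # from the thread
$ExpectedThumbprint = '9F00EDBDFB791C7AAD9200E9E0BA8FD59684B419'  # from the thread

function Get-PullServerBinding {
    # Each binding of the site: protocol, port and (for https) the attached thumbprint.
    Get-WebBinding -Name $SiteName | ForEach-Object {
        [pscustomobject]@{
            Protocol   = $_.protocol
            Binding    = $_.bindingInformation
            Port       = [int](($_.bindingInformation -split ':')[1])
            Thumbprint = $_.certificateHash
            Store      = $_.certificateStoreName
        }
    }
}

function Test-PullServerCertificate {
    # The server certificate must sit in LocalMachine\My with its private key,
    # carry the Server Authentication EKU and name the host the clients use.
    param([string]$Thumbprint, [string]$HostName)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return [pscustomobject]@{ Thumbprint = $Thumbprint; Found = $false } }
    $dnsNames = $cert.DnsNameList | ForEach-Object { $_.Unicode }
    $ekus     = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Found         = $true
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        NameMatches   = ($dnsNames -contains $HostName)
        NotAfter      = $cert.NotAfter
        DnsNames      = ($dnsNames -join ', ')
    }
}

$bindings = Get-PullServerBinding
$bindings | Format-Table -AutoSize

$httpsOnPort = $bindings | Where-Object { $_.Port -eq $Port -and $_.Protocol -eq 'https' }
if (-not $httpsOnPort) {
    Write-Warning "No https binding on port $Port for site ${SiteName}: a TLS ClientHello to this port gets no TLS answer."
} elseif ($httpsOnPort.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning "Bound thumbprint $($httpsOnPort.Thumbprint) differs from the expected $ExpectedThumbprint."
}

# HTTP.SYS is what terminates TLS for IIS; its view must agree with the site binding.
netsh http show sslcert ipport=0.0.0.0:$Port

Test-PullServerCertificate -Thumbprint $ExpectedThumbprint -HostName 'vmdt01.dggh.es' | Format-List
```

If the netsh output shows no entry for 0.0.0.0:8080 while IIS lists an https binding, the binding exists in the site configuration but TLS was never registered with HTTP.SYS, which gives exactly the reset-without-negotiation pattern seen in the captures.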


Can you export the pull server certificate (without private key) and copy to a node…

then run:

certutil -verify -urlfetch certificatename.cer

and paste the output here?

Thanks,

Mike

Hello Mike,

here it is, with some interleaved Spanish lines :slight_smile:

Emisor:
CN=Gargallo Hotels CA
DC=dggh
DC=es
Hash de nombre(sha1): 375d1731ce1ecba03d452db3a0646728be014ea1
Hash de nombre(md5): e47f7178037ccb030a34b05c099e6036
Sujeto:
CN=vmdt01.dggh.es
OU=IT
O=Gargallo Hotels S.L
L=Barcelona
S=Barcelona
C=ES
Hash de nombre(sha1): 94be95ba23a62d5afa60aa3acb3d4e33666284f9
Hash de nombre(md5): dda648e4360045c04e84a650ae756007
Nº. de serie de cert.: 610ed1df000000000005

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 56 Minutes, 11 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 56 Minutes, 11 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
NotBefore: 25/07/2018 14:16
NotAfter: 24/07/2020 14:16
Subject: CN=vmdt01.dggh.es, OU=IT, O=Gargallo Hotels S.L, L=Barcelona, S=Barcelona, C=ES
Serial: 610ed1df000000000005
Template: WebServer
Cert: 9f00edbdfb791c7aad9200e9e0ba8fd59684b419
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
----------------  Certificado AIA  ----------------
Comprobado "Certificado (0)" Tiempo: 0 a48d41b6cfa9d976f43a9fb62a96d82a62a22841
[0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?cACertificate?base?objectClass=certificationAuthority

----------------  Certificado CDP  ----------------
Comprobado "CRL de base (1d)" Tiempo: 0 af43afa887be98a9f3d3cfc4918e859cb39eda12
[0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?certificateRevocationList?base?objectClass=cRLDistributionPoint

Comprobado "Diferencia CRL (1d)" Tiempo: 0 bf180198e6408a713e46ce1edc350f3a2ce55ddd
[0.0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?deltaRevocationList?base?objectClass=cRLDistributionPoint

----------------  CDP de CRL base  ----------------
Aceptar "Diferencia CRL (1f)" Tiempo: 0 bf180198e6408a713e46ce1edc350f3a2ce55ddd
[0.0] ldap:///CN=Gargallo%20Hotels%20CA,CN=vmdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dggh,DC=es?deltaRevocationList?base?objectClass=cRLDistributionPoint

----------------  OCSP de certificado  ----------------
No hay direcciones URL "Ninguno" Tiempo: 0 (null)
--------------------------------
CRL 1d:
Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
ThisUpdate: 22/08/2018 13:56
NextUpdate: 30/08/2018 2:16
CRL: af43afa887be98a9f3d3cfc4918e859cb39eda12
Delta CRL 1f:
Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
ThisUpdate: 24/08/2018 13:57
NextUpdate: 26/08/2018 2:17
CRL: bf180198e6408a713e46ce1edc350f3a2ce55ddd
Application[0] = 1.3.6.1.5.5.7.3.1 Autenticación del servidor

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Gargallo Hotels CA, DC=dggh, DC=es
NotBefore: 25/07/2018 13:56
NotAfter: 25/07/2028 14:06
Subject: CN=Gargallo Hotels CA, DC=dggh, DC=es
Serial: 3d0d0c6df8f52a8744157cf4abfc3d02
Template: CA
Cert: a48d41b6cfa9d976f43a9fb62a96d82a62a22841
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
----------------  Certificado AIA  ----------------
No hay direcciones URL "Ninguno" Tiempo: 0 (null)
----------------  Certificado CDP  ----------------
No hay direcciones URL "Ninguno" Tiempo: 0 (null)
----------------  OCSP de certificado  ----------------
No hay direcciones URL "Ninguno" Tiempo: 0 (null)
--------------------------------

Exclude leaf cert:
Chain: 4fc5415621fc8b5c8a8fc732d40a314ed82b6fc5
Full chain:
Chain: 1e4897352b42447faa4777cb768b6be52612121b
------------------------------------
Directivas de emisión comprobadas: Ninguno
Directivas de aplicación comprobadas:
1.3.6.1.5.5.7.3.1 Autenticación del servidor
La comprobación de revocación del certificado de hoja ha sido correcta

Don’t worry Matt, I’ll be one week off too and resume afterwards.

For the moment, I’m happy it worked on http. I also downgraded Microsoft Access Database Engine to 2012, since I was experiencing some errors causing the application pool for the pull server service to stop.

I achieved some progress securing mof files and using partial configuration. The final touch will be securing communications.

By the way, the certificate is bound to port 8080 on IIS settings.

I did manage to build a lab for this, this week, a bit later than planned.

Although I had a few problems (due to my inexperience with DSC), I couldn’t replicate your error.

My lab consisted of a Domain Controller, also acting as my root CA; a DSC pull server running Windows 2012 R2, fully patched and with WMF 5.1 installed and a Windows 10 Pro client (1803).

I used the configuration ID approach as in your first example and used your script to configure my pull server.

I created a slightly different configuration file and, following examples online, used the following command to set up the LCM:

Set-DSCLocalConfigurationManager localhost -Path .\PullW10ClientsConfigNames\ -Verbose

 

Hello Matt,

I’m back. Thank you for your time trying to reproduce the error.

There are some slight differences between our environments. I run a Server 2012 (not the R2 release), but I remember trying on an R2 as well to rule out whether the problem was the OS version, with no results.

And the client build also differs (1803 vs 1709). I’ll update my W10 and tell you.

Did you have to deal with changing the TLS protocol on the client?

For now I’m working with unsecured communications but secure credentials in MOF documents. I’ll leave the secure-communication step on stand-by and resume it later. I’ll let you know any progress.

Regards

I couldn’t see any issues with the certutil output, sorry.

Is the root cert from your CA on the node attempting to pull down the config via HTTPS?

You should be able to open https://vmdt01.dggh.es:8080/PSDSCPullServer.svc with no problems.