DSC Pull Server Deploy Errors - xDscWebServiceRegistration

Hello, I created a test lab DSC Pull server using ‘The DSC Book’ / 3.0 OK
However now am wanting to configure a newer release/use https

So, configured a vanilla VM,
Patched, Windows Server 2012 R2 standard
Domain joined, admin rights, UAC disabled
Installed WMF 5.0
xPSDesiredStateConfiguration 5.0
Generated self signed cert using script: https://gallery.technet.microsoft.com/scriptcenter/self-signed-certificate-5920a7c6
Configured ‘pullserver’ MOF using msdn guide: https://msdn.microsoft.com/en-us/powershell/dsc/pullserver (+Also tried using the example config in the module itself)

When I set the config/install I get 3 lines of errors below,
on 2nd re-run no errors but the website is inaccessible: HTTP 503 Service Unavailable, both the pull site and the default site.

Fixing Attempts:
Rebuilt server same issue
Getting same problem with 4.0 xPSDesiredStateConfiguration
Installing IIS and DSC roles prior to mof deploy
Trawling Google/forums but haven’t been able to solve what’s going on…
Turned on debug logging: wevtutil.exe set-log "Microsoft-Windows-Dsc/Analytic" /q:true /e:true
Errors:
Failed attempt number 1 : Couldn’t delete file C:\Windows\System32\Configuration\DSCEngineCache.mof . The error code is 2. The error message is: The system cannot find the file specified.
Have deleted these files from the configuration dir (with no luck); in another post this worked for someone

Having now spent 2 days trying to work this out, I am now reaching out. Am I missing something simple?
Any help muchly appreciated! :)

 
# =================================== Section Pull Server =================================== #
$certificateThumbPrint = 'E957004B8D17ACDE83A15831731CF32DA6F2ED2A'
$RegistrationKey = 'f25ed3f5-adba-4e50-a334-e8b4d094f668'
configuration Sample_xDscWebServiceRegistration
{
    param 
    (
        [string[]]$NodeName = 'localhost',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint,

        [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"            
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                  = "Present"
            EndpointName            = "PSDSCPullServer"
            Port                    = 8080
            PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint   = $certificateThumbPrint
            ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"            
            State                   = "Started"
            DependsOn               = "[WindowsFeature]DSCServiceFeature" 
            RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"   
            AcceptSelfSignedCertificates = $true
            UseSecurityBestPractices = $false
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}

Sample_xDscWebServiceRegistration -NodeName 'PULL.ed.local' -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint


    Directory: C:\temp\Sample_xDscWebServiceRegistration


Mode                LastWriteTime         Length Name                                                                                                               
----                -------------         ------ ----                                                                                                               
-a----       11/27/2016   4:48 PM           4680 PULL.ed.local.mof                                                                                                  



PS C:\temp> Start-DscConfiguration -Path C:\temp\Sample_xDscWebServiceRegistration -Wait -Verbose -Force

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PULL with user sid S-1-5-21-859306304-1798028966-4293564394-1001.
VERBOSE: [PULL]: LCM:  [ Start  Set      ]
VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' started: DSC-Service
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' succeeded: DSC-Service
VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[WindowsFeature]DSCServiceFeature]  in 0.9380 seconds.
VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Installation started...
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Continue with installation?
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing started...
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Prerequisite processing succeeded.
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Installation succeeded.
VERBOSE: [PULL]:                            [[WindowsFeature]DSCServiceFeature] Successfully installed the feature DSC-Service.
VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[WindowsFeature]DSCServiceFeature]  in 35.9670 seconds.
VERBOSE: [PULL]: LCM:  [ End    Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Check Ensure
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] The Website PSDSCPullServer is not present
VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[xDSCWebService]PSDSCPullServer]  in 2.8880 seconds.
VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Create the IIS endpoint
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Setting up endpoint at - https://PULL:8080/PSDSCPullServer.svc
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Checking IIS requirements
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Delete the App Pool if it exists
VERBOSE: [PULL]:                            [[xDSCWebService]PSDSCPullServer] Remove the site if it already exists
A specified logon session does not exist. It may already have been terminated
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.NewItemCommand
    + PSComputerName        : PULL.ed.local
 
VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[xDSCWebService]PSDSCPullServer]  in 1.7960 seconds.
The PowerShell DSC resource '[xDSCWebService]PSDSCPullServer' with SourceInfo '::31::9::xDscWebService' threw one or more non-terminating errors while running the 
Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : PULL.ed.local
 
VERBOSE: [PULL]: LCM:  [ Start  Resource ]  [[File]RegistrationKeyFile]
VERBOSE: [PULL]: LCM:  [ Start  Test     ]  [[File]RegistrationKeyFile]
VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt.
VERBOSE: [PULL]: LCM:  [ End    Test     ]  [[File]RegistrationKeyFile]  in 0.0150 seconds.
VERBOSE: [PULL]: LCM:  [ Start  Set      ]  [[File]RegistrationKeyFile]
VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys.txt.
VERBOSE: [PULL]: LCM:  [ End    Set      ]  [[File]RegistrationKeyFile]  in 0.0000 seconds.
VERBOSE: [PULL]: LCM:  [ End    Resource ]  [[File]RegistrationKeyFile]
VERBOSE: [PULL]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : PULL.ed.local
 
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 47.73 seconds

May I ask why you’re using a self signed certificate, which would be useless to clients?

Hi Don,
It’s for a test environment lab (was planning to have this cert ‘trusted root’ on the clients).
I don’t have any CA certs I can use. Is this likely part of the problem? I guess I can buy one.

Test:
Did some tests with my self-signed cert, added to the IIS ‘default site’, then imported the cert to the client trusted root; this failed, still get a cert warning on browsing, as you pointed out.
I’ve always been a bit stand-offish when it comes to certificates and that jazz. I’ll look into setting up a CA in my domain and issue a certificate that way, and give this another go tomorrow.

It’d be far better to spin up a CA; the problem is that a self-signed certificate is only trusted by the machine that created it. It can’t be readily used to create an HTTPS channel in a pull server, because none of the nodes contacting the pull server are going to trust the certificate. You do need a proper SSL certificate.

You do also have some setup problems.

VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The system cannot find the file specified.
VERBOSE: [PULL]:                            [[File]RegistrationKeyFile] The related file/directory is: C:\Program Files\WindowsPowerShell\DscService\RegistrationKeys

Is telling you that the pull server is missing its registration key file, which is required. Because this is happening during pull server setup, I’d surmise that it’s unable to create the file you specified. You also have a conflict:

        RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"   

and

        DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"

You’re setting up the file in one place, but telling pull server to find it in another place.

You also appear to not have the correct certificate installed in the correct location:

VERBOSE: [PULL]: [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\

Pull server isn’t able to find the certificate thumbprint you specified in the machine repository. Possibly you installed it in the wrong certificate store, or you provided the wrong thumbprint for it.

Cheers Don, appreciate you taking the time to help out.

I set up a CA, issued a certificate, left all other settings the same and it looks OK!
No red errors, https site access OK (from other clients too :) )

So it all came down to the certificate I was attempting to use.
It referenced the correct thumbprint and was in the correct store, but something else was definitely wrong with it.
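
Added example, not part of the thread and not code from the xPSDesiredStateConfiguration module: a pre-flight check that looks past "right thumbprint, right store" at the other properties an HTTPS binding and its clients depend on. The function name `Test-PullServerCertificate` is hypothetical; the thumbprint and host name in the usage line are the ones posted above.

```powershell
# Added example (not from the thread). Test-PullServerCertificate is a hypothetical helper name.
function Test-PullServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [Parameter(Mandatory = $true)] [string] $HostName   # name nodes put in the pull server URL
    )

    # xDscWebService looks the thumbprint up in the machine store, not the user store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; InStore = $false }
    }

    # Build the chain in machine context; a self-signed cert only passes if it is itself
    # in Trusted Root Certification Authorities on the machine doing the check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: lab CA has no reachable CRL
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1); no EKU extension means any purpose.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $serverAuth = (-not $eku) -or ($ekuOids -contains '1.3.6.1.5.5.7.3.1')

    # DnsNameList is added by the PowerShell certificate provider (subject CN plus DNS SANs).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = [bool]($names | Where-Object { $HostName -like $_ })   # -like approximates *.domain

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        InStore       = $true
        HasPrivateKey = $cert.HasPrivateKey   # HTTP.sys needs the machine-store private key to bind
        InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        SelfSigned    = $cert.Subject -eq $cert.Issuer
        ChainTrusted  = $chainOk
        ChainErrors   = $chainErrors
        ServerAuthEku = $serverAuth
        NameMatches   = $nameOk
    }
}

# Run elevated on the pull server before Start-DscConfiguration.
Test-PullServerCertificate -Thumbprint 'E957004B8D17ACDE83A15831731CF32DA6F2ED2A' -HostName 'PULL.ed.local'
```

The chain result reflects the trust store of the machine it runs on, so run the same chain check on a node after exporting the public certificate there to confirm the clients trust the issuing CA.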

Hi Ed,

I am having a very similar problem, so I’m hoping you still read these forums and see this!

How did you issue your certificate for your Pull Server, and how did you then import it on your Pull Server? I keep thinking I am doing it correctly but I get the same “specified logon” error you do :(

Thanks,

Formica

Hiya

Sure do.
Make sure you use a cert trusted on the domain, not self-signed certs. I did this by setting up the CA role on one of my servers.
Then start the config from scratch with the new CA cert.

Cheers
Ed