All, I am having issues accessing the pull server over the SSL port. HTTP works fine. A public SSL certificate is being used. I can browse to the pull server URL without any certificate errors or warnings.
Registration of the Dsc Agent with the server https://xxxx.xxxx.com:8080/PSDSCPullserver.svc failed. The underlying error is: Failed to
register Dsc Agent with AgentId 9BBDFD2F-A215-11E6-80E2-005056996E1C with the server
https://xxxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'). .
+ CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : RegisterDscAgentCommandFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
+ PSComputerName : localhost
Hi Don, yes I do delete the pull server database when I rebuild the site. There are no SSL errors that I see in a browser. But I’ve just checked the IIS logs and it does not appear that requests are being logged when DSC tries to connect to the server.
Client protocol version is invalid. Request header should contain ProtocolVersion {0}.
Client protocol version is invalid. Request header should contain ProtocolVersion 2.0.
Client protocol version is invalid. Request header should contain ProtocolVersion 2.0.
System.ArgumentException
My guess now is that it could be UseSecurityBestPractices=$true and the client and server ciphers don’t match up.
then I no longer have issues when building a new pull server. Unfortunately, setting UseSecurityBestPractices=$false or applying a config with DisableSecurityBestpractices won’t undo the previous registry settings for an existing pull server. To fix an existing pull server where UseSecurityBestPractices=$true was run, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
and delete any keys you don’t want (you can compare with a clean server build, but basically deleting anything with TLS in the name fixed the issue for me, and they weren’t there before applying the config with UseSecurityBestPractices=$true). I haven’t narrowed it down yet to see which registry settings out of the TLS ones were causing the problem, but it does take a reboot after deleting those keys for it to take effect.
Found the problem as far as I can tell after a lot of head scratching.
It seems that when the TLS keys are created in the registry by using the security best practices it doesn’t include the TLS 1.1 and/or TLS 1.2 Client regkeys, only the Server regkeys.
This is kind of weird, did a revert of the snapshots (before any DSC was installed) of my VMs.
Redid the whole setup and now there was no problem running the registration.
The above regkey worked when I had the issue but now I’m not sure why there was a problem in the first place.
Even removing the key afterwards didn’t cause it to break, really weird.
, also went to the registry and created the value [TLSX.X/Client]"Enabled"=dword:00000001 under all TLS keys (as Frederik Kacsmarck states) and rebooted. Did not work. Afterwards, I deleted the TLSX.X keys from the registry (as Jeff suggests), rebooted and it did not work either.
The message when setting the LCM on a node is still the same:
Error registering the DSC agent with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc. The inner error is: Could not register DSC Agent with AgentId
09AC59BC-90C1-11E8-A14F-000C296AF402 with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Nodes(AgentId='09AC59BC-90C1-11E8-A14F-000C296AF402')..
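
An added example, not code from any poster in this thread: a read-only PowerShell audit of the SCHANNEL\Protocols key named above. It lists each protocol's Client and Server subkeys and flags the layout one reply describes, where the Server subkey exists but the Client subkey does not. The function names and the ServerOnly column are hypothetical.

```powershell
# Added example: read-only audit of the SCHANNEL protocol keys discussed in this thread.
# Function names are hypothetical; nothing here writes to the registry.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelRoleState {
    param(
        [Parameter(Mandatory)] [string] $ProtocolPath,
        [Parameter(Mandatory)] [ValidateSet('Client', 'Server')] [string] $Role
    )
    $rolePath = Join-Path -Path $ProtocolPath -ChildPath $Role
    if (-not (Test-Path -LiteralPath $rolePath)) {
        return 'absent'                       # no subkey: the OS default applies
    }
    $values = Get-ItemProperty -LiteralPath $rolePath
    # Report the raw values so a disabled role (Enabled=0) is visible as such
    $parts = foreach ($name in 'Enabled', 'DisabledByDefault') {
        $v = $values.$name
        if ($null -ne $v) { "$name=$v" }
    }
    if (-not $parts) { return 'present, no values' }
    return ($parts -join ', ')
}

function Get-SchannelProtocolAudit {
    param([string] $Root = $SchannelRoot)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Key not found: $Root"
        return
    }
    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        $client = Get-SchannelRoleState -ProtocolPath $key.PSPath -Role Client
        $server = Get-SchannelRoleState -ProtocolPath $key.PSPath -Role Server
        [pscustomobject]@{
            Protocol   = $key.PSChildName
            Client     = $client
            Server     = $server
            # Layout described in the thread: Server subkey written, Client subkey missing
            ServerOnly = ($server -ne 'absent' -and $client -eq 'absent')
        }
    }
}

Get-SchannelProtocolAudit | Sort-Object Protocol | Format-Table -AutoSize
```

Comparing its output on the affected server with a clean build, as one reply suggests, shows which keys the configuration added.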