DSC Pull Server with SSL - unable to register

All, I am having issues accessing pull server over SSL port. HTTP works fine. Public SSL certificate is being used. I can browse to the pull server URL without any certificate errors or warnings.

The following configuration works:

configuration Sample_xDscPullServer
{ 
    param  
    ( 
            [string[]]$NodeName = 'localhost', 

            [ValidateNotNullOrEmpty()] 
            [string] $certificateThumbPrint
     ) 


     Import-DSCResource -ModuleName xPSDesiredStateConfiguration
     Import-DSCResource -ModuleName PSDesiredStateConfiguration

     Node $NodeName 
     { 
         WindowsFeature DSCServiceFeature 
         { 
             Ensure = 'Present'
             Name   = 'DSC-Service'             
         } 

         xDscWebService PSDSCPullServer 
         { 
             Ensure                   = 'Present' 
             EndpointName             = 'PSDSCPullServer' 
             Port                     = 8080 
             PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer" 
             CertificateThumbPrint    = 'AllowUnencryptedTraffic'          
             ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
             ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
             State                    = 'Started'
             DependsOn                = '[WindowsFeature]DSCServiceFeature'     
             UseSecurityBestPractices = $true
         }        
    }
}

This one does not:

configuration Sample_xDscPullServer
{ 
    param  
    ( 
            [string[]]$NodeName = 'localhost', 

            [ValidateNotNullOrEmpty()] 
            [string] $certificateThumbPrint
     ) 


     Import-DSCResource -ModuleName xPSDesiredStateConfiguration
     Import-DSCResource -ModuleName PSDesiredStateConfiguration

     Node $NodeName 
     { 
         WindowsFeature DSCServiceFeature 
         { 
             Ensure = 'Present'
             Name   = 'DSC-Service'             
         } 

         xDscWebService PSDSCPullServer 
         { 
             Ensure                   = 'Present' 
             EndpointName             = 'PSDSCPullServer' 
             Port                     = 8080 
             PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer" 
             CertificateThumbPrint    = $certificateThumbPrint          
             ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules" 
             ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration" 
             State                    = 'Started'
             DependsOn                = '[WindowsFeature]DSCServiceFeature'     
             UseSecurityBestPractices = $true
         }        
    }
}

I get the following error:

Registration of the Dsc Agent with the server https://xxxx.xxxx.com:8080/PSDSCPullserver.svc failed. The underlying error is: Failed to 
register Dsc Agent with AgentId 9BBDFD2F-A215-11E6-80E2-005056996E1C with the server 
https://xxxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'). .
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : RegisterDscAgentCommandFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName        : localhost

Did anyone run into this issue before?

To double-check a couple of things…

Did you delete the pull server database between tries, to ensure you had a fresh start each time?

You’ve definitely been able to browse to the HTTPS address without error? What URL are you using to do that?

Hi Don, yes I do delete the pull server database when I rebuild the site. There are no SSL errors that I see in a browser. But I’ve just checked IIS logs and it does not appear that requests are being logged when DSC tries to connect to server.

I test with https://xxx.xxxx.com//PSDSCPullserver.svc and get the following:

Default
Configurations
Modules
Action
Module
StatusReport
Node
Reports
Nodes
or copy the URL from the error, https://xxx.xxxx.com:8080/PSDSCPullserver.svc/Nodes(AgentId='9BBDFD2F-A215-11E6-80E2-005056996E1C'), and get:

Client protocol version is invalid. Request header should contain ProtocolVersion {0}.
Client protocol version is invalid. Request header should contain ProtocolVersion 2.0.
System.ArgumentException



My guess now is that it could be UseSecurityBestPractices=$true and the client and server ciphers don't match up.

Indeed, I have found this issue to be due to, as you suspect, UseSecurityBestPractices=$true.
If I use the following property:

DisableSecurityBestPractices = 'SecureTLSProtocols'

then I no longer have issues when building a new pull server. Unfortunately, setting UseSecurityBestPractices=$false or applying a config with DisableSecurityBestPractices won't undo the previous registry settings on an existing pull server. To fix an existing pull server where UseSecurityBestPractices=$true was run, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
and delete any keys you don't want (you can compare with a clean server build, but basically deleting anything with TLS in the name fixed the issue for me, and those keys weren't there before applying the config with UseSecurityBestPractices=$true). I haven't narrowed it down yet to see which of the TLS registry settings were causing the problem, but it does take a reboot after deleting those keys for the change to take effect.
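A read-only inventory of that Protocols key, added here as an example (my own code, not Jeff's and not part of the thread), so the "compare with a clean server build" step can be done from a prompt instead of by eye in regedit. The registry path is the one from the post; the function names and the mismatch rule (Server side present and enabled while the Client side is missing or disabled) are mine. It runs in an elevated Windows PowerShell session on the pull server and changes nothing.

```powershell
# Added example: audit the SCHANNEL protocol keys that UseSecurityBestPractices writes.
# Read-only; run elevated on the pull server and on a clean build, then diff the two outputs.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        # Registry path of the Protocols key; the default is the live SCHANNEL location.
        [string]$Path = $SchannelProtocols
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No keys under $Path; Schannel is running on OS defaults."
        return
    }

    foreach ($protocol in Get-ChildItem -Path $Path) {
        foreach ($side in 'Client', 'Server') {
            $key    = "$($protocol.PSPath)\$side"
            $exists = Test-Path -Path $key
            $enabled = $null
            $disabledByDefault = $null
            if ($exists) {
                $props = Get-ItemProperty -Path $key
                # $null here means the value is absent, so Schannel applies its own default.
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $protocol.PSChildName   # e.g. 'TLS 1.2'
                Side              = $side
                KeyExists         = $exists
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Find-SchannelClientServerMismatch {
    # Reports protocols whose Server side is present and enabled while the Client side is
    # missing or disabled. Outbound TLS from the same box (an LCM registering against a pull
    # server on localhost, for instance) is governed by the Client side, not the Server side.
    [CmdletBinding()]
    param([string]$Path = $SchannelProtocols)

    $states = @(Get-SchannelProtocolState -Path $Path)
    foreach ($group in ($states | Group-Object -Property Protocol)) {
        $server = $group.Group | Where-Object { $_.Side -eq 'Server' }
        $client = $group.Group | Where-Object { $_.Side -eq 'Client' }
        # Enabled absent ($null) or any non-zero value counts as enabled; 0 is disabled.
        $serverOn  = $server.KeyExists -and ($server.Enabled -ne 0)
        $clientOff = (-not $client.KeyExists) -or ($client.Enabled -eq 0)
        if ($serverOn -and $clientOff) {
            $clientText = 'no Client key'
            if ($client.KeyExists) { $clientText = "Enabled=$($client.Enabled)" }
            [pscustomobject]@{
                Protocol = $group.Name
                Server   = "Enabled=$($server.Enabled)"
                Client   = $clientText
            }
        }
    }
}

# Usage on the pull server: full state first, then only the suspicious rows.
Get-SchannelProtocolState | Sort-Object Protocol, Side | Format-Table -AutoSize
Find-SchannelClientServerMismatch | Format-Table -AutoSize
```

Run it before deleting anything and save the output; if you do delete keys and reboot as Jeff describes, running it again shows exactly what went away.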

Thanks Jeff, you were right, disabling TLS fixed the issue! If I have time I'll dig into which specific protocol is failing and update the thread.

Thanks,
Eugene

One more note it does appear that UseSecurityBestPractices = $true is leaving something out of the config.

If I use best practices for securing SSL scripted in this link - https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12. The pull server works with TLS as well.

I will incorporate these settings in my pull server config.

Eugene

Too bad I didn't check this post yesterday :)

Found the problem, as far as I can tell, after a lot of head scratching.
It seems that when the TLS keys are created in the registry by the security best practices setting, it doesn't include the TLS 1.1 and/or TLS 1.2 Client regkeys, only the Server regkeys.

Added the following on the pull server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001

Seems to solve the registration problem in my test lab at least.

Update:

This is kind of weird: I reverted my VMs to the snapshots taken before any DSC was installed.
Redid the whole setup and now there was no problem running the registration.
The above regkey worked when I had the issue, but now I'm not sure why there was a problem in the first place.
Even removing the key afterwards didn't cause it to break, really weird.

There is a way to simulate this though.

If you type the following:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::ssl3

And then do an Invoke-WebRequest, you should get the same error as described earlier.
Using TLS, TLS11 or TLS12 instead of SSL3, it works.
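The simulation above, repeated for every protocol in turn, as an added example (my own code, not Frederik's and not part of the thread): pin ServicePointManager to one protocol, call the pull server with the ProtocolVersion header the error pages earlier in the thread ask for, and record whether the connection succeeded. It restores the process-wide setting afterwards, which the one-liner above does not. Test-PullServerProtocol is a name I chose, the URL is a placeholder, and it assumes Windows PowerShell 5.1 on the registering node (the .NET Framework version, where Ssl3 can still be selected).

```powershell
# Added example: probe a DSC pull server with one TLS/SSL version at a time.
# Assumes Windows PowerShell 5.1; the server URL below is a placeholder.

function Test-PullServerProtocol {
    [CmdletBinding()]
    param(
        # Pull server endpoint, e.g. https://pull.example.com:8080/PSDSCPullServer.svc (placeholder)
        [Parameter(Mandatory)]
        [string]$ServerUrl,

        # Protocols to try, one per request. Ssl3 is included only because the thread uses it
        # to reproduce the failure; it is expected to fail against a correctly hardened server.
        [Net.SecurityProtocolType[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )

    # SecurityProtocol is process-wide, so remember the caller's value and put it back.
    $saved = [Net.ServicePointManager]::SecurityProtocol
    try {
        foreach ($protocol in $Protocols) {
            $row = [ordered]@{ Protocol = $protocol; Result = ''; StatusCode = $null; Detail = '' }
            try {
                [Net.ServicePointManager]::SecurityProtocol = $protocol
                # ProtocolVersion 2.0 is the header the pull server's error page says it requires.
                $response = Invoke-WebRequest -Uri $ServerUrl -UseBasicParsing `
                    -Headers @{ ProtocolVersion = '2.0' } -ErrorAction Stop
                $row.Result     = 'OK'
                $row.StatusCode = [int]$response.StatusCode
            }
            catch {
                # A handshake failure surfaces as a WebException; keep the inner message, which is
                # where "unexpected error on a send"-style Schannel details usually live.
                $row.Result = 'Failed'
                $row.Detail = $_.Exception.Message
                if ($_.Exception.InnerException) {
                    $row.Detail += ' / ' + $_.Exception.InnerException.Message
                }
            }
            [pscustomobject]$row
        }
    }
    finally {
        [Net.ServicePointManager]::SecurityProtocol = $saved
    }
}

# Usage from the node that fails to register (placeholder URL):
Test-PullServerProtocol -ServerUrl 'https://pull.example.com:8080/PSDSCPullServer.svc' |
    Format-Table -AutoSize
```

The expected picture on a server hardened the way the thread ends up is Ssl3 failing and Tls12 succeeding; a table where every row fails points at the node's own Schannel Client keys rather than at the pull server's certificate or binding.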

Still having the problem. I wonder if it's because the node in question has the below set?

    # Note: in SCHANNEL, Enabled=0xffffffff means "enabled", whatever the resource name says.
    foreach ($protocol in @("MD5", "SHA")) {
        Registry "Disable Hash $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$protocol"
            ValueName = "Enabled"
            ValueData = "ffffffff"
            Hex       = $true
            ValueType = "Dword"
        }
    }

    foreach ($protocol in @("Diffie-Hellman", "PKCS")) {
        Registry "Disable KeyExchangeAlgorithms $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$protocol"
            ValueName = "Enabled"
            ValueData = "ffffffff"
            Hex       = $true
            ValueType = "Dword"
        }
    }

    Registry "Multi-Protocol Unified Hello"
    {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello'
        ValueName = "Enabled"
        ValueData = "0"
        ValueType = "Dword"
    }

    Registry "PCT 1.0"
    {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'
        ValueName = "Enabled"
        ValueData = "0"
        ValueType = "Dword"
    }

    Registry LocaleName
    {
        Ensure    = "Present"
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "LocaleName"
        ValueData = "en-GB"
        ValueType = "String"
    }

    Registry sCountry
    {
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "sCountry"
        ValueData = "United Kingdom"
        ValueType = "String"
    }

    Registry sShortDate
    {
        Key       = "HKEY_USERS\.DEFAULT\Control Panel\International"
        ValueName = "sShortDate"
        ValueData = "dd/MM/yyyy"
        ValueType = "String"
    }

    # Enabled=0 disables the cipher; this loop really does disable them.
    foreach ($protocol in @("NULL", "RC2 128/128", "RC2 56/128", "RC4 128/128", "RC4 64/128", "Triple DES 168", "DES 56/56", "RC2 40/128", "RC4 40/128", "RC4 56/128")) {
        xRegistry "Disable Cipher $protocol"
        {
            Ensure    = "Present"
            Key       = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$protocol"
            ValueName = "Enabled"
            ValueData = "0"
            ValueType = "Dword"
        }
    }

    Registry Enable_IIS_Remote
    {
        Ensure    = "Present"
        Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server'
        ValueName = "EnableRemoteManagement"
        ValueData = "1"
        ValueType = "Dword"
    }

Also my pull server config looks like this:

    xDscWebService PSDSCPullServer
    {
        Ensure                       = 'Present'
        EndpointName                 = 'PSDSCPullServer'
        Port                         = 443
        PhysicalPath                 = "$env:SystemDrive\inetpub\PSDSCPullServer"
        CertificateThumbPrint        = $certificateThumbPrint
        ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
        ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
        State                        = 'Started'
        UseSecurityBestPractices     = $false
        DisableSecurityBestPractices = 'SecureTLSProtocols'
        DependsOn                    = '[WindowsFeature]DSCServiceFeature'
    }

Please note I had a snapshot from before configuring the server; I reverted back to it and ran the pull server runbook.

The above link got broken

Hello,
I’ve been struggling with this issue for a while.

Client protocol version is invalid. Request header should contain ProtocolVersion 2.0

I set DisableSecurityBestPractices = 'SecureTLSProtocols', also went to the registry and created the value [TLS X.X\Client] "Enabled"=dword:00000001 under all TLS keys (as Frederik Kacsmarck states) and rebooted. Did not work. Afterwards, I deleted the TLS X.X keys from the registry (as Jeff suggests), rebooted, and it did not work either.

The message when setting the LCM on a node is still the same:

Error registering the DSC agent with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc. The inner erros is: Could not register DSC Agent with AgentId 09AC59BC-90C1-11E8-A14F-000C296AF402 with the server https://vmdt01.dggh.es:8080/PSDSCPullServer.svc/Nodes(AgentId='09AC59BC-90C1-11E8-A14F-000C296AF402')..

I suspect I’ll have to redo the box.