Error using registrationkey for pull server

jeremy-murrah · March 1, 2016, 2:25pm

Trying to get a couple of clients to pull configs from a pull server, and whenever I change it from using a configuration ID to using a config name with registration key, I get this error:

MIResult: 1
Error Message: Registration of the Dsc Agent with the server https://PSDSCPullServerCert:8080/PSDSCPullServer.svc failed. The underlying error is: The attempt to register Dsc Agent with AgentId 478DDCD3-DBC9-11E5-80FD-0050569E1347 with the server https://psdscpullservercert:8080/PSDSCPullServer.svc/Nodes(AgentId=‘478DDCD3-DBC9-11E5-80FD-0050569E1347’) returned unexpected response code Unauthorized. .
Message ID: RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
Error Category: 8
Error Code: 1
Error Type: MI

I’m not really sure how to troubleshoot any further. I tried grabbing the xDSCDiagnostics module, but that didn’t really tell me anything different. I did notice that the error is the same if I purposefully mess up the registration key guid in the config. I couldn’t see any matching log files on the pull server side, but I did grab a netmon capture just to make sure it’s actually getting the traffic.

Any ideas where to go from here? I should note that the server I’m using was a pull server with version 4, and my general screw-around-with-stuff box, so it might be time to just whack it and start fresh.

donj · March 1, 2016, 4:08pm

A v4 pull server doesn’t support configuration names or registration.

jeremy-murrah · March 1, 2016, 10:58pm

it’s not v4 anymore, I installed v5 the other day when it was re-released. Just wanted to mention it in case there’s any known issues with an upgraded pull server.

ed-oconnor · March 2, 2016, 12:40am

I had a similar issue and resolved it by deleting the Web site and recreating the site by modifying the Sample_xDSCWebService.ps1 in the xPSDesiredStateConfiguration module. Also, make sure you are using the latest module version (3.7.0.0 I think).
One other thing is to ensure that the web.config file has the correct entries:

https://msdn.microsoft.com/en-us/powershell/wmf/dsc_nodeid

jeremy-murrah · March 2, 2016, 8:43am

So I built a brand new 2012R2 server, installed .net 4.5 then WMF5, downloaded the latest xPSDesiredStateConfiguration module and configured the pull server with the public example script. Couple of questions:

Should I have a PSDSCServer.svc file in c:\inetpub\PSDSCPullServer?
Should I be able to browse to https://dscpullserver:8080/PSDSCPullServer.svc from internet explorer?
Is a client authentication certificate from a trusted internal CA sufficient for SSL encryption on the pull server and does it have to have a particular subject name?
Should my PSDSCPullServer website have anonymous authentication enabled instead of windows authentication?

donj · March 2, 2016, 8:49am

Yes. Make sure the pull server role/feature is installed.
No, not really. It isn’t a web page.
A client authentication certificate isn’t an SSL certificate. But an internally issued SSL certificate would be fine.
Usually, yes.

jeremy-murrah · March 2, 2016, 9:29am

ah there it is! Some how I ended up with the line

IsComplanceServer = $True

in my xDscWebService configuration block for the pull server. Looks like that caused it to populate the folder with only the compliance engine files instead of the pull server files. No idea where that line came from, but I was doing some pretty heavy copy/paste action there. Maybe that was a throwback to some v4 config or something. Anyway, thanks for the help.

Oh and it turns out you can browse to the pull server in IE, you jus get a wad of xml. Turned out to be pretty helpful in troubleshooting though, as the 500 and 404 errors I was seeing in the browser clicked in my brain better than the same errors in the script output. I dunno.

silent-steel · March 6, 2016, 2:50am

Should probably put a sticky on this forum to not use the Sample_xPSDesiredStateConfiguration.ps1 until they actually bring it to v5 levls of documentation as the github repo states.

A FAQ or similar hint hint nudge nudge

This is going to cause some headaches

donj · March 6, 2016, 2:53am

Stuck. And if you want to author a FAQ item, I’ll add it to the site!

donj · March 7, 2016, 1:29am

Because this is stickied, I also want to point out that, as of the initial re-release of WMF5, DSC pull servers need to be on the full server with a GUI, not on Server Core. This isn’t by design, it’s a bug, but right now the dependencies aren’t getting installed on Server Core correctly. So the pull server won’t work unless it’s on full GUI, right now.

narayanan-lakshmanan · March 18, 2016, 5:34am

The documentation for setting up DSC pull server is now updated. https://msdn.microsoft.com/en-us/powershell/dsc/pullserver Following the steps as outlined in this should help you setup the pull server correctly including on server core

silent-steel · March 18, 2016, 11:49am

The online documentation wasnt that “bad”

The problem is the samples that come with the module, Even in the new updated version you just posted, you still have the ComplianceServer in the Sample_xDscWebService.ps1

michael-maher · April 12, 2016, 6:51am

Hi Arie,

Right on with your comment regarding the Samples. The Samples are important because they are used in the server set-up (you kindly gave me this pointer yesterday)

https://msdn.microsoft.com/en-us/powershell/dsc/pullserver

The Sample_xDscWebService.ps1 script in the PowerShell Gallery/PackageMgmt is March 31st 2016.

The Sample_xDscWebService.ps1 script in GitHub is April 4th 2016.
https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebService.ps1

The difference is significant. Just look at the Param block for example.

Gallery Version

    param 
    (
        [string[]]$NodeName = 'localhost',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint
    )

GitHub Version

    param  
    ( 
            [string[]]$NodeName = 'localhost', 

            [ValidateNotNullOrEmpty()] 
            [string] $certificateThumbPrint,

            [Parameter(Mandatory)]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey 
     )

Michael

silent-steel · April 13, 2016, 7:42am

My original comment was march 6, when the xPSDSC Resource was ver 3.7.0.0. Month and half later, were at 3.9.0.0 and they have changed it.

So perhaps Don should unstick the threads and instead leave a very distinct call to everyone to make sure they use the latest version, and to make sure any example code they see on the web should be dated march 2016 and onwards, else there will be mishaps when they run them.

I still see brand new repos on github with dsc samples using old versions of the scripts from with the old resource versions, and it make me cringe, so I try to leave a note for the repo owner, usually.

At the moment i only download from github, its faster and i get to dl dev
versions to try them.

As for that specific code you pasted, the changes are more of taste then of content. The real changes are the removal of the IsCompliance property which caused issues, back when the original question was valid.