Failure joining on-prem to Azure DSC Automation

Hello,

I’m having difficulties joining a Windows machine to Azure DSC automation. I’m getting the following error:

Registration of the Dsc Agent with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX failed. The underlying error is: The attempt to register Dsc Agent with AgentId
XXXXXXXXXXXXXXXXXXXXXX with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXX') returned unexpected response code
Unauthorized. .
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName        : AZURE-TEST

Here is my meta mof config

param (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName
)

[DscLocalConfigurationManager()]
Configuration DscMetaConfigs
{

    param
    (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName,

        [Boolean]$RebootNodeIfNeeded= $False,

        [String]$ActionAfterReboot = "ContinueConfiguration",

        [Boolean]$AllowModuleOverwrite = $False,

        [Boolean]$ReportOnly = $False
    )

    if(!$NodeConfigurationName -or $NodeConfigurationName -eq "")
    {
        $ConfigurationNames = $null
    }
    else
    {
        $ConfigurationNames = @($NodeConfigurationName)
    }

    if($ReportOnly)
    {
        $RefreshMode = "PUSH"
    }
    else
    {
        $RefreshMode = "PULL"
    }

    Node $ComputerName
    {

        Settings
        {
            RefreshFrequencyMins = $RefreshFrequencyMins
            RefreshMode = $RefreshMode
            ConfigurationMode = $ConfigurationMode
            AllowModuleOverwrite = $AllowModuleOverwrite
            RebootNodeIfNeeded = $RebootNodeIfNeeded
            ActionAfterReboot = $ActionAfterReboot
            ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
        }

        if(!$ReportOnly)
        {
            ConfigurationRepositoryWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
                ConfigurationNames = $ConfigurationNames
            }

            ResourceRepositoryWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
            }
        }
        }

        ReportServerWeb AzureAutomationDSC
        {
            ServerUrl = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

DscMetaConfigs -RegistrationUrl $RegistrationUrl -RegistrationKey $RegistrationKey -ComputerName $env:COMPUTERNAME -NodeConfigurationName $NodeConfigurationName  

I have a script that allows an end user to put in the necessary information (Registration keys, URL etc…), generates the meta mof then feeds it to the LCM. But I get the aforementioned error when I try to execute.

Here is the relevant DSC event error log

Job {6E7C0C83-BD69-11E7-BD75-005056852B86} : 
Http Client XXXXXXXXXXXXXXXXXXXXXX failed for WebReportManager for configuration 
FullyQualifiedErrorId :ReportManagerSendStatusReportUnsuccessful
 CategoryInfo:InvalidResult: (:) [], InvalidOperationException
 ExceptionMessage:The attempt to send status report to the server https://azureserver/accounts/XXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXXXXX')/SendReport returned unexpected response code Unauthorized.
, InnerException
.

Does anybody have any ideas on what could be the problem?

Hey,
I struggled with this as well, and I ended up getting my config locally and reporting to Azure.

    Settings
    {
        RefreshMode = 'Pull'
        RefreshFrequencyMins = 30
        ConfigurationModeFrequencyMins = 15
        ConfigurationMode = 'ApplyAndAutocorrect'
        ActionAfterReboot = 'ContinueConfiguration'
        AllowModuleOverwrite = $true
        RebootNodeIfNeeded = $true
    }

    ConfigurationRepositoryWeb MYLOCALPULLSERVER
    {
        ServerURL = 'https://LOCALDSCPULL:8080/PSDSCPullServer.svc'
        RegistrationKey = 'COMPUTER_GUID'
        ConfigurationNames = "NAME_OF_CONFIG"
    }

    # Report to Azure Automation.
    ReportServerWeb AzureAutomationDSC
    {
        ServerUrl = "https://wcus-agentservice-XXX.azure-automation.net/accounts/"
        RegistrationKey = "EKGJpnXXXXXXXXX__EncryptionKeyLikeRegistrationKey___5BiUbBY3Lnjd3MN5pJ0kmw=="
    }

Can you try something like this…

Note that RegistrationKey to AZURE is the key that you’ll get from Portal on Account Settings -> Keys.

Hope that helps.

Unfortunately, my business requirements don’t fit in with that solution. Adding a local pull server to each location is not an option.

The key used was the primary one in Account Settings -> Keys and it still fails. I’ll keep trying; if I come up with a solution I’ll make sure to post it here.

Update!

So I tested my script on a Windows 2008 Server (upgraded PowerShell to 5.1), and it connected without a problem. So whatever the issue is, it seems to be affecting Windows 10 Enterprise/that virtual machine only… I’ll try and do some more testing to see if I can narrow the problem down more. If anybody has any ideas, feel free to post them.

Edit:
So it appears to continue failing on fresh versions of Windows 2016 and Windows 10 Enterprise.

With exactly the same script? In the past when I have hit this error it was either in my script or something was preventing network traffic. I’m happy to work with you on this if you would like to DM me on Twitter - @migreene.

@Michael Thanks for the offer, I followed you and sent you a tweet, follow me back so I can DM you.

Regarding the script:
The script does multiple things to get the machine ready for its purposes. Everything else is fine, but once it gets to the part where it’s joined to Azure, that’s when it fails. The section basically looks like this:

# Get the necessary input, no empty strings allowed
do {
    $url = Read-Host "Enter registration URL "
} while ([string]::IsNullOrEmpty($url))

do {
    $key = Read-Host "Enter registration key "
} while ([string]::IsNullOrEmpty($key))

do {
    $NodeConf = Read-Host "Enter configuration name "
} while ([string]::IsNullOrEmpty($NodeConf))

$compn = $env:COMPUTERNAME

# Create the meta MOF
try {
    Write-Host "Executing meta configuration..." -ForegroundColor Yellow -BackgroundColor Black
    .\nodeconfig.PS1 -RegistrationUrl $url -RegistrationKey $key -ComputerName $compn -NodeConfigurationName $NodeConf
}
catch {
    Write-Host "Error when building the NODE configuration. Make sure NODE config exists"
}

# Start the LCM configuration
try {
    Set-DscLocalConfigurationManager .\DscMetaConfigs\ -Verbose -Force -ErrorAction Stop     # <---------- Failure
}
catch {
    Write-Host "Error occurred! `n" -ForegroundColor Yellow -BackgroundColor Red
}


So the .\nodeconfig.PS1 is the meta config I posted in my first post; the URL, key, config and computer name are given, the meta config is created, then executed. And that’s when this error occurs.

I disabled the Windows firewall on the machine that I’m testing and there are no network restrictions from the subnet the machine is on that is executing the script. I checked the metaconfig to make sure all the values were correct and I didn’t see anything wrong with it. I did a line by line comparison between the metaconfig generated on the Windows 08 server and the one generated on the Windows 2016 and it was all the same. Frankly I’m a bit stumped.

So I just tried on my personal machine and it worked fine… The only discernible difference that I can tell is that the 08 server and my machine are licensed Windows machines. The Win Server 2016 and Win 10 Enterprise 2016 are on eval licenses just for testing purposes; can anybody confirm if this has anything to do with it?

No, no connection between DSC and the licensing state of the node

So I’ve done a lot of testing to try and narrow it down. As Michael mentioned before, it was either the network or the script. In this case it appears to be the script. When I hardcode the URL, key and node configuration, it works without any problems. When I use the aforementioned configuration in the OP it fails, only some of the time? It’s strange. It appears that the variables aren’t being passed in correctly, causing the authentication to fail, which is why I keep getting the “Unauthorized” message.

I have also noticed that some dsc clients will still join even after the failure message.
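Since the thread ends on the variables apparently not reaching the meta MOF intact, one defensive step a practitioner can drop into the OP's script is to read back the generated meta.mof and compare its ServerURL, RegistrationKey and ConfigurationNames against the values the user typed before calling Set-DscLocalConfigurationManager. This is an added example, not code from the thread or from Microsoft: Test-DscMetaMof is a hypothetical helper, the `.\DscMetaConfigs\<ComputerName>.meta.mof` path follows the OP's script, and the whitespace check is only a guess at one way pasted Read-Host input could produce an Unauthorized response.

```powershell
# Added example (not from the thread). Verifies the meta.mof written by the OP's
# nodeconfig.PS1 carries exactly the URL/key/configuration name that was entered,
# so a mismatch is reported locally instead of as an Unauthorized reply from Azure.
function Test-DscMetaMof {
    param(
        [Parameter(Mandatory)][string]$MofPath,
        [Parameter(Mandatory)][string]$ExpectedUrl,
        [Parameter(Mandatory)][string]$ExpectedKey,
        [string]$ExpectedConfigurationName
    )
    if (-not (Test-Path -Path $MofPath)) { throw "Meta MOF not found: $MofPath" }
    $mof = Get-Content -Path $MofPath -Raw
    $opt = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

    # Every ServerURL / RegistrationKey assignment in the MOF (one per *Web block).
    $urls = @([regex]::Matches($mof, 'ServerURL\s*=\s*"([^"]*)"', $opt) | ForEach-Object { $_.Groups[1].Value })
    $keys = @([regex]::Matches($mof, 'RegistrationKey\s*=\s*"([^"]*)"', $opt) | ForEach-Object { $_.Groups[1].Value })
    $cfgs = @([regex]::Matches($mof, 'ConfigurationNames\s*=\s*\{\s*"([^"]*)"', $opt) | ForEach-Object { $_.Groups[1].Value })

    $problems = @()
    if ($urls.Count -eq 0) { $problems += 'no ServerURL found in the MOF' }
    if ($keys.Count -eq 0) { $problems += 'no RegistrationKey found in the MOF' }
    foreach ($u in $urls) {
        if ($u -ne $ExpectedUrl.Trim()) { $problems += "ServerURL '$u' differs from the entered URL" }
    }
    foreach ($k in $keys) {
        # Never echo the key itself; only report that it differs.
        if ($k -ne $ExpectedKey.Trim()) { $problems += 'a RegistrationKey in the MOF differs from the entered key' }
        if ($k -match '^\s|\s$')       { $problems += 'a RegistrationKey in the MOF has leading/trailing whitespace' }
    }
    if ($ExpectedConfigurationName -and ($cfgs -notcontains $ExpectedConfigurationName.Trim())) {
        $problems += "ConfigurationNames does not contain '$ExpectedConfigurationName'"
    }
    return $problems   # empty array means the MOF matches what was entered
}

# Usage: guard the LCM step in the OP's script with the check above.
$mofPath  = Join-Path -Path '.\DscMetaConfigs' -ChildPath "$env:COMPUTERNAME.meta.mof"
$findings = @(Test-DscMetaMof -MofPath $mofPath -ExpectedUrl $url -ExpectedKey $key -ExpectedConfigurationName $NodeConf)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'Meta MOF does not match the entered registration values; not applying it.'
}
Set-DscLocalConfigurationManager -Path '.\DscMetaConfigs' -Verbose -Force -ErrorAction Stop
```

If the check passes and registration still returns Unauthorized, the mismatch is on the Azure side (wrong account URL or a rotated key), not in how the script fed the meta MOF.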