Hi
Using Windows Server 2012 R2 with KB2883200 installed. I have set up a Pull Server using a certificate.
I am unable to get my node to fetch configurations from the pull server.
Using Get-xDscOperation I find the following error:
```
WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET Url: PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command with server url: https://vm06.contoso.com:8080/PSDSCPullServer.svc.
Attempting to get the action from pull server using Download Manager WebDownloadManager. Configuration Id is 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b. Checksum is . Compliance status is true.
Configuration is sent from computer NULL by user sid S-1-5-21-195968190-741174349-770780043-93293. This event indicates that failure happens when LCM is trying to get the configuration from pull server using download manager WebDownloadManager. ErrorId is 0x1. ErrorDetail is Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET call result: Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.. Message One or more errors occurred. HResult -2146233088 StackTrack at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) at Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(HttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
WebDownloadManager processed certificate: [Subject] CN=DscSecure
```
and
```
[Thumbprint] 12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797 RemoteCertificateNameMismatch, RemoteCertificateChainErrors.
Configuration is sent from computer NULL by user sid S-1-5-21-195968190-741174349-770780043-93293. This event indicates that failure happens when LCM is trying to get the configuration from pull server using download manager WebDownloadManager. ErrorId is 0x1. ErrorDetail is Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.
WebDownloadManager for configuration 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b Do-DscAction command, GET call result: Failed to get the action from server https://vm06.contoso.com:8080/PSDSCPullServer.svc/Action(ConfigurationId='3f2fb53d-129c-44ff-8fcc-cc2a55ab738b')/GetAction.. Message One or more errors occurred. HResult -2146233088 StackTrack at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) at Microsoft.PowerShell.DesiredStateConfiguration.Commands.GetDscActionCommand.IssueRequest(HttpClient client, String subLink, String& responseStatus, ErrorRecord& errorRecord)
WebDownloadManager processed certificate: [Subject] CN=DscSecure
```
Trying to open my pull server site on target node or pull server gives me “There’s a problem with this website’s security certificate”. I have not manually set a certificate onto the pull server site in IIS.
My configuration is as follows:
```powershell
#CERT
$Certificate = "dscSecure"
$certSubject = "CN=$Certificate"
$keysFolder = Join-Path $env:SystemDrive -ChildPath "Keys"
$cert = dir Cert:\LocalMachine\My | ? { $_.Subject -eq $certSubject }
if (! (Test-Path $keysFolder )) {
    md $keysFolder | Out-Null
}

#Copy publickey to folder
$certPath = Export-Certificate -Cert $cert -FilePath (Join-Path $keysFolder -ChildPath "$Certificate.cer") -Force

#CERT PUBLIC for PULL SERVER
#This is done on the configuration server, The pfx (private key will only be on the node server)
#Import the public key to trustedroot if it does not already exist there.
$Existingcert = @()
$Existingcert += dir Cert:\LocalMachine\Root | % {$_.Subject}
If(!($Existingcert.where({$_ -eq $certSubject}))) {
    Import-Certificate -FilePath ($certPath.FullName) -CertStoreLocation Cert:\LocalMachine\Root > $null
}

#CREATE REGKEY
$RegKey = [guid]::newGuid() #Current a5d8b762-5102-4082-b088-be9c671975df
$Thumbprint = (Dir Cert:\LocalMachine\my | ? {$_.Subject -eq "CN=$Certificate"}).Thumbprint #12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName="*"
            PSDscAllowPlainTextPassword=$true
            PSDscAllowDomainUser = $true
        }
        @{
            NodeName='localhost'
        }
    )
}

configuration DscWebService
{
    param
    (
        [string[]]$NodeName = 'localhost',
        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint
    )
    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name = "DSC-Service"
        }
        WindowsFeature Auth
        {
            Ensure = "Present"
            Name = "web-windows-Auth"
        }
        xDscWebService PSDSCPullServer
        {
            Ensure = "Present"
            EndpointName = "PSDSCPullServer"
            Port = 8080
            PhysicalPath = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint = $certificateThumbPrint
            ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State = "Started"
            DependsOn = "[WindowsFeature]DSCServiceFeature"
        }
        xDscWebService PSDSCComplianceServer
        {
            Ensure = "Present"
            EndpointName = "PSDSCComplianceServer"
            Port = 9080
            PhysicalPath = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
            CertificateThumbPrint = $certificateThumbPrint
            State = "Started"
            #IsComplianceServer = $true
            DependsOn = @("[WindowsFeature]DSCServiceFeature","[xDSCWebService]PSDSCPullServer")
        }
    }
}

#RUN CONFIGURATION
$MofConfigFile = DscWebService -ConfigurationData $configurationData -certificateThumbPrint $Thumbprint -OutputPath c:\Configs\PullServer
# This creates a MOF at:
$MofConfigDirectory = $MofConfigFile.DirectoryName
ii $MofConfigDirectory

#RUN MOF
Start-DscConfiguration -Path $MofConfigDirectory -Wait -verbose -ComputerName "localhost" -force
```
Then copying certificate to node:
```powershell
#NODE
$Node = 'vm05'

#COPY PFX TO NODE
$block = {
    $Certificate = "dscSecure"
    $CertificatePwd = "Password99"
    $NewPath = "C:\$Certificate.pfx"
    $mypwd = ConvertTo-SecureString -String $CertificatePwd -Force -AsPlainText
    Import-PfxCertificate -FilePath $NewPath cert:\localMachine\my -Password $mypwd
}
Set-Content "\\share\import_sert.ps1" $block

#Import private key to nodes
copy "\\share\$Certificate.pfx" \\$Node\c$
copy "\\share\import_sert.ps1" \\$Node\c$
$testscriptblock = { powershell C:\import_sert.ps1 }
Invoke-Command -ComputerName $Node -ScriptBlock $testscriptblock

#CREATE CHECKSUM FOR MODULES
New-DSCCheckSum -ConfigurationPath 'C:\Program Files\WindowsPowerShell\DscService\Modules' -OutPath 'C:\Program Files\WindowsPowerShell\DscService\Modules'
```
Configuring the LCM:
```powershell
#GUID FOR EACH TARGET NODE
$guid = '3f2fb53d-129c-44ff-8fcc-cc2a55ab738b' #[Guid]::NewGuid().ToString() #

#LCM
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName="*"
            PSDscAllowPlainTextPassword=$true
            PSDscAllowDomainUser = $true
            CertificateFile = "C:\keys\$Certificate.cer"
            Thumbprint = $Thumbprint
        }
        @{
            NodeName = $Node
            NodeGuid = $guid
        }
    )
}

Configuration ConfigureTargetLCMs {
    Node $AllNodes.NodeName {
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
            ConfigurationID = $Node.NodeGuid;
            RefreshMode = "PULL";
            AllowModuleOverwrite = $true
            DownloadManagerName = "WebDownloadManager";
            RebootNodeIfNeeded = $true;
            RefreshFrequencyMins = 15;
            ConfigurationModeFrequencyMins = 15;
            ConfigurationMode = "ApplyAndAutoCorrect";
            DownloadManagerCustomData = @{ ServerUrl = "https://vm06.contoso.com:8080/PSDSCPullServer.svc"}
        }
    }
}
ConfigureTargetLCMs -ConfigurationData $ConfigData -nodename $Node -OutputPath c:\Configs\TargetNodes
New-DSCCheckSum -path C:\Configs\TargetNodes

#REMOTE SET
Write-Host "Starting CimSession"
$pwd = read-host
$pass = ConvertTo-SecureString $pwd -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("contoso\user", $pass)
$cim = New-CimSession -ComputerName $Node -Credential $cred
Write-Host "Writing config"
Set-DscLocalConfigurationManager -CimSession $cim -Path C:\Configs\TargetNodes -Verbose
# read the config settings back to confirm
Get-DscLocalConfigurationManager -CimSession $cim

#TEST pull
cd '\\share'
.\Invoke-PullonNode.ps1 -computername $Node
cd C:\windows\System32

#REMOVE OLD dscConfiguration from node:
$Session = New-CimSession -ComputerName $node -Credential $cred
Remove-DscConfigurationDocument -Stage Current -CimSession $Session
```
Here is the configuration I want the node vm05 to get:
```powershell
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName="*"
            PSDscAllowPlainTextPassword=$true
            PSDscAllowDomainUser = $true
        }
        @{
            NodeName="vm05"
            NodeGuid = '3f2fb53d-129c-44ff-8fcc-cc2a55ab738b' # $guid # CertificateFile = 'C:\Keys\dscSecure.cer'
            Thumbprint = $Thumbprint # '12437D58F28E4E52B63B0FBCF0E34CF4C8BD8797'
        }
    )
}

Configuration WindowsManagementFrameWork5 {
    param (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PSCredential]
        $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xWindowsUpdate
    Node $AllNodes.NodeName {
        xHotfix PowerShell5 {
            Ensure = "Present"
            Id = "KB3134758"
            Path = "\\share\Win8.1AndW2K12R2-KB3134758-x64.msu"
            Credential = $cred
        }
    }
}
WindowsManagementFrameWork5 -ConfigurationData $configurationData -Credential $cred -OutputPath C:\Configs\TargetNodes

#Here I change name of the mof to 3f2fb53d-129c-44ff-8fcc-cc2a55ab738b.mof, then run the:
New-DSCCheckSum -path C:\Configs\TargetNodes
#Then copy this to the C:\Program Files\WindowsPowerShell\DscService\Configuration.
```
I have made sure that I have both modules zipped with their checksum; xPSDesiredStateConfiguration_3.12.0.0.zip and xWindowsUpdate_2.5.0.0.zip.
Any tips or advice are welcome!
Brgs
Bjørn.
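
Added example, not part of the original post: the log above ends with `RemoteCertificateNameMismatch, RemoteCertificateChainErrors`, the two .NET `SslPolicyErrors` flags raised when the certificate's name does not match the requested host and when its chain does not validate on the client. The function below, run from the node, performs the same TLS handshake against the pull server endpoint and reports the certificate fields behind those flags; the name `Test-PullServerCertificate` is hypothetical, and the host and port are taken from the `ServerUrl` in the post.

```powershell
# Added example, not from the original post. Test-PullServerCertificate is a
# hypothetical helper name; host and port below come from the ServerUrl in the post.
function Test-PullServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $seen = @{}   # filled in by the validation callback
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $sslPolicyErrors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $seen.Errors = $sslPolicyErrors.ToString()
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        # Let the handshake finish so the certificate can be reported; no request is sent.
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }   # name is checked against $HostName
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
    if (-not $seen.Cert) { throw "No certificate was presented by ${HostName}:$Port" }

    # Subject Alternative Name extension (OID 2.5.29.17), if present
    $san     = $seen.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = '(none)'
    if ($san) { $sanText = $san.Format($false) }

    New-Object PSObject -Property @{
        RequestedHost       = $HostName
        Subject             = $seen.Cert.Subject
        Issuer              = $seen.Cert.Issuer
        Thumbprint          = $seen.Cert.Thumbprint
        SubjectAltNames     = $sanText
        SubjectEqualsIssuer = ($seen.Cert.Subject -eq $seen.Cert.Issuer)
        NotAfter            = $seen.Cert.NotAfter
        PolicyErrors        = $seen.Errors   # SslPolicyErrors flags, as in the DSC log
        ChainStatus         = $seen.Chain    # X509ChainStatusFlags from the node's trust stores
    }
}

# Run on the node, against the endpoint the LCM is configured to use
Test-PullServerCertificate -HostName 'vm06.contoso.com' -Port 8080 | Format-List
```

Comparing `RequestedHost` with `Subject` and `SubjectAltNames` explains a name mismatch, and `ChainStatus` shows why the node's certificate stores do not accept the chain.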