Powershell DSC client can't register with pull server


For the past few days, I have been trying to create a development/test environment where I can automate deployments with DSC.

I have been using WMF5.1.

The pullserver has been set up using the example: Sample_xDscWebServiceRegistrationWithSecurityBestPractices

From xPSDesiredStateConfiguration 5.1.0.0.

configuration Sample_xDscWebServiceRegistrationWithSecurityBestPractices
{
    param
    (
        [string[]]$NodeName = 'CORE-O-DSCPull.CORE.local',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint,

        [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey # A guid that clients use to initiate conversation with pull server
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration -ModuleVersion '5.1.0.0'

    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                       = "Present"
            EndpointName                 = "PSDSCPullServer"
            Port                         = 8080
            PhysicalPath                 = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint        = $certificateThumbPrint
            ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                        = "Started"
            DependsOn                    = "[WindowsFeature]DSCServiceFeature"
            RegistrationKeyPath          = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $true
            UseSecurityBestPractices     = $true
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}

I apply the MOF file to my pull server without issues. I create a meta MOF using the same example:

[DSCLocalConfigurationManager()]
configuration Sample_MetaConfigurationToRegisterWithSecurePullServer
{
    param
    (
        [ValidateNotNullOrEmpty()]
        [string] $NodeName = 'CORE-O-DSCPull.CORE.local',

        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey, # same as the one used to set up the pull server in the previous configuration

        [ValidateNotNullOrEmpty()]
        [string] $ServerName = 'CORE-O-DSCPull.CORE.local' # node name of the pull server, same as $NodeName used in the previous configuration
    )

    Node $NodeName
    {
        Settings
        {
            RefreshMode        = 'Pull'
        }

        ConfigurationRepositoryWeb CORE-O_PullSrv
        {
            ServerURL          = "https://$ServerName`:8080/PSDSCPullServer.svc" # notice it is https
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = @('Basic')
        }
    }
}

I apply the LCM settings to my pull-server without a problem. I can create a simple basic.mof and use DSC to apply it. All this works fine.

Next, I create another meta.mof file for another node to let it register to my pull-server. I use the same configuration as above except for the nodename, which I change to the name of the other node. I use the command:

Set-DscLocalConfigurationManager -ComputerName <nodename> -path <pathtonewmetamof>

This command works correctly. That machine can then use DSC to apply the same basic.mof without problems.

Here comes the problem: I restart my pull server and node, create a new basic.mof and try to apply this to both my machines. This procedure works fine on the pull server itself, but my node can no longer apply the basic.mof, because it will no longer register with my pull-server. I have replicated this many times, where I would install both machines from scratch and configure them. Every time I restart my machines, registration stops working. See the error below:

Registration of the Dsc Agent with the server https://CORE-O-DSCPull.CORE.local:8080/PSDSCPullServer.svc failed. The underlying error is: Failed to register Dsc
Agent with AgentId 1FE837AA-C774-11E6-80B5-9830B2A0FAC0 with the server
https://core-o-dscpull.core.local:8080/PSDSCPullServer.svc/Nodes(AgentId='1FE837AA-C774-11E6-80B5-9830B2A0FAC0'). .
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : RegisterDscAgentCommandFailed,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName        : CORE-O-DC.CORE.local

So, my problem is that registration seems to work fine until I reboot the pull server. Does anyone have any idea what can cause this issue?


There are 2 answers

Bob Smienk On

For those wondering if I managed to fix this, yes I did. It appears to be a bug in WMF5.0 and I was only using WMF5.1 on the pullserver. Not on the node. So I had to update that and now it is working.

Marc Esteve On

As explained in this blog entry, the low-level problem is that WMF 5.0 uses TLS 1.0 to communicate with the server, while WMF 5.1 no longer supports TLS 1.0.

In the aforementioned entry you will find two solutions: one that implies upgrading WMF on each and every node, and another that allows less secure connections by modifying the registry on the server.
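Both answers point at the same root cause: a WMF 5.0 node negotiating TLS 1.0 against a WMF 5.1 pull server that refuses it. The following diagnostic, added here and not part of the question or either answer, lets you confirm that from the failing node before touching anything: it reads the WMF version and the pull server URL out of the node's own LCM settings, then attempts a raw TLS handshake against the endpoint once per protocol version so you can see which versions the server accepts. It assumes PowerShell 5.x on the node, that the meta MOF above has been applied (so `Get-DscLocalConfigurationManager` returns a `ConfigurationRepositoryWeb` entry), and that port 8080 is reachable; the function names are my own.

```powershell
# Added diagnostic (not from the original post). Run on the node that fails to register.

function Get-DscRegistrationFacts {
    # Pull the facts the two answers hinge on: WMF version and the configured pull server.
    $lcm  = Get-DscLocalConfigurationManager
    $repo = $lcm.ConfigurationDownloadManagers | Select-Object -First 1
    [pscustomobject]@{
        PSVersion   = $PSVersionTable.PSVersion
        IsWmf51     = $PSVersionTable.PSVersion -ge [version]'5.1'
        RefreshMode = $lcm.RefreshMode
        ServerURL   = $repo.ServerURL
        AgentId     = $lcm.AgentId   # the id that appears in the registration error
    }
}

function Test-PullServerTls {
    # Try one handshake per protocol version and report which ones the server completes.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [int]$Port = 8080,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ServerName, $Port)
            # The pull server uses a self-signed certificate, so certificate validation is
            # skipped here on purpose: this probe only asks which protocol versions are offered.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($ServerName, $null, $proto, $false)
            [pscustomobject]@{ Requested = $proto; Negotiated = $ssl.SslProtocol; Result = 'OK' }
            $ssl.Dispose()
        }
        catch {
            [pscustomobject]@{ Requested = $proto; Negotiated = $null; Result = $_.Exception.GetBaseException().Message }
        }
        finally {
            $client.Dispose()
        }
    }
}

# Usage: read the endpoint from the LCM and probe it.
$facts = Get-DscRegistrationFacts
$facts | Format-List
$uri = [uri]$facts.ServerURL
Test-PullServerTls -ServerName $uri.Host -Port $uri.Port | Format-Table -AutoSize
```

On a node still running WMF 5.0, `IsWmf51` is `$false`; if the `Tls` (1.0) row fails while `Tls12` succeeds, you are looking at the mismatch the answers describe, and upgrading the node to WMF 5.1 is the fix that keeps TLS 1.0 disabled on the server. The probe deliberately does not modify anything; re-enabling TLS 1.0 server-side is the less secure of the two options and should be a last resort.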