Question: Unable to register a DSC Windows 10 (version 1709) client with the pull server.
Background: Below is a detailed list of the environment/configuration that was implemented and was registering Windows 10 client nodes (version 1511) normally before the client was updated to version 1709. The server and its certificate have been recreated with the following configuration to keep the setup as simple as possible in order to demonstrate the problem.
Pull server system details:
OS: Windows Server 2012 R2
WinVer: Version 6.3 (Build 9600)
PSVersion: 5.1.14409.1012
xPSDesiredStateConfiguration: 7.0.0.0
Pull server configuration:
The pull server was configured using Microsoft's sample script found here under the page heading "Set up a web pull server" (copied below for convenience):
configuration Sample_xDscPullServer
{
    param
    (
        [string[]]$NodeName = $Env:computername
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName
    {
        # Installs the DSC-Service Windows feature the web pull server depends on
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }

        # The HTTPS pull server endpoint; bound to the certificate identified by thumbprint
        xDscWebService PSDSCPullServer
        {
            Ensure                   = 'Present'
            EndpointName             = 'PSDSCPullServer'
            Port                     = 8080
            PhysicalPath             = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint    = {My CertificateThumbPrint}
            ModulePath               = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath        = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                    = 'Started'
            DependsOn                = '[WindowsFeature]DSCServiceFeature'
            UseSecurityBestPractices = $false
        }

        # Registration key that pull clients must present when registering
        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = {Generated GUID using powershell new-Guid}
        }
    }
}
Pull server certificate details:
The pull server has a self-signed certificate installed (I suspect the problem lies in new certificate rules implemented in the 1709 update), created using this Microsoft script titled "New-SelfSignedCertificateEx.ps1".
The certificate was created using the following code from the "Securing the Mof" function from Microsoft referenced above:
New-SelfsignedCertificateEx `
    -Subject "CN=${ENV:ComputerName}" `
    -EKU 'Document Encryption' `
    -KeyUsage 'KeyEncipherment, DataEncipherment' `
    -SAN ${ENV:ComputerName} `
    -FriendlyName 'DSC Credential Encryption certificate' `
    -Exportable `
    -StoreLocation 'LocalMachine' `
    -KeyLength 2048 `
    -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -AlgorithmName 'RSA' `
    -SignatureAlgorithm 'SHA256'

# Locate the newly created certificate
$Cert = Get-ChildItem -Path cert:\LocalMachine\My `
    | Where-Object {
        ($_.FriendlyName -eq 'DSC Credential Encryption certificate') `
        -and ($_.Subject -eq "CN=${ENV:ComputerName}")
    } | Select-Object -First 1
Pull client system details (working LCM registration)
OS: Windows 10 Pro
WinVer: Version 1511 (Build 10586.63)
PSVersion: 5.0.10586.63
xPSDesiredStateConfiguration: 7.0.0.0
Pull client LCM configuration:
Simple configuration found in "Setting up a pull client using configuration names":
[DSCLocalConfigurationManager()]
configuration PullClientConfigNames
{
    Node $Target
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded   = $true
        }

        ConfigurationRepositoryWeb CONTOSO-PullSrv
        {
            ServerURL          = "https://${env:computername}:8080/PSDSCPullServer.svc"
            RegistrationKey    = {Correct registration key from pull server}
            ConfigurationNames = @($Target)
        }
    }
}

PullClientConfigNames
All of the above code worked before I updated the pull client to Windows 10 version 1709, and the client was able to register with the pull server. However, after applying the Windows update, the client no longer registers with the pull server.
Pull client system details after the update
OS: Windows 10 Pro
WinVer: Version 1709 (Build 16299.19)
PSVersion: 5.1.16299.19
xPSDesiredStateConfiguration: 7.0.0.0
Pull client error (Event Viewer, Microsoft-Windows-Desired State Configuration / Operational) during the pull server registration attempt:
Job {7BD76187-B9A2-11E7-8ACF-080027D18DCF} :
Http Client A3B5331D-B51C-11E7-8ACE-080027D18DCF failed to register Dsc Agent:
+ FullyQualifiedErrorId : RegisterDscAgentCommandFailed
+ CategoryInfo : InvalidResult: (:) [], InvalidOperationException
+ ExceptionMessage : Failed to register Dsc Agent with AgentId A3B5331D-B51C-11E7-8ACE-080027D18DCF with the server https://dsc-ws1264-co02:8080/PSDSCPullServer.svc/Nodes(AgentId='A3B5331D-B51C-11E7-8ACE-080027D18DCF').
+ InnerException : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord)
---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---<---
Final note: It appears that after the pull client was updated, Microsoft changed what is considered a valid certificate. Note the following line from the client's stack trace:
The remote certificate is invalid according to the validation procedure
Has Microsoft stopped supporting self-signed certificates for pull servers? Perhaps there is a new Group Policy setting that allows the new Windows version (1709) to accept self-signed certificates. Either way, I have exhausted my resources. This problem can easily be recreated using the above configuration on the OS/versions mentioned. Any insight on how to debug/fix this further would be greatly appreciated.
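As an added diagnostic example (not code from the question or the answer), the following PowerShell script, run on the pull client, opens a TLS connection to the pull server, lets the handshake complete, and reports the SslPolicyErrors .NET raised together with the certificate's subject, SAN, EKU list and whether a chain requiring the Server Authentication EKU can be built. The host name and port are assumed placeholders.

```powershell
# Added diagnostic example; host name and port are placeholders, replace with your own.
$PullServerHost = 'dsc-pull-server.example'   # placeholder: name used in the client's ServerURL
$PullServerPort = 8080                        # port from the pull server configuration

function Test-PullServerCertificate {
    param([string]$HostName, [int]$Port)

    # Hashtable is passed by reference, so the callback can record why validation failed
    $state = @{ PolicyErrors = 'None' }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        return $true   # accept only so the handshake finishes and the certificate can be inspected
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Rebuild the chain the way a TLS client does: the Server Authentication EKU must be present
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'))
    $chainOk = $chain.Build($cert)

    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject           = $cert.Subject
        SubjectAltName    = $san
        EnhancedKeyUsage  = ($eku -join ', ')
        NotAfter          = $cert.NotAfter
        SslPolicyErrors   = $state.PolicyErrors   # e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        ServerAuthChainOk = $chainOk
        ChainStatus       = (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
    }
}

Test-PullServerCertificate -HostName $PullServerHost -Port $PullServerPort | Format-List
```

A non-empty SslPolicyErrors or ServerAuthChainOk of False tells you which check the client is failing (name mismatch, untrusted issuer, or an EKU that does not include Server Authentication) before changing the certificate or the server.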
Answer 0: (score: 0)
After posting this question on Powershell.org/forums, Don Jones answered it quickly. It turns out that using a self-signed certificate to give your pull server a "fake" secure test environment is now locked down by Windows and no longer supported. This is to prevent developers from accidentally using it in a production environment.
My solution for now is to give our test lab a standard, unsecured http pull server until we need a real production-environment certificate.