windows - DSC Pull Server Fails to Register Windows 10 (1709) Client

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:33:41

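Problem: Unable to register a DSC Windows 10 (version 1709) client with the pull server.

Background: Below is a detailed list of the environment/configuration that was implemented and working to register Windows 10 client nodes (version 1511) before the client was updated to version 1709. The pull server and its certificate have been recreated with the configuration below, to keep the setup as simple as possible while demonstrating the problem.

Pull server system details:

OS: Windows Server 2012 R2

WinVer: Version 6.3 (Build 9600)

PS Version: 5.1.14409.1012

xPSDesiredStateConfiguration: 7.0.0.0

Pull server configuration:

The pull server was configured using the Microsoft sample script located here, under the page heading "Setting up a web pull server" (copied below for convenience):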

    configuration Sample_xDscPullServer
    {
        param
        (
            [string[]]$NodeName = $Env:computername
        )

        Import-DSCResource -ModuleName xPSDesiredStateConfiguration
        Import-DSCResource -ModuleName PSDesiredStateConfiguration

        Node $NodeName
        {
            WindowsFeature DSCServiceFeature
            {
                Ensure = 'Present'
                Name = 'DSC-Service'
            }

            xDscWebService PSDSCPullServer
            {
                Ensure = 'Present'
                EndpointName = 'PSDSCPullServer'
                Port = 8080
                PhysicalPath = "$env:SystemDrive\inetpub\PSDSCPullServer"
                CertificateThumbPrint = {My CertificateThumbPrint}
                ModulePath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
                ConfigurationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
                State = 'Started'
                DependsOn = '[WindowsFeature]DSCServiceFeature'
                UseSecurityBestPractices = $false
            }

            File RegistrationKeyFile
            {
                Ensure = 'Present'
                Type = 'File'
                DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
                Contents = {Generated GUID using powershell new-Guid}
            }
        }
    }

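Pull server certificate information:

The pull server has a self-signed certificate installed using this Microsoft script, titled "New-SelfSignedCertificateEx.ps1" (I suspect the problem lies in new certificate rules implemented in the 1709 update).

The certificate was created using the following code from "Securing the Mof", together with the Microsoft function above: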

    New-SelfsignedCertificateEx `
        -Subject "CN=${ENV:ComputerName}" `
        -EKU 'Document Encryption' `
        -KeyUsage 'KeyEncipherment, DataEncipherment' `
        -SAN ${ENV:ComputerName} `
        -FriendlyName 'DSC Credential Encryption certificate' `
        -Exportable `
        -StoreLocation 'LocalMachine' `
        -KeyLength 2048 `
        -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
        -AlgorithmName 'RSA' `
        -SignatureAlgorithm 'SHA256'

    # Locate the newly created certificate
    $Cert = Get-ChildItem -Path cert:\LocalMachine\My `
        | Where-Object {
            ($_.FriendlyName -eq 'DSC Credential Encryption certificate') `
            -and ($_.Subject -eq "CN=${ENV:ComputerName}")
        } | Select-Object -First 1

Pull client system details (working LCM registration):

OS: Windows 10 Pro

WinVer: Version 1511 (Build 10586.63)

PS Version: 5.0.10586.63

xPSDesiredStateConfiguration: 7.0.0.0

Pull client LCM configuration:

A simple configuration taken from "Setting up a pull client using configuration names":

    [DSCLocalConfigurationManager()]
    configuration PullClientConfigNames
    {
        Node $Target
        {
            Settings
            {
                RefreshMode = 'Pull'
                RefreshFrequencyMins = 30
                RebootNodeIfNeeded = $true
            }
            ConfigurationRepositoryWeb CONTOSO-PullSrv
            {
                ServerURL = "https://${env:computername}:8080/PSDSCPullServer.svc"
                RegistrationKey = {Correct registration key from pull server}
                ConfigurationNames = @($Target)
            }
        }
    }
    PullClientConfigNames

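Now, all of the above code worked and the client was able to register with the pull server until I updated the pull client to Windows 10 version 1709. After the Windows update was applied, however, the client no longer registers with the pull server.

Pull client system details after the update:

OS: Windows 10 Pro

WinVer: Version 1709 (Build 16299.19)

PS Version: 5.1.16299.19

xPSDesiredStateConfiguration: 7.0.0.0

Pull client error (Event Viewer):

(Microsoft-Windows-Desired State Configuration/Operational) during the attempt to register with the server.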

Job {7BD76187-B9A2-11E7-8ACF-080027D18DCF} : 
Http Client A3B5331D-B51C-11E7-8ACE-080027D18DCF failed to register Dsc Agent:
+ FullyQualifiedErrorId : RegisterDscAgentCommandFailed
+ CategoryInfo : InvalidResult: (:) [], InvalidOperationException
+ ExceptionMessage : Failed to register Dsc Agent with AgentId A3B5331D-B51C-11E7-8ACE-080027D18DCF with the server https://dsc-ws1264-co02:8080/PSDSCPullServer.svc/Nodes(AgentId='A3B5331D-B51C-11E7-8ACE-080027D18DCF').
+ InnerException : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord)
---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---<---

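Final notes: It appears that after the pull client was updated, Microsoft changed what is considered a valid certificate. Note the following line in the stack trace from the client: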

The remote certificate is invalid according to the validation procedure

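Has Microsoft dropped support for self-signed certificates on pull servers? Perhaps there is a new Group Policy setting that allows the new Windows version (1709) to accept self-signed certificates. Either way, I have exhausted my resources. The problem is easy to reproduce using the configuration above on the operating systems/versions mentioned. Any insight into how to debug or fix this further is greatly appreciated.

Best answer

After posting this question on Powershell.org/forums, Don Jones quickly answered it. It turns out that using a self-signed certificate for your pull server to get a "fake" secure test environment has now been locked down by Windows and is no longer supported. This is to prevent developers from accidentally using it in production.

My solution for now is to provide a standard, unsecured HTTP pull server for our test lab until we need a real certificate for production.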
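
The client error above names certificate validation as the failure. As an added example (not part of the original question or answer), this PowerShell function reports which standard X.509 checks a certificate fails when used as an HTTPS endpoint certificate. The function name Test-PullServerCertificate is hypothetical, and it applies .NET's X509Chain checks rather than the LCM's own validation code.

```powershell
function Test-PullServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    $findings = @()

    # 1. Chain trust and validity dates. A self-signed certificate reports
    #    UntrustedRoot unless it is in the validating machine's Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a lab CA may publish no CRL
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) { $findings += "Chain: $($s.Status)" }
    }

    # 2. Enhanced Key Usage. When an EKU extension is present it has to list
    #    Server Authentication (OID 1.3.6.1.5.5.7.3.1) for TLS server use.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
        $findings += 'EKU: Server Authentication is not listed'
    }

    # 3. Name match. Simplified: compares only the first DNS name (SAN, else CN)
    #    and does not expand wildcards.
    $dnsName = $Certificate.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $HostName) {
        $findings += "Name: certificate is for '$dnsName', URL uses '$HostName'"
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Valid      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage on the pull server: find the certificate by the FriendlyName used in the
# question and check it against the host name that appears in the ServerURL.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'DSC Credential Encryption certificate' } |
    Select-Object -First 1
if ($cert) { Test-PullServerCertificate -Certificate $cert -HostName $env:COMPUTERNAME }
```

Running the same function on the client against an exported copy of the server certificate shows the chain result from the client's own trust store.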

Regarding windows - DSC Pull Server Fails to Register Windows 10 (1709) Client, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46939614/
