
Example files and setting up HTTPS Real Certificate DSC Pull Server + Client - xPSDesiredStateConfiguration Module version 8.0.0.0

Open MarioParty1 opened this issue 8 years ago • 16 comments

I posted the following comment on: https://docs.microsoft.com/en-us/powershell/dsc/pullserver


Hi,

https://docs.microsoft.com/en-us/powershell/dsc/pullserver Comment on point 4 (configuration Sample_xDscPullServer): the example configuration seems not up to date anymore, and the example file name has changed.

The up-to-date examples seem to be:

https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebServiceRegistration.ps1
https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

I will post this on Github too.

MarioParty1 commented Nov 27 '17 14:11

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

PSScriptAnalyzer: The variable 'thumbprint' is assigned but never used. (PSUseDeclaredVarsMoreThanAssignments)

Own analysis: parameter mismatch: $thumbprint on line 14 should be $certificateThumbPrint to match the $certificateThumbPrint parameters on lines 49 and 68.

    line 14: $thumbprint = (New-SelfSignedCertificate -Subject "TestPullServer").Thumbprint

    line 49: CertificateThumbPrint = $certificateThumbPrint

    line 68: Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint

MarioParty1 commented Nov 30 '17 13:11

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

After running the corrected Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1, a warning pops up that refers to the 'PSDesiredStateConfiguration' module while the experimental 'xPSDesiredStateConfiguration' is still used.

I don't even have the non-experimental 'PSDesiredStateConfiguration' module installed, but I still got the Pull server running now.

PowerShell:

    Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificatethumbprint -$certificatethumbprint
    WARNING: The configuration 'Sample_xDscWebServiceRegistrationWithSecurityBestPractices' is loading one or more built-in resources without explicitly importing associated modules. Add Import-DscResource –ModuleName 'PSDesiredStateConfiguration' to your configuration to avoid this message.

I install and import both modules now in my DSC installation:

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

MarioParty1 commented Nov 30 '17 13:11

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

A (new?) parameter is missing from the example file and can be added:

Enable32BitAppOnWin64

MarioParty1 commented Dec 06 '17 17:12

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Please use the same case-sensitive style for the following parameters and comments everywhere in the example file:

CertificateThumbPrint, RegistrationKey

Below are some line examples where the casing is not consistent:

    45  CertificateThumbPrint = $certificateThumbPrint
    68  # Sample_xDscWebServiceRegistration -RegistrationKey $registrationkey -certificateThumbPrint $thumbprint

    67  # $registrationkey = [guid]::NewGuid()
    68  # Sample_xDscWebServiceRegistration -RegistrationKey $registrationkey -certificateThumbPrint $thumbprint
    111 # Sample_MetaConfigurationToRegisterWithLessSecurePullServer -RegistrationKey $registrationkey

MarioParty1 commented Dec 06 '17 17:12

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

It seems like I am facing SSL/TLS issues with the security settings based on the example file: https://powershell.org/forums/topic/dsc-pull-server-with-ssl/

I am trying these settings now and playing around with the Schannel SSL/TLS registry keys, because the client agent fails to register.

--> So I add the parameter "DisableSecurityBestPractices":

        DisableSecurityBestPractices ='SecureTLSProtocols'

Update: I never got the DSC Pull Server + DSC LCM Agent running with a self-signed certificate. The DSC Agent Service fails to register. With a real SSL certificate I got the setup running. The DSC LCM Agent registers perfectly and I got an MOF file applying some configuration on the agent.

Currently I use the following parameters with an SSL certificate. Will try to do the same with the real certificate with $false for AcceptSelfSignedCertificates = $true. So, the configuration below did NOT work with self-signed (agent registration fails):

        AcceptSelfSignedCertificates = $true
        UseSecurityBestPractices     = $false # Caution: Setting this property to $true will reset registry values under "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL". 
        DisableSecurityBestPractices ='SecureTLSProtocols'

I also tried playing with ports 80/8080 and 443 in the DSC configuration and in IIS management / website port bindings, without result for the self-signed certificate setup. The setup with a real SSL certificate got running on 443; I didn't try 80 or 8080 for the real SSL setup.

    xDscWebService PSDSCPullServer
    {
        Port                         = 443

According to the example file, self-signed should work fine over HTTPS.

MarioParty1 commented Dec 07 '17 18:12

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

The following parameter is missing in the example file:

For the DSC LCM client, when the DSC Pull Server is running with an SSL website, the LCM agent example file needs the following parameter:

    ConfigurationRepositoryWeb PSDSCPullServer
    {
        CertificateID      =  'certificatethumbprinthere'

MarioParty1 commented Feb 06 '18 13:02
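An added example of the client side, not one of the repository's sample files: an LCM meta-configuration that registers with the HTTPS pull server discussed in the thread and sets CertificateID as the comment above describes. The server URL, registration key, thumbprint and the configuration name 'WebServerBaseline' are placeholders/assumptions.

```powershell
# Added example (not from the xPSDesiredStateConfiguration samples).
# Compiles a meta-MOF that points the client LCM at an HTTPS pull server.
[DSCLocalConfigurationManager()]
configuration LcmRegisterWithHttpsPullServer
{
    param (
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [string] $ServerUrl,        # e.g. https://pull01.example.com:443/PSDSCPullServer.svc (placeholder)
        [Parameter(Mandatory)] [string] $RegistrationKey,  # the GUID stored in RegistrationKeys.txt on the pull server
        [Parameter(Mandatory)] [string] $CertificateID     # thumbprint of a cert in the client's Cert:\LocalMachine\My
    )

    Node $NodeName
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded   = $false
        }

        ConfigurationRepositoryWeb PSDSCPullServer
        {
            ServerURL               = $ServerUrl
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('WebServerBaseline')   # assumed name of the MOF published on the server
            AllowUnsecureConnection = $false                   # refuse a plain-HTTP ServerURL
            CertificateID           = $CertificateID
        }
    }
}

# Usage (values are placeholders): compile, push to the LCM, then force a pull so a
# registration failure shows up immediately in the verbose output.
LcmRegisterWithHttpsPullServer -NodeName 'CLIENT01' `
    -ServerUrl 'https://pull01.example.com:443/PSDSCPullServer.svc' `
    -RegistrationKey '<KEYHERE>' -CertificateID '<THUMBPRINTHERE>' -OutputPath C:\Temp\Lcm
Set-DscLocalConfigurationManager -Path C:\Temp\Lcm -ComputerName CLIENT01 -Verbose
Update-DscConfiguration -ComputerName CLIENT01 -Wait -Verbose
# Confirm what the LCM actually recorded for the pull server.
(Get-DscLocalConfigurationManager -CimSession CLIENT01).ConfigurationDownloadManagers
```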

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

The following points are not part of any ReadMe at all:

1: Clarify generating and applying the .MOF file better, to install the DSC server, in the example file or ReadMe. Currently there is nothing described.

Example clarification:

This script only generates a <$NodeName>.MOF file. A checksum on the .MOF file is currently not used.

The following parameters for the DSC configuration are environment/customer specific to create the .MOF file. The parameters are in the arguments section. Invoke the DSC configuration script with these parameters: <Scriptfilename.ps1> -RegistrationKey $RegistrationKey -CertificateThumbPrint $CertificateThumbPrint

With the .MOF file you can apply the DSC Pull Server configuration with the Start-DscConfiguration command below.

    Start-DscConfiguration -Path <Filename not needed, checks for .MOF file with ComputerName> -ComputerName <$NodeName target server in this script> -force -verbose -wait
    Start-DscConfiguration -Path C:\Temp -ComputerName WTST0055 -force -verbose -wait

MarioParty1 commented Feb 19 '18 16:02
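An added example, not one of the repository's sample files, that ties together the two points raised above: the self-signed certificate that never registered (Dec 07 comment) and the undocumented compile-and-apply steps (this comment). It picks a CA-issued server certificate from the machine store instead of calling New-SelfSignedCertificate, checks it is actually usable for the HTTPS endpoint, then compiles and applies the pull-server MOF. It assumes Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1 has been dot-sourced so its configuration is callable; the node name 'PULL01', the FQDN 'pull01.example.com' and the output path are placeholders.

```powershell
# Added example (not from the xPSDesiredStateConfiguration samples). Assumes the
# sample configuration has been dot-sourced. Names and paths are placeholders.
$NodeName       = 'PULL01'
$PullServerFqdn = 'pull01.example.com'
$OutputPath     = 'C:\Temp\PullServer'
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

# 1. Select a CA-issued server certificate from the machine store: private key
#    present, issuer differs from subject (so not self-signed), Server
#    Authentication EKU, currently valid, and a SAN matching the name clients
#    will put in ServerURL. This is the pre-flight check a failing registration calls for.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -ne $_.Issuer -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $PullServerFqdn)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid CA-issued server certificate for $PullServerFqdn in Cert:\LocalMachine\My"
}
$CertificateThumbPrint = $cert.Thumbprint

# 2. Registration key: create it once and reuse it on later runs; otherwise every
#    re-run rotates the key and clients that register later need the new value.
#    The file authorizes client registration, so restrict it to admins and SYSTEM.
$keyFile = Join-Path $OutputPath 'RegistrationKey.txt'
if (Test-Path $keyFile) {
    $RegistrationKey = (Get-Content -Path $keyFile -Raw).Trim()
} else {
    $RegistrationKey = [guid]::NewGuid().ToString()
    Set-Content -Path $keyFile -Value $RegistrationKey
    icacls $keyFile /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' 'SYSTEM:(R)' | Out-Null
}

# 3. Compile: writes <NodeName>.mof into $OutputPath.
Sample_xDscWebServiceRegistrationWithSecurityBestPractices -NodeName $NodeName `
    -RegistrationKey $RegistrationKey -CertificateThumbPrint $CertificateThumbPrint `
    -OutputPath $OutputPath

# 4. Apply: -Path is the folder; the MOF is matched to the node by computer name.
Start-DscConfiguration -Path $OutputPath -ComputerName $NodeName -Wait -Verbose -Force
```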

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 18: Should be "Section DSC Pull Server" instead of "Section DSC Client"

MarioParty1 commented Feb 19 '18 16:02

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 68: Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint

Line 109: Sample_MetaConfigurationToRegisterWithSecurePullServer -RegistrationKey $registrationkey

These lines affect the Arguments section, lines 13/16:

    $thumbprint = (New-SelfSignedCertificate -Subject "TestPullServer").Thumbprint
    $registrationkey = [guid]::NewGuid()

The parameters are customer specific; it is not very clear that the default arguments generate a self-signed certificate and create a new registration key (both on each run).

Better to add a note to the arguments about what they do, and expand the parameter section.

I described it like this:

    ======================================== Arguments ============================================

    $CertificateThumbPrint = (New-SelfSignedCertificate -Subject "<NAMEHERE>").Thumbprint # Creates new self-signed Certificate and add "CertificateThumbPrint" parameter value to .MOF file.

    $RegistrationKey = [guid]::NewGuid() # Generates new RegistrationKey and add parameter value to the text file in "File RegistrationKeyFile" and "DestinationPath".

    ================================== Section DSC Pull Server ====================================

    configuration <NAMEHERE>
    {
        param
        (
            [string[]]$NodeName = '<HOSTNAMEHERE>',

            [ValidateNotNullOrEmpty()]
            [string] $CertificateThumbPrint  = '<THUMBPRINTHERE>',            # Generated self-signed certificate by default

            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey        = '<KEYHERE>'                 # A guid that clients use to initiate conversation with pull server

MarioParty1 commented Feb 19 '18 16:02

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 46: EndpointName = "PSDSCPullServer"

Clarify the parameter: the name that is used for the IIS website and for "Issued To" and "Issued By" of a self-signed certificate.

MarioParty1 commented Feb 19 '18 16:02

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Lines 14+15:

    $CertificateThumbPrint = (New-SelfSignedCertificate -Subject "ITN_PSDSCPullServer").Thumbprint
    $RegistrationKey = [guid]::NewGuid()

Clarify what the arguments do: $CertificateThumbPrint, example 2b6e5914d236d594ddce355d7a6779b563932c34. Creates a new certificate + thumbprint each run and adds the parameter value to the new .MOF file.

$RegistrationKey, example 201dd1e3-53d6-4265-9992-6647c2ab2152. Generates a new RegistrationKey each run and adds the parameter value to the new .MOF file.

MarioParty1 commented Feb 19 '18 16:02

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 43: xDscWebService PSDSCPullServer

Clarify what it installs: Installs WindowsFeature "DSCServiceFeature" which includes the IIS Web Server Role (without Management Tools)

MarioParty1 commented Feb 19 '18 16:02

Readme.md, xDscWebService:

    CertificateThumbPrint: Certificate thumbprint for creating an HTTPS endpoint. Use "AllowUnencryptedTraffic" for setting up a non SSL based endpoint.

This parameter is not part of the example file Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1.

Add a parameter example: AllowUnencryptedTraffic = $false

But it seems like the parameter is invalid. I looked a bit into the module, but it seems like some link is missing; the parameter does pop up in some files:

    The member 'AllowUnencryptedTraffic' is not valid. Valid members are 'AcceptSelfSignedCertificates', 'CertificateThumbPrint', 'ConfigurationPath', 'DatabasePath', 'DependsOn', 'DisableSecurityBestPractices', 'Enable32BitAppOnWin64', 'EndpointName', 'Ensure', 'ModulePath', 'PhysicalPath', 'Port', 'PsDscRunAsCredential', 'RegistrationKeyPath', 'State', 'UseSecurityBestPractices'.

MarioParty1 commented Feb 19 '18 17:02

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

It may be useful to mention that Remote IIS Administration is disabled by default, while it is needed for the DSC Pull Server.

Enabling:

    # Enable IIS remote management
    WindowsFeature Web-Mgmt-Service
    {
        Ensure    = "Present"
        Name      = "Web-Mgmt-Service"
        DependsOn = "[WindowsFeature]DSCServiceFeature"
    }
    
    Registry EnableRemoteManagement # By default installing the WindowsFeature Web-Mgmt-Service does not set this registry value
    {
        Ensure      = "Present"
        Key         = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
        Valuename   = "EnableRemoteManagement"
        Valuetype   = "Dword"
        Valuedata   = "1"
        DependsOn   = "[WindowsFeature]DSCServiceFeature"
    }

    Service WMSVC # Remote Administration for IIS Manager
    {
        Ensure      = "Present"
        Name        = "WMSVC"
        StartupType = "Automatic" # Default state is manual
        State       = "Running"
        DependsOn   = "[WindowsFeature]DSCServiceFeature"
    }

MarioParty1 commented Feb 19 '18 17:02

Readme.md and/or Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

A clarification/notice about the option to use a MOF file checksum would be nice.

MarioParty1 commented Feb 19 '18 18:02

Sample_xDscWebServiceRemoval.ps1

Also needs the module (otherwise an error):

    Import-DSCResource -ModuleName PSDesiredStateConfiguration

Also needs an invocation at the end of the script:

    xDscWebServiceRemoval

MarioParty1 commented Feb 20 '18 12:02