Fatal编程技术网
  • windows/
  • DSC拉式服务器无法注册Windows 10(1709)客户端

DSC拉式服务器无法注册Windows 10(1709)客户端

windows powershell ssl certificate

DSC拉式服务器无法注册Windows 10(1709)客户端,windows,powershell,ssl,certificate,dsc,Windows,Powershell,Ssl,Certificate,Dsc,问题: 无法向拉式服务器注册DSC windows 10(版本1709)客户端 背景:下面是在将客户端更新到1709版本之前,为注册windows 10客户端节点(版本:1511)而实施并正常工作的环境/配置的详细列表。已使用以下配置重新创建pull服务器及其证书,以使配置尽可能简单,以证明问题 拉取服务器系统详细信息: 操作系统:Windows Server 2012 R2 WinVer:6.3版(版本9600) PSVersion:5.1.14409.1012 xPSDesiredState

问题: 无法向拉式服务器注册DSC windows 10(版本1709)客户端

背景:下面是在将客户端更新到1709版本之前,为注册windows 10客户端节点(版本:1511)而实施并正常工作的环境/配置的详细列表。已使用以下配置重新创建pull服务器及其证书,以使配置尽可能简单,以证明问题

拉取服务器系统详细信息:

操作系统:Windows Server 2012 R2

WinVer:6.3版(版本9600)

PSVersion:5.1.14409.1012

xPSDesiredStateConfiguration:7.0.0.0

拉取服务器配置:

拉取服务器是使用位于页面标题“设置web拉取服务器”下的microsoft示例脚本配置的(为方便起见,复制如下)

拉取服务器证书信息:

pull服务器使用名为“new SelfSignedCertificateEx.ps1”的Microsoft脚本安装了自签名证书(我怀疑问题在于1709更新中实施的新证书规则)

证书是使用Microsoft的以下代码和以上功能创建的:

     New-SelfsignedCertificateEx `
    -Subject "CN=${ENV:ComputerName}" `
    -EKU 'Document Encryption' `
    -KeyUsage 'KeyEncipherment, DataEncipherment' `
    -SAN ${ENV:ComputerName} `
    -FriendlyName 'DSC Credential Encryption certificate' `
    -Exportable `
    -StoreLocation 'LocalMachine' `
    -KeyLength 2048 `
    -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -AlgorithmName 'RSA' `
    -SignatureAlgorithm 'SHA256'
   # Locate the newly created certificate
   $Cert = Get-ChildItem -Path cert:\LocalMachine\My `
    | Where-Object {
        ($_.FriendlyName -eq 'DSC Credential Encryption certificate') `
        -and ($_.Subject -eq "CN=${ENV:ComputerName}")
    } | Select-Object -First 1
拉取客户端系统详细信息(工作LCM注册)

操作系统:Windows10Pro

WinVer:1511版(版本10586.63)

PSVersion:5.0.10586.63

xPSDesiredStateConfiguration:7.0.0.0

拉式客户端LCM配置:

可从以下位置找到简单配置:

现在,在我将pull客户端更新到Windows10Version1709之前,上面的所有代码都有效,并且客户端能够注册到pull服务器。但是,在应用windows update之后,客户端不再向pull服务器注册

更新后拉取客户端系统详细信息

操作系统:Windows10Pro

WinVer:1709版(版本16299.19)

PSVersion:5.1.16299.19

xPSDesiredStateConfiguration:7.0.0.0

拉取客户端错误(事件查看器)

(Microsoft Windows所需状态配置/操作)在尝试拉入服务器注册期间

Job {7BD76187-B9A2-11E7-8ACF-080027D18DCF} : 
Http Client A3B5331D-B51C-11E7-8ACE-080027D18DCF failed to register Dsc Agent: 
+ FullyQualifiedErrorId : RegisterDscAgentCommandFailed
+ CategoryInfo : InvalidResult: (:) [], InvalidOperationException
+ ExceptionMessage : Failed to register Dsc Agent with AgentId A3B5331D-B51C-11E7-8ACE-080027D18DCF with the server https://dsc-ws1264-co02:8080/PSDSCPullServer.svc/Nodes(AgentId='A3B5331D-B51C-11E7-8ACE-080027D18DCF').
+ InnerException : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---
 --- End of inner exception stack trace ---
 at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
 at Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord)
 ---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
 at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
 at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---
 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
 at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---<---
Microsoft是否已停止支持拉取服务器的自签名证书?可能有一个新的组策略设置,允许新的windows版本(1709)接受自签名证书。不管怎样,我的资源已经耗尽了。使用上述操作系统/版本上的配置很容易重新创建此问题。任何关于如何进一步调试/修复此问题的见解都将不胜感激

将此问题发布到 唐·琼斯很快回答了这个问题。事实证明,使用自签名证书使拉式服务器拥有“假”安全测试环境现在已被windows锁定,不再受支持。这是为了防止开发人员在生产环境中意外使用它

我现在的解决方案是为我们的测试实验室提供一个标准的不安全http pull服务器,直到我们需要一个用于生产环境的真实证书为止

将此问题发布到 唐·琼斯很快回答了这个问题。事实证明,使用自签名证书使拉式服务器拥有“假”安全测试环境现在已被windows锁定,不再受支持。这是为了防止开发人员在生产环境中意外使用它

我现在的解决方案是为我们的测试实验室提供一个标准的不安全http pull服务器,直到我们需要一个用于生产环境的真实证书为止

那是相当幸运的。我在那里永远也找不到任何合理的答案,尤其是从那个家伙那里;)那是相当幸运的。我在那里永远也找不到任何合理的答案,尤其是从那个家伙那里;) 
[DSCLocalConfigurationManager()]
configuration PullClientConfigNames
{
    Node $Target
    {
        Settings
        {
            RefreshMode = 'Pull'
            RefreshFrequencyMins = 30
            RebootNodeIfNeeded = $true
        }
        ConfigurationRepositoryWeb CONTOSO-PullSrv
        {
            ServerURL = "https://${env:computername}:8080/PSDSCPullServer.svc"
            RegistrationKey = {Correct registration key from pull server}
            ConfigurationNames = @($Target)
        }
    }
}
PullClientConfigNames

Job {7BD76187-B9A2-11E7-8ACF-080027D18DCF} : 
Http Client A3B5331D-B51C-11E7-8ACE-080027D18DCF failed to register Dsc Agent: 
+ FullyQualifiedErrorId : RegisterDscAgentCommandFailed
+ CategoryInfo : InvalidResult: (:) [], InvalidOperationException
+ ExceptionMessage : Failed to register Dsc Agent with AgentId A3B5331D-B51C-11E7-8ACE-080027D18DCF with the server https://dsc-ws1264-co02:8080/PSDSCPullServer.svc/Nodes(AgentId='A3B5331D-B51C-11E7-8ACE-080027D18DCF').
+ InnerException : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---
 --- End of inner exception stack trace ---
 at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
 at Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand.IssueRequest(DotNetHttpClient client, String subLink, ErrorRecord& errorRecord)
 ---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
 at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
 at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---
 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
 at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
 --- End of inner exception stack trace ---<---

The remote certificate is invalid according to the validation procedure