4

I'm having difficulties joining a Windows machine to Azure DSC automation. I'm getting the following error:

Registration of the Dsc Agent with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX failed. The underlying error is: The attempt to register Dsc Agent with AgentId
XXXXXXXXXXXXXXXXXXXXXX with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXX') returned unexpected response code
Unauthorized. .
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName        : AZURE-TEST

Here is my meta mof config

param (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName

)

[DscLocalConfigurationManager()]
Configuration DscMetaConfigs
{

    param
    (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName,

        [Boolean]$RebootNodeIfNeeded= $False,

        [String]$ActionAfterReboot = "ContinueConfiguration",

        [Boolean]$AllowModuleOverwrite = $False,

        [Boolean]$ReportOnly = $False
    )

    if(!$NodeConfigurationName -or $NodeConfigurationName -eq "")
    {
        $ConfigurationNames = $null
    }
    else
    {
        $ConfigurationNames = @($NodeConfigurationName)
    }

    if($ReportOnly)
    {
        $RefreshMode = "PUSH"
    }
    else
    {
        $RefreshMode = "PULL"
    }

    Node $ComputerName
    {

        Settings
        {
            RefreshFrequencyMins = $RefreshFrequencyMins
            RefreshMode = $RefreshMode
            ConfigurationMode = $ConfigurationMode
            AllowModuleOverwrite = $AllowModuleOverwrite
            RebootNodeIfNeeded = $RebootNodeIfNeeded
            ActionAfterReboot = $ActionAfterReboot
            ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
        }

        if(!$ReportOnly)
        {
            ConfigurationRepositoryWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
                ConfigurationNames = $ConfigurationNames
            }

            ResourceRepositoryWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
            }
        }

        ReportServerWeb AzureAutomationDSC
        {
            ServerUrl = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

DscMetaConfigs -RegistrationUrl $RegistrationUrl -RegistrationKey $RegistrationKey -ComputerName $env:COMPUTERNAME -NodeConfigurationName $NodeConfigurationName  

I have a script that allows an end user to put in the necessary information (registration keys, URL, etc.), generates the meta mof, then feeds it to the LCM. But I get the aforementioned error when I try to execute.

Here is the relevant DSC event error log

Job {6E7C0C83-BD69-11E7-BD75-005056852B86} : 
Http Client XXXXXXXXXXXXXXXXXXXXXX failed for WebReportManager for configuration 
FullyQualifiedErrorId :ReportManagerSendStatusReportUnsuccessful
 CategoryInfo:InvalidResult: (:) [], InvalidOperationException
 ExceptionMessage:The attempt to send status report to the server https://azureserver/accounts/XXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXXXXX')/SendReport returned unexpected response code Unauthorized.
, InnerException
.

Does anybody have any ideas on what could be the problem? Given the error I'm assuming it's permissions/authentication related, but I'm not sure what it could be besides the key, which I've double checked to make sure is correct.

John Doe

2 Answers

1

I had the exact same problem, and finally I found a solution.

tldr;

Delete all the various DSC-OaaS certificates on the server (using PowerShell):

 gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

Then register the server to Azure Automation.

Explanation

Looking through the DSC logs in EventViewer, I found some entries that looked interesting. Notice the Job identifier.

[Screenshot: Log level Error]

Looking further down the list of entries, making sure to look at entries with the same Job identifier, I found an entry telling me which certificate was used in the communication to Azure Automation:

[Screenshot: Log level Information]

I located the certificate in the local machine certificate store, together with a bunch of other similar certificates.

[Screenshot: Found the cert]

[Screenshot: All certificates]

When I deleted all certificates with friendlyname = DSC-OaaS Client Authentication

gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

...and registered the server successfully to Azure Automation.
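The procedure from this answer as a single function, added here as an example and not part of the original answer: it groups the DSC log entries of failed jobs by Job identifier, lists every certificate carrying the friendly name quoted above, and removes them with `-WhatIf` support. The function name `Reset-DscOaasCertificate`, the log name `Microsoft-Windows-Dsc/Operational` and the `MaxEvents` default are assumptions not stated on the page.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell session.
function Reset-DscOaasCertificate {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Friendly name quoted in the answer above
        [string]$FriendlyName = 'DSC-OaaS Client Authentication',
        [int]$MaxEvents = 500             # assumed default: how far back to read the log
    )

    # 1. Collect the Job GUIDs of DSC operations that failed with 'Unauthorized'.
    $events = @(Get-WinEvent -LogName 'Microsoft-Windows-Dsc/Operational' `
                    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $failedJobs = @($events |
        Where-Object { $_.LevelDisplayName -eq 'Error' -and $_.Message -match 'Unauthorized' } |
        ForEach-Object { if ($_.Message -match 'Job (\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } } |
        Sort-Object -Unique)

    # 2. Print every entry of each failed job in time order, so the Information
    #    entries around the error can be read together with it.
    foreach ($job in $failedJobs) {
        Write-Host "=== $job ==="
        $events | Where-Object { $_.Message -like "*$job*" } | Sort-Object TimeCreated |
            ForEach-Object {
                Write-Host ('{0:u} [{1}] {2}' -f $_.TimeCreated, $_.LevelDisplayName, $_.Message)
            }
    }

    # 3. Inventory matching certificates in every store before touching anything.
    $certs = @(Get-ChildItem -Path Cert:\ -Recurse | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.FriendlyName -eq $FriendlyName })
    $certs | Select-Object Thumbprint, NotBefore, NotAfter, HasPrivateKey, PSParentPath |
        Format-List | Out-String | Write-Host

    # 4. Remove them. -WhatIf and -Confirm on this function are honoured here.
    foreach ($cert in $certs) {
        if ($PSCmdlet.ShouldProcess($cert.PSPath, 'Remove certificate')) {
            $cert | Remove-Item -Verbose -Confirm:$false
        }
    }
}

# Preview first, then run for real:
#   Reset-DscOaasCertificate -WhatIf
#   Reset-DscOaasCertificate
# Afterwards re-apply the generated metaconfiguration, for example:
#   Set-DscLocalConfigurationManager -Path .\DscMetaConfigs -Verbose
```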

0

You can get the registration keys and URL from the Azure Portal.

For more information, please refer to this official document.

Shui shengbao
  • Please ensure [WMF 5](https://www.microsoft.com/en-us/download/details.aspx?id=54616) is installed. – Shui shengbao Oct 31 '17 at 07:10
  • The machine is Windows 10, and has PowerShell 5.1 installed. And I'm using the primary access key from the page you mentioned. Unfortunately, I've been getting that error though. Are there any other reasons for that error to occur? – John Doe Oct 31 '17 at 14:44
  • @JohnDoe Did you try this [config](https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#generating-dsc-metaconfigurations)? – Shui shengbao Nov 01 '17 at 01:05
  • The config in the link is the one I've been using. It appears to work on some machines but it doesn't work on a specific set of machines within a specific subnet. The strange part is that there are no ACLs for any traffic going out from there. Still investigating. – John Doe Nov 02 '17 at 15:47
  • @JohnDoe Do you have some firewall rules in your VM? As a test, could you disable the firewall and test again? – Shui shengbao Nov 03 '17 at 01:12
  • It works sometimes, and other times it doesn't work. It's fairly variable. I might test it on the same system, it runs fine. Test it again in 10 minutes, it'll fail. And even when it fails with the error I mentioned before, I'll observe at times that the server will actually still join to Azure and pull its configuration. I've eliminated the network and the script as being the culprits, since I've even tested it by logging in on the machine via my Azure account in PowerShell and pulling the metamof that needs to be run. – John Doe Nov 15 '17 at 17:40