4

I'm having difficulties joining a Windows machine to Azure DSC automation. I'm getting the following error:

    Registration of the Dsc Agent with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX failed. The underlying error is: The attempt to register Dsc Agent with AgentId XXXXXXXXXXXXXXXXXXXXXX with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXX') returned unexpected response code Unauthorized. .
        + CategoryInfo : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
        + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
        + PSComputerName : AZURE-TEST

Here is my meta mof config

    param
    (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,
        [Int]$ConfigurationModeFrequencyMins = 15,
        [String]$ConfigurationMode = "ApplyAndMonitor",
        [String]$NodeConfigurationName
    )

    [DscLocalConfigurationManager()]
    Configuration DscMetaConfigs
    {
        param
        (
            [Parameter(Mandatory=$True)]
            [String]$RegistrationUrl,

            [Parameter(Mandatory=$True)]
            [String]$RegistrationKey,

            [Parameter(Mandatory=$True)]
            [String[]]$ComputerName,

            [Int]$RefreshFrequencyMins = 30,
            [Int]$ConfigurationModeFrequencyMins = 15,
            [String]$ConfigurationMode = "ApplyAndMonitor",
            [String]$NodeConfigurationName,
            [Boolean]$RebootNodeIfNeeded= $False,
            [String]$ActionAfterReboot = "ContinueConfiguration",
            [Boolean]$AllowModuleOverwrite = $False,
            [Boolean]$ReportOnly = $False
        )

        if(!$NodeConfigurationName -or $NodeConfigurationName -eq "")
        {
            $ConfigurationNames = $null
        }
        else
        {
            $ConfigurationNames = @($NodeConfigurationName)
        }

        if($ReportOnly)
        {
            $RefreshMode = "PUSH"
        }
        else
        {
            $RefreshMode = "PULL"
        }

        Node $ComputerName
        {
            Settings
            {
                RefreshFrequencyMins = $RefreshFrequencyMins
                RefreshMode = $RefreshMode
                ConfigurationMode = $ConfigurationMode
                AllowModuleOverwrite = $AllowModuleOverwrite
                RebootNodeIfNeeded = $RebootNodeIfNeeded
                ActionAfterReboot = $ActionAfterReboot
                ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
            }

            if(!$ReportOnly)
            {
                ConfigurationRepositoryWeb AzureAutomationDSC
                {
                    ServerUrl = $RegistrationUrl
                    RegistrationKey = $RegistrationKey
                    ConfigurationNames = $ConfigurationNames
                }

                ResourceRepositoryWeb AzureAutomationDSC
                {
                    ServerUrl = $RegistrationUrl
                    RegistrationKey = $RegistrationKey
                }
            }

            ReportServerWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
            }
        }
    }

    DscMetaConfigs -RegistrationUrl $RegistrationUrl -RegistrationKey $RegistrationKey -ComputerName $env:COMPUTERNAME -NodeConfigurationName $NodeConfigurationName

I have a script that allows an end user to put in the necessary information (registration keys, URL, etc.), generates the meta mof, then feeds it to the LCM. But I get the aforementioned error when I try to execute.

Here is the relevant DSC event error log

    Job {6E7C0C83-BD69-11E7-BD75-005056852B86} :
    Http Client XXXXXXXXXXXXXXXXXXXXXX failed for WebReportManager for configuration FullyQualifiedErrorId :ReportManagerSendStatusReportUnsuccessful
    CategoryInfo:InvalidResult: (:) [], InvalidOperationException
    ExceptionMessage:The attempt to send status report to the server https://azureserver/accounts/XXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXXXXX')/SendReport returned unexpected response code Unauthorized. , InnerException .

Does anybody have any ideas on what could be the problem? Given the error I'm assuming it's permissions/authentication related, but I'm not sure what it could be besides the key, which I've double checked to make sure is correct.

2 Answers

1

I had the exact same problem, and finally I found a solution.

tldr;

Delete all the various DSC-OaaS certificates on the server (using PowerShell):

    gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

Then register the server to Azure Automation.

Explanation

Looking through the DSC logs in EventViewer, I found some entries that looked interesting. Notice the Job identifier.

Log level Error

Looking further down the list of entries, making sure to look at entries with the same Job identifier, I found an entry telling me which certificate was used in the communication to Azure Automation:

Log level Information

I located the certificate in the local machine certificate store, together with a bunch of other similar certificates.

Found the cert

All certificates

When I deleted all certificates with friendlyname = DSC-OaaS Client Authentication

    gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

..and registered the server successfully to Azure Automation.
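The cleanup from the answer above, split into an inventory step and a removal step that supports `-WhatIf`, so the certificates can be reviewed before anything is deleted. This is an added example, not part of the original answer; the function names `Get-DscOaasCertificate` and `Remove-DscOaasCertificate` are hypothetical, and only the friendly name is taken from the answer.

```powershell
#Requires -RunAsAdministrator
# Added example: function names are hypothetical; the friendly name comes from the answer.

function Get-DscOaasCertificate {
    [CmdletBinding()]
    param (
        [String]$FriendlyName = 'DSC-OaaS Client Authentication'
    )
    # The Cert: drive also returns store and location containers, so keep certificates only.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.FriendlyName -eq $FriendlyName
        } |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } },
            @{ Name = 'Store';   Expression = { ($_.PSParentPath -split '\\')[-1] } },
            PSPath
}

function Remove-DscOaasCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param (
        [String]$FriendlyName = 'DSC-OaaS Client Authentication'
    )
    foreach ($cert in Get-DscOaasCertificate -FriendlyName $FriendlyName) {
        $target = '{0} in store {1} (expires {2:u})' -f $cert.Thumbprint, $cert.Store, $cert.NotAfter
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run deletes nothing.
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            Remove-Item -LiteralPath $cert.PSPath -Verbose
        }
    }
}

# 1. Review what is in the machine store and compare the thumbprints with the
#    certificate named in the DSC event log entry for the failing job.
Get-DscOaasCertificate |
    Format-Table Thumbprint, Store, NotBefore, NotAfter, Expired, HasPrivateKey -AutoSize

# 2. Dry run first; then remove for real and register the node again.
Remove-DscOaasCertificate -WhatIf
# Remove-DscOaasCertificate -Confirm:$false
```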

0

You could get the registration keys and URL on the Azure Portal.

For more information, please refer to this official document.

6
  • Please ensure WMF 5 is installed. Commented Oct 31, 2017 at 7:10
  • The machine is Windows 10, and has PowerShell 5.1 installed. And I'm using the primary access key from the page you mentioned. Unfortunately, I've been getting that error though. Are there any other reasons for that error to occur? Commented Oct 31, 2017 at 14:44
  • @JohnDoe Did you try this config? Commented Nov 1, 2017 at 1:05
  • The config in the link is the one I've been using. It appears to work on some machines but it doesn't work on a specific set of machines within a specific subnet. The strange part is that there are no ACLs for any traffic going out from there. Still investigating. Commented Nov 2, 2017 at 15:47
  • @JohnDoe Do you have some firewall rules in your VM? As a test, could you disable the firewall and test again? Commented Nov 3, 2017 at 1:12
