Powershell – Failure joining on-prem to Azure DSC Automation (Response code: Unauthorized)

azuredscpowershell

I'm having difficulties joining a Windows machine to Azure DSC automation. I'm getting the following error:

Registration of the Dsc Agent with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX failed. The underlying error is: The attempt to register Dsc Agent with AgentId
XXXXXXXXXXXXXXXXXXXXXX with the server https://azureserver/accounts/XXXXXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXX') returned unexpected response code
Unauthorized. .
    + CategoryInfo          : InvalidResult: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : RegisterDscAgentUnsuccessful,Microsoft.PowerShell.DesiredStateConfiguration.Commands.RegisterDscAgentCommand
    + PSComputerName        : AZURE-TEST

Here is my meta mof config

param (
[Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName

)

[DscLocalConfigurationManager()]
Configuration DscMetaConfigs
{

    param
    (
        [Parameter(Mandatory=$True)]
        [String]$RegistrationUrl,

        [Parameter(Mandatory=$True)]
        [String]$RegistrationKey,

        [Parameter(Mandatory=$True)]
        [String[]]$ComputerName,

        [Int]$RefreshFrequencyMins = 30,

        [Int]$ConfigurationModeFrequencyMins = 15,

        [String]$ConfigurationMode = "ApplyAndMonitor",

        [String]$NodeConfigurationName,

        [Boolean]$RebootNodeIfNeeded= $False,

        [String]$ActionAfterReboot = "ContinueConfiguration",

        [Boolean]$AllowModuleOverwrite = $False,

        [Boolean]$ReportOnly = $False
    )

    if(!$NodeConfigurationName -or $NodeConfigurationName -eq "")
    {
        $ConfigurationNames = $null
    }
    else
    {
        $ConfigurationNames = @($NodeConfigurationName)
    }

    if($ReportOnly)
    {
    $RefreshMode = "PUSH"
    }
    else
    {
    $RefreshMode = "PULL"
    }

    Node $ComputerName
    {

        Settings
        {
            RefreshFrequencyMins = $RefreshFrequencyMins
            RefreshMode = $RefreshMode
            ConfigurationMode = $ConfigurationMode
            AllowModuleOverwrite = $AllowModuleOverwrite
            RebootNodeIfNeeded = $RebootNodeIfNeeded
            ActionAfterReboot = $ActionAfterReboot
            ConfigurationModeFrequencyMins = $ConfigurationModeFrequencyMins
        }

        if(!$ReportOnly)
        {
        ConfigurationRepositoryWeb AzureAutomationDSC
            {
                ServerUrl = $RegistrationUrl
                RegistrationKey = $RegistrationKey
                ConfigurationNames = $ConfigurationNames
            }

            ResourceRepositoryWeb AzureAutomationDSC
            {
            ServerUrl = $RegistrationUrl
            RegistrationKey = $RegistrationKey
            }
        }

        ReportServerWeb AzureAutomationDSC
        {
            ServerUrl = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

DscMetaConfigs -RegistrationUrl $RegistrationUrl -RegistrationKey $RegistrationKey -ComputerName $env:COMPUTERNAME -NodeConfigurationName $NodeConfigurationName

I have a script that allows an end user to put in the necessary information (Registration keys, URL etc..), generates the meta mof then feeds it to the LCM. But I get the aforementioned error when I try to execute.

Here is the relevant DSC event error log

Job {6E7C0C83-BD69-11E7-BD75-005056852B86} : 
Http Client XXXXXXXXXXXXXXXXXXXXXX failed for WebReportManager for configuration 
FullyQualifiedErrorId :ReportManagerSendStatusReportUnsuccessful
 CategoryInfo:InvalidResult: (:) [], InvalidOperationException
 ExceptionMessage:The attempt to send status report to the server https://azureserver/accounts/XXXXXXXXXXXXXXXXX/Nodes(AgentId='XXXXXXXXXXXXXXXXXXXXXXXXX')/SendReport returned unexpected response code Unauthorized.
, InnerException
.

Does anybody have any ideas on what could be the problem? Given the error I'm assuming it's permissions/authentication related, but I'm not sure what it could besides the key, which I've double checked to make sure is correct.

Best Answer

I had the exact same problem, and finally I found a solution.

tldr;

Delete all various DSC-Oaas certificates on the server (using Powershell):

 gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

Then register the server to Azure Automation.

Explaination

Looking through the DSC logs in EventViewer, I found some entries that looked interesting. Notice the Job identifier.

Looking further down the list of entries, making sure to look at entries with the same Job identifier, I found an entry telling me which certificate was used in the communication to Azure Automation:

I located the certificate in the local machine certificate store, together with a bunch of other similar certificates.

When I deleted all certificates with friendlyname = DSC-OaaS Client Authentication

gci cert: -Recurse | where friendlyname -eq "DSC-OaaS Client Authentication" | Remove-Item -Verbose

..and registred the server successfully to Azure Automation.

Related Solutions

Powershell – Kill process, then uninstall application–Can I do this with PowerShell, over 400 computers, from a txt file

While this is technically possible, there's probably a better way to go about it.

And speaking of better ways to go about it, You could do this in a GPO with a few lines of code as a startup or shutdown script, which is how I handle this. With a few more lines of code you could log the results of checking for the presence of this thing and/or uninstalling it, which would undoubtedly be useful in your compliance efforts.

If a GPO-linked startup/shutdown script's not an option for whatever reason, I think I'd use PSExec to kill the process on a list of computers read in from file and then script the uninstall in an appropriate language. Seem to me that this is a lot easier in VB, for example.

a=WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\UninstallString")

If a<>"" Then

WshShell.Run(a&" /S"),1,True
i=i+1

end if

(Goodbye Google Toolbar, in that example which I wrote or copied a few years back. Copied, probably. I am rather lazy.)

Without debugging the PS script you copied, I'd point out that you might be running a different PS version, different PS modules installed/loaded and/or there might be some dependencies that your XP machines don't have in place that's causing problems.

Powershell DSC File copy – Workgroup machines

Typically I approach a problem like this in one of three ways:

Create a scheduled task on the remote machine with explicit credential, to do the Start-DscConfiguration locally. It will run exactly as local user for purposes of the next hop in remoting.
Consider creating and using a JEA endpoint. This is more complicated, but heads you down the path towards simplifying the ongoing credential management of managing remote machines.
You may be able to create a mapped drive to the remote share with explicit creds using something like a Script resource

Beware doing remote Start-DscConfiguration if you have additional configurations that may do network affecting changes.
For instance, creating the previously mentioned JEA endpoints via the JustEnoughAdministration resource can reset WinRM and prematurely interrupt both local and remote Start-DscConfiguration calls that -Wait.

The scheduled task is immune to both network affecting issues within the Configuration, as well as simple network flakiness from other environment factors. The big trick is if you need to then monitor for the stabilization of the configuration, which is an exercise for the reader (or a future question/answer.)