I'm trying to create my first DSC pull configuration. My node server can read its .mof files if I store them in a directory on the node server, but it can't access its configuration .mof from a configuration-repository-folder because it seems to not have read-permissions to that folder where the .mof and .mof.checksum files are. This might be a result of the fact that the LCM of a node server by default uses the local-SYSTEM-credentials, and not the user login credentials. I cannot set the LCM credential value.
The pull server is up and running (confirmed). The .mof and .checklist.mof files are stored in a network shared folder "\myNetworkShares\DSC-Configs".
Here is how I configure the LCM of my node server, where I set the credential of the ConfigurationRepositoryShare
[DSCLocalconfigurationManager()]
Configuration LCM_CLIENT_PULL
{
Node $AllNodes.NodeName
{
Settings {
AllowModuleOverwrite = $True
ConfigurationMode = 'ApplyAndAutoCorrect'
RefreshMode = 'Pull'
ConfigurationID = $node.Guid
CertificateID = $node.ThumbPrint
}
ConfigurationRepositoryShare DSCSMB {
Credential = $node.Credential
Sourcepath = "\\myNetworkShares\DSC-Configs"
}
}
}
I attempt to invoke my node server to run its configs by typing
Update-DscConfiguration -ComputerName myNodeServerName -Wait -Verbose
And I receive an error: (NOTE: error doesn't occur when .mof is stored in a directory on my node server, to which it has read permissions!)
The file \\myNetworkShares\DSC-Configs\name.mof is not found.
+ CategoryInfo : ObjectNotFound: (\\myNetworkSha...name.mof:String) [], CimException
+ FullyQualifiedErrorId : DSCFileFileNotFound,Microsoft.PowerShell.DesiredStateConfiguration.DownloadManager.FileGetAct
ionCommand
+ PSComputerName : myNodeServerName
I'm trying to change the credential attribute so that my node server can access the config .mof file, by including my credentials in the following line of code:
Set-DSCLocalConfigurationManager -ComputerName myNodeServerName -Path c:\LocationOfMyNodeMetaDataMofFile –Verbose -Credential $myCreds
However, the credential attribute never appear as populated. How can I change the credential attribute of the LCM on my node server???
link to LCM config image
More notes:
I'm avoiding the encryption temporarily by allowing plain text password in the pull-node LCM-configuration .meta.mof file.
I can see that the credential was written to the myNodeServer.meta.mof file before using Set-DSCLocalConfigurationManager
There is a known issue with the credential parameter in a file based pull server. Can you try setting it up with read access for everyone as described in this blog http://nanalakshmanan.com/blog/Push-Config-Pull-Module/
Related
I am having an issue with this Powershell script. I am completely new to powershell. I am trying to automate a specific process. I am attempting to create a script that can take an image, move it to another folder on another drive, then send a message box to a different computer on the domain letting the user know the file transfer has been completed. I was able to get the script to move the file from one location to another the works correctly. I was able to display a message box as well but when I try to add an image to the message box I get the following error below. Also, I have no idea how to send this messagebox to a different computer other than the one the script is running on. Help please.
Cannot convert argument "icon", with value:
"C:\Users\austin.holmes\Downloads\botpic.jpg", for "Show" to type
"System.Windows.MessageBoxImage": "Cannot convert value
"C:\Users\austin.holmes\Downloads\botpic.jpg" to type
"System.Windows.MessageBoxImage". Error: "Unable to match the
identifier name C:\Users\austin.holmes\Downloads\botpic.jpg to a
valid enumerator name. Specify one of the following enumerator names
and try again: None, Hand, Error, Stop, Question, Exclamation,
Warning, Asterisk, Information"" At line:9 char:1+
[System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage)
CategoryInfo : NotSpecified: (:) [], MethodException
FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
CODE:
$_SourcePath = "C:\dummy.txt"
$_DestinationPath = "D:\"
Copy-item –path $_SourcePath –destination $_DestinationPath
$msgButton = [System.Windows.MessageBoxButton]::OK
$msgTitle = “Little Sis Sync Agent Bot!”
$msgbody = “Little Sis Sync Agent files have been moved. Thank me later. :]”
$msgImage = 'C:\Users\austin.holmes\Downloads\botpic.jpg'
[System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage)
I tried the Invoke-Command and I get the follwing error
$_SourcePath = "C:\Users\austin.holmes\Desktop\dummy.txt"
$_DestinationPath = "C:\"
Copy-item –path $_SourcePath –destination $_DestinationPath
Invoke-Command -ComputerName AHC-L80316-AH -ScriptBlock{
$msgButton = [System.Windows.MessageBoxButton]::'OK'
$msgTitle = “Little Sis Sync Agent Bot!”
$msgbody = “Little Sis Sync Agent files have been moved!”
$msgImage = 'Warning'
[System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage)}
[AHC-L80316-AH] Connecting to remote server AHC-L80316-AH failed with
the following error message : The client cannot connect to the
destination specified in the request. Verify that the service on the
destination is running and is accepting requests. Consult the logs
and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the
WinRM service, run the following command on the destination to
analyze and configure the WinRM service: "winrm quickconfig". For
more information, see the about_Remote_Troubleshooting Help topic.
In a MessageBox you can only display one of the available icons in the MessageBoxImage-enumerator. As the errormessage says, use None, Hand, Error, Stop, Question, Exclamation, Warning, Asterisk or Information
To show your own images, you will have to created a separate form.
To run code on a remote computer (in this case your own), use Invoke-Command with computername and scriptblock as parameters. Take a lock at The following link:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7
Summary
As part of our build process on DevOps, I'm trying to copy over the build artifact to a specific folder on an internal network share. Problem is, although the build agent is on our internal network, the DevOps service does not have permissions to access any of the network shares.
I think I can get around this by supplying valid login credentials in the PowerShell script that does the work, but I'm having trouble getting the credentials to be accepted. Though viewing the folder structure without credentials seems to be possible, actually making modifications (create/delete files and/or folders) is giving me access denied or authentication denied messages.
What I've Tried
At first, I was doing a very simple create folder command:
# NETWORK_SHARE would be the internal IP of the target public folder on the network, like 12.345.678.90
New-Item -Path "NETWORK_SHARE\path\to\folder" -ItemType Directory
But that was giving me an Access Denied error:
New-Item : Access to the path 'folder' is denied.
Then I did some research and thought that perhaps if I supply the credentials of a valid user, it would allow me to do this. Here's the simple test command. It's supposed to create a new folder in a specified location:
$username = "MyUsername"
$password = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
# NETWORK_SHARE would be the internal IP of the target public folder on the network, like 12.345.678.90
Invoke-Command -ComputerName "NETWORK_SHARE" -ScriptBlock { New-Item -Path $args[0] -ItemType Directory } -Cred $credentials -Authentication Credssp -ArgumentList "NETWORK_SHARE\path\to\folder"
The error that I'm getting is the following:
Connecting to remote server NETWORK_SHARE failed with the following error message : The WinRM client cannot process the request. CredSSP
authentication is currently disabled in the client configuration. Change the client configuration and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com
It doesn't even look like it's trying to authenticate, it just immediately spits back the error above. I'm not sure how to go about debugging this. I can make changes to the build agent if necessary, but I do not have the ability to change any configuration on the target network share, as that is maintained by the IT team and they are very strict about opening up our drives to the internet. Is there a way to authenticate successfully to create a new folder on the network share without changing any configuration on the target?
I ended up taking a non-Powershell approach to this. Since I had access to the build agent, I configured the DevOps service to run with the credentials of a valid user instead of the default "Network Service" user. This granted the DevOps service all the permissions it needed, and I was able to write a trivial PS script that creates/copies/deletes folders on the network share.
I'm new to DSC and I've been trying for days now to have my meta-configuration working with an SMB pull server, to no avail.
Context:
Target nodes are Win 2012 R2 servers, members of a same domain
I can only use PS 4.0
I can't give read access to everyone on SMB share on pull server
I don't want to have pull mode relying on custom modules to be functional (only base PS 4.0 installation)
My authoring node is currently my test target node
I tried to use New-SelfsignedCertificateEx.ps1 but can't get it to run on my Windows 7
I'm using a self-signed certificate generated on Windows 10 with requested KUs and EKUs
My meta-configuration works with an SMB share without credentials (hosted by test target node itself / read access granted to everyone)
I've been searching the web but only found code examples or questions about credentials passed to a DSC resource. I haven't found an example of PS 4.0 code where a live PSCredential object (retrieved from Get-Credential cmdlet) gets encrypted on-the-fly to a meta-configuration mof.
I've tried to transpose numerous examples (including from here and here), but I'm unable to have my credentials encrypted and still get that well-known message each time:
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'Credential' OF TYPE 'LocalConfigurationManager': Converting and
storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog:
http://go.microsoft.com/fwlink/?LinkId=393729
At line:190 char:16
+ $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Write-Error], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
Errors occurred while processing configuration 'MetaConfigurationForPull'.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2223 char:5
+ throw $errorRecord
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (MetaConfigurationForPull:String) [], InvalidOperationException
+ FullyQualifiedErrorId : FailToProcessConfiguration
Here's my code:
# Getting credentials for filer connection (CIFS share for pulling MOF files)
$cred = Get-Credential -Message 'Provide credentials for CIFS share hosting configuration files:'
Configuration MetaConfigurationForPull {
Param (
[PSCredential] $Credential
)
LocalConfigurationManager {
ConfigurationID = "f28a102c-71c9-43a1-abbb-a944ec7cb5cd";
CertificateID = $AllNodes.Thumbprint;
Credential = $Credential;
RefreshMode = "PULL";
RebootNodeIfNeeded = $false;
DownloadManagerName = "DscFileDownloadManager";
DownloadManagerCustomData = #{SourcePath = '\\smb_pull_server\smb_share\mofs\batch_server'};
}
}
$ConfigData= #{
AllNodes = #(
#{
# The name of the node we are describing
NodeName = "localhost"
# The path to the .cer file containing the
# public key of the Encryption Certificate
# used to encrypt credentials for this node
CertificateFile = "D:\node_rdp_cert.cer"
# The thumbprint of the Encryption Certificate
# used to decrypt the credentials on target node
Thumbprint = "d78334010df5dee5de1c7529e9419a4bb841e618"
};
);
}
MetaConfigurationForPull -Credential $cred -ConfigurationData $ConfigData -Output "D:\meta\batch_server"
I've also found that post which talks about some regression on PS 5.0 and where this guy states he had everything working like a charm on PS 4.0.
Am I missing something in the code above?
Any help would be much appreciated.
Thanks
As long as this is just a test environment, you can add:
PSDscAllowPlainTextPassword = $true
to your configuration.
Example: here.
I'm trying to create a software distribution point to deploy internal applications to azure virtual machines with Azure Automation DSC.
These msi based applications then gets copied to the local vm by the DSC File Resource and installed by the Package DSC Resource
I've tried to do so with an Azure Storage Account. The Storage File Feature provides an UNC Share which is accessible by username and password and therefore would seem like an easy solution to create a software dist point.
These are the crucial parts of my DSC Configuration ( *.file just used for sample reason )
$storageCredential = Get-AutomationPSCredential -Name "PackageStorage"
LocalConfigurationManager
{
#DebugMode = 'All'
RebootNodeIfNeeded = $true
}
File CopyPackagesFolder
{
DestinationPath = "C:\packages"
Credential = $storageCredential
Ensure = "Present"
SourcePath = "\\*.file.core.windows.net\packages\"
Type = "Directory"
Recurse = $true
}
This only works the very first time it is executed by LCM. After the first successful execution is fails with the following message:
A specified logon session does not exist. It may already have been
terminated. An error occurs when accessing the network share with the
specified credential. Please make sure the credential is correct and
the network share is accessible. Note that Credential should not be
specified with the local path. The related file/directory is:
\*.file.core.windows.net\packages.
What do I miss?
Can you verify that the account has not changed before second DSC run by doing "net use" directly on the share using these credentials?
I have created a simple DSC script which is the standard one I assume for downloading IIS.
configuration IISInstall
{
node VISUALSTUDIOVM
{
WindowsFeature IIS
{
Ensure = "Present"
Name = "Web-Server"
}
}
}
I am trying to create an Azure virtual machine from Powershell.
What I do is:
I upload this configuration file to my azure storage account.
Publish-AzureVMDscConfiguration -ConfigurationPath C:\AzureVirtualNetwork\Installiis.ps1 -StorageContext $context -Force
I create a $vm variable and set the DSC extension
$vm = Set-AzureVMDSCExtension -VM $vm -ConfigurationArchive "Installiis.ps1.zip"
I then update the $vm
$vm | Update-AzureVM
I get the operation success message, but the IIS does not get installed on the machine.
Am I missing something. The $vm I create is Windows server 2012 R2 machine.
The same DSC script when I run from after creating my machine using Start-DscConfiguration and specifying the MOF path it works fine.
The log on the target machine is as follows:
When I check the log file , I get this error, what needs to be done
[01/14/2015 23:34:20.81] Executing: C:\Packages\Plugins\Microsoft.Powershell.DSC\1.5.0.0\bin\enable.cmd
[01/14/2015 23:34:23.14] Execution Complete.
#
Execution Output:
VERBOSE: Verifying OS Version...
VERBOSE: OS Version: 6.3.9600.0
VERBOSE: Server OS: True
VERBOSE: OS is supported; enabling extension.
Execution Error:
C:\Packages\Plugins\Microsoft.Powershell.DSC\1.5.0.0\bin\enable.ps1 : Error enabling the DSC Extension: The DSC Extension was
not installed correctly, please check the logs on the VM.
At C:\Packages\Plugins\Microsoft.Powershell.DSC\1.5.0.0\bin\pre-enable.ps1:51 char:5
+ & $scriptRoot\enable.ps1 -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,enable.ps1
#
Command C:\Packages\Plugins\Microsoft.Powershell.DSC\1.5.0.0\bin\enable.cmd of Microsoft.Powershell.DSC has exited with Exit code: 0
plugin (name: Microsoft.Powershell.DSC, version: 1.5.0.0) completed successfully.
Two things I would recommend:
#kevmar is correct, the node localhost is correct
Try a later O/S version. The O/S your on is running 1.5.0.0 of the DSC extension although there is at least 1.9.0.0 version. Try a guest VM image -ImageName 'a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-201502.01-en.us-127GB.vhd' or later.
I would also check the name of you .zip file in your storage container. Azure storage uses lowercase. when you run the command:
$vm = Set-AzureVMDSCExtension -VM $vm -ConfigurationArchive "Installiis.ps1.zip"
change the .zip name to "installiis.ps1.zip"