I have an update. It turns out that we had some GPO settings (Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Encrypting File System) that were using old certificates from before I started at this organization. They were expired. I removed those certificates from the GPO, ran gpupdate on all my test machines, and now 'AWS-ApplyDSCMofs' is working as intended.
I'd suggest checking these settings.
One thing I noticed in the applydscmof.ps1 file: the $env variable is different compared to other run documents that I have looked at. It shows:
if ($mm.S3Modules.Contains($moduleKey))
{
$moduleDir = "$env:TMP\DSCModules"
Another article, however, references the temp area on a Windows instance as $env:TEMP. Here, for example: https://docs.amazonaws.cn/en_us/systems-manager/latest/userguide/sysman-install-managed-win.html
Hi,
Thank you for reporting this issue. We will look into this and get back to you. We have tried to repro this locally with no success, although it is not exactly equivalent: we used an AWS instance with an activation code to simulate an on-prem instance.
We will send an update as soon as we find more information.
Regards,
Upender
I tried another VM, non-domain-joined, using the same role. I also modified the role to have the full S3 access policy by Amazon, to test whether it was an S3 permissions issue. The output looks a little different now, but same result.
I am using the service role: AmazonEC2RunCommandRoleForManagedInstances
VERBOSE: [2018-12-17 20:37:41.287] Sending HTTP Get request to 'https://s3-us-east-2.amazonaws.com/aws-ssm-us-east-2/statemanagerdocumentspayload/AWS-ApplyDSCMofs/AWS-ApplyDSCMofs-20181115.ps1'
VERBOSE: [2018-12-17 20:37:41.631] Received response with status code NotModified
VERBOSE: [2018-12-17 20:37:41.655] Local file matches remote file, no content was downloaded.
VERBOSE: [2018-12-17 20:37:41.678] Importing script functions
VERBOSE: [2018-12-17 20:37:42.193] Importing AWSPowerShell module
VERBOSE: [2018-12-17 20:37:44.177] Ensuring AWSPowerShell module is v3.3.270.0 or higher
VERBOSE: [2018-12-17 20:37:44.187] AWSPowerShell module is at or above the minimum required version. Installed: 3.3.428.0
VERBOSE: [2018-12-17 20:37:44.190] Ensuring AWS RegionEndpoint can be obtained by FallbackRegionFactory
VERBOSE: [2018-12-17 20:38:00.069] Ensuring AWSCredentials can be obtained from FallbackCredentialsFactory
VERBOSE: [2018-12-17 20:38:00.089] Ensuring we can retrieve the instance Id of the machine
VERBOSE: [2018-12-17 20:38:00.117] Retrieving instanceID from SSM environment variable
VERBOSE: [2018-12-17 20:38:00.146] Starting function InvokeComplianceRun (called from l
---Output truncated---
----------ERROR-------
C:\ProgramData\Amazon\SSM\InstanceData\mi-020b50196866dcec0\document\orchestration\feba1115-1b8e-476b-89a0-a4b76db02907\RunPowerShell_script.ps1 :
##################################################################
Error Message
##################################################################
Failed to download file: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message><RequestId>A5B79C168ADA1F49</RequestId><HostId>5A7w9I37lTu1QHgotjiTt9ONrt5m4MGFmHE0CPcU4L1V6pPoWKRZv2YiEFdcWd4EAslp9fhvD5A=</HostId></Error> (line 1959)
##################################################################
Failing command
##################################################################
throw "Failed to download file: $er"
##################################################################
Base Exception
##################################################################
System.Management.Automation.RuntimeException: Failed to download file: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>The authorization mechanism you ha
---Error truncated----
Edited by: kleinberger on Dec 17, 2018 12:52 PM
Something must have been updated. It's working fine today now. I plan on testing multiple mof's next.
Actually, this has something to do with joining a VM to the domain. It works all day long on a non-domain-joined Server 2012 R2 VM. I have another VM joined to the domain, and it will not download the MOF file to a temp directory. I'm looking at IE domain trusts and security settings. I think it's something to do with how the applymof script is pulling down the MOF file. In the PowerShell logs, there is a step that is different between the two servers. The failing one has something to the effect of:
"Dynamic Parameters HelpMessage=The dynamic parameter is required for Find-Module and Install-Module"
Edited by: kleinberger on Dec 21, 2018 4:40 PM
This definitely breaks once a VM joins the domain. If I disjoin it and reboot, it starts working again immediately. The VM is in the default Computers OU, which doesn't have that much being enforced. I have tried manually turning on the items being enforced by Group Policy on the non-domain-joined VM, to see if I can find whether it's a policy item causing the behavior. I have not been able to replicate it by turning on these policy items by hand.
The apply-MOF file will not download to the C:\Windows\Temp directory once the VM is joined to a domain. The filename on a working VM is AWS-ApplyDSCMofs-20181130.ps1. There is also a folder that gets created named DSCMofs, and one named Microsoft.PackageManagement.
The permissions on the Temp folder are the same for joined and non-joined.
Hi,
We are suspecting something wrong with the proxy server when the VM is joined to a domain. There is a verbose logging option in the document parameters. When you create an association or run the DSC document via Run Command, can you enable verbose logging and send us the logs?
Regards,
Upender
Here is the verbose output. I'm able to do an Invoke-WebRequest from PowerShell on the VM and get to all of the described .ps1 files in the scripts. Not sure what is going on. This VM is in an OU with not much GPO applied.
It works fine without domain join. It continues to work after domain join, but once I manually removed the C:\Windows\Temp\ DSC files used and try to apply the association, it fails with this:
stdout:
VERBOSE: [2019-02-07 13:27:40.683] Sending HTTP Get request to 'https://s3-us-east-2.amazonaws.com/aws-ssm-us-east-2/statemanagerdocumentspayload/AWS-ApplyDSCMofs/AWS-ApplyDSCMofs-20181207.ps1'
VERBOSE: [2019-02-07 13:27:41.329] Received response with status code OK
VERBOSE: [2019-02-07 13:27:41.346] Local file did not exist, or did not match remote file ETag (MD5) value. New content was downloaded.
Exiting with code '219'
stderr:
C:\ProgramData\Amazon\SSM\InstanceData\mi-0d81776e7dce96ccd\document\orchestration\6905e7e2-630b-46b0-b493-5cb4dfc40676\RunPowerShell_script.ps1 :
##################################################################
Error Message
##################################################################
Exception calling ".ctor" with "6" argument(s): "Access to the path 'C:\Windows\TEMP\AWS-ApplyDSCMofs-20181207.ps1' is denied." (line 219)
##################################################################
Failing command
##################################################################
$fs = New-Object System.IO.FileStream($scriptPath, [IO.FileMode]::OpenOrCreate, [IO.FileAccess]::ReadWrite, [IO.FileShare]::Read, 4096, [IO.FileOptions]::Encrypted)
##################################################################
Base Exception
##################################################################
System.UnauthorizedAccessException: Access to the path 'C:\Windows\TEMP\AWS-ApplyDSCMofs-20181207.ps1' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
##################################################################
PSGarbage
##################################################################
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,_script.ps1
failed to run commands: exit status 219
Have you had a look at the encryption option ([IO.FileOptions]::Encrypted)? Can you run it without that option?
I found that attempting to encrypt files under the authority "nt authority\system" will fail with access denied in C:\Windows\Temp.
Edited by: OZaws on Jun 27, 2019 8:27 AM
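The failing line in the log above opens the downloaded script with [IO.FileOptions]::Encrypted, which makes the write depend on the machine's EFS policy, and the update at the top of the thread traces the break to an Encrypting File System GPO carrying expired certificates. The script below is an added diagnostic, not code from the AWS-ApplyDSCMofs document or from any poster. It reproduces that exact FileStream call in %TEMP% and reports the result, then lists what Group Policy has pushed for EFS so expired certificates stand out. Two things in it are assumptions, not stated in the thread: that the GPO's EFS certificates land under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates as serialized certificate blobs (property list of {propId, reserved, length, data}, with property 32 holding the DER certificate), and that the EFS on/off policy switch is the EfsConfiguration value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS. Run it elevated, ideally as SYSTEM (the context SSM runs the document in), on a joined and a non-joined instance and compare.

```powershell
# Added diagnostic for the AWS-ApplyDSCMofs "Access to the path ... is denied" failure.
# Not part of the AWS document. Registry locations and the blob layout are assumptions.

# 1. Reproduce the failing call: create a file in %TEMP% with FileOptions.Encrypted,
#    exactly as the document does at its line 219.
function Test-EfsFileCreate {
    param([string]$Directory = $env:TEMP)
    $path = Join-Path $Directory ("efs-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        $fs = New-Object System.IO.FileStream($path,
            [IO.FileMode]::OpenOrCreate, [IO.FileAccess]::ReadWrite,
            [IO.FileShare]::Read, 4096, [IO.FileOptions]::Encrypted)
        $fs.Dispose()
        $attrs = (Get-Item $path).Attributes
        [pscustomobject]@{
            RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            Path      = $path
            Result    = 'OK'
            # If EFS is silently disabled, the open succeeds but the attribute is missing.
            HasEncryptedAttribute = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
    } catch {
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        [pscustomobject]@{
            RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            Path      = $path
            Result    = $inner.GetType().Name      # UnauthorizedAccessException in the thread
            Message   = $inner.Message
        }
    } finally {
        Remove-Item $path -Force -ErrorAction SilentlyContinue
    }
}

# 2. Pull the DER certificate out of a serialized certificate blob (assumed layout:
#    repeated { UInt32 propId; UInt32 reserved = 1; UInt32 length; byte[length] data },
#    where propId 32 = CERT_CERT_PROP_ID carries the certificate itself).
function ConvertFrom-SerializedCertBlob {
    param([byte[]]$Blob)
    $i = 0
    while ($i + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $i)
        $len    = [int][BitConverter]::ToUInt32($Blob, $i + 8)
        if ($propId -eq 32) { return [byte[]]$Blob[($i + 12)..($i + 11 + $len)] }
        $i += 12 + $len
    }
}

# 3. List the EFS certificates Group Policy applied to this machine, with expiry.
#    The GPO path in the thread's resolution was Computer Configuration / Policies /
#    Windows Settings / Security Settings / Public Key Policies / Encrypting File System.
function Get-EfsPolicyCertificate {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'  # assumption
    if (-not (Test-Path $key)) { Write-Verbose "No EFS policy certificates present"; return }
    Get-ChildItem $key | ForEach-Object {
        $der = ConvertFrom-SerializedCertBlob (Get-ItemProperty $_.PSPath).Blob
        if ($der) {
            $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$der)
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

# 4. Policy switches that also turn EFS off (both assumed locations).
function Get-EfsPolicySwitch {
    $efs = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue
    $fs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EfsConfiguration      = $efs.EfsConfiguration       # 1 = EFS disabled by policy
        NtfsDisableEncryption = $fs.NtfsDisableEncryption   # 1 = EFS disabled on the volume
    }
}

Test-EfsFileCreate       | Format-List
Get-EfsPolicySwitch      | Format-List
Get-EfsPolicyCertificate | Format-Table -AutoSize
```

Read the output as three questions: does the encrypted open fail at all (and as which identity), is EFS switched off by policy, and are any of the pushed certificates past NotAfter. A non-joined instance should show Result = OK with HasEncryptedAttribute = True and no policy certificates; a joined instance that fails the document should show the UnauthorizedAccessException together with whatever the GPO delivered. After editing the GPO, re-run after gpupdate /force so the registry reflects the new policy before you re-test the association.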
Hi there, hoping to revive this thread.
I encountered the exact same error on our domain-joined instances when I attempted to implement DSC using the 'AWS-ApplyDSCMofs' document. I created a test instance and confirmed it occurs on a brand new, domain-joined instance. The instance is joined using a copied 'AWS-JoinDirectoryServiceDomain' document.
After unbinding the instance from the domain through Control Panel, the 'AWS-ApplyDSCMofs' document executed as expected. Then after binding the instance back to the domain using SSM, 'AWS-ApplyDSCMofs' continued to function correctly. Something about unbinding and rebinding fixed it.
Can anyone confirm similar behavior?
I'm confirming that it's failing in the same way still.
It has to be something related to security or trust settings once joined to the domain.
It continues to work after a domain join if that Temp document is already populated from the first run without domain join, but if I delete it, the process fails and it's unable to grab the .ps1 file again.
