Missing IISSelfSignedCertModule.dll on Windows 2012 R2/PS4

[mhendric]

I'm working on #506, and trying to do some manual integration testing by setting up a DSC pull server. My configuration script works just fine on my Windows 2016 / PS 5.1 server, but fails with the below error on my Windows 2012 R2 / PS 4 server. I cannot find IISSelfSignedCertModule.dll anywhere on the machine. Can someone tell me where this comes from and how I can install it?

Error: Cannot find path 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\IISSelfSignedCertModule.dll' because it does not exist.

OS: Windows 2012 R2 (6.3 Build 9600)

$psversiontable

Name Value

---

PSVersion 4.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.42000
BuildVersion 6.3.9600.19170
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion 2.2

IIS Features:

[X] Web Server (IIS)                                    Web-Server                     Installed
    [X] Web Server                                      Web-WebServer                  Installed
        [X] Common HTTP Features                        Web-Common-Http                Installed
            [X] Default Document                        Web-Default-Doc                Installed
            [X] Directory Browsing                      Web-Dir-Browsing               Installed
            [X] HTTP Errors                             Web-Http-Errors                Installed
            [X] Static Content                          Web-Static-Content             Installed
            [ ] HTTP Redirection                        Web-Http-Redirect              Available
            [ ] WebDAV Publishing                       Web-DAV-Publishing             Available
        [X] Health and Diagnostics                      Web-Health                     Installed
            [X] HTTP Logging                            Web-Http-Logging               Installed
            [ ] Custom Logging                          Web-Custom-Logging             Available
            [ ] Logging Tools                           Web-Log-Libraries              Available
            [ ] ODBC Logging                            Web-ODBC-Logging               Available
            [X] Request Monitor                         Web-Request-Monitor            Installed
            [X] Tracing                                 Web-Http-Tracing               Installed
        [X] Performance                                 Web-Performance                Installed
            [X] Static Content Compression              Web-Stat-Compression           Installed
            [ ] Dynamic Content Compression             Web-Dyn-Compression            Available
        [X] Security                                    Web-Security                   Installed
            [X] Request Filtering                       Web-Filtering                  Installed
            [ ] Basic Authentication                    Web-Basic-Auth                 Available
            [ ] Centralized SSL Certificate Support     Web-CertProvider               Available
            [ ] Client Certificate Mapping Authentic... Web-Client-Auth                Available
            [ ] Digest Authentication                   Web-Digest-Auth                Available
            [ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth                  Available
            [X] IP and Domain Restrictions              Web-IP-Security                Installed
            [ ] URL Authorization                       Web-Url-Auth                   Available
            [ ] Windows Authentication                  Web-Windows-Auth               Available
        [X] Application Development                     Web-App-Dev                    Installed
            [ ] .NET Extensibility 3.5                  Web-Net-Ext                    Available
            [X] .NET Extensibility 4.5                  Web-Net-Ext45                  Installed
            [ ] Application Initialization              Web-AppInit                    Available
            [ ] ASP                                     Web-ASP                        Available
            [ ] ASP.NET 3.5                             Web-Asp-Net                    Available
            [X] ASP.NET 4.5                             Web-Asp-Net45                  Installed
            [ ] CGI                                     Web-CGI                        Available
            [X] ISAPI Extensions                        Web-ISAPI-Ext                  Installed
            [X] ISAPI Filters                           Web-ISAPI-Filter               Installed
            [ ] Server Side Includes                    Web-Includes                   Available
            [ ] WebSocket Protocol                      Web-WebSockets                 Available
    [ ] FTP Server                                      Web-Ftp-Server                 Available
        [ ] FTP Service                                 Web-Ftp-Service                Available
        [ ] FTP Extensibility                           Web-Ftp-Ext                    Available
    [X] Management Tools                                Web-Mgmt-Tools                 Installed
        [X] IIS Management Console                      Web-Mgmt-Console               Installed
        [ ] IIS 6 Management Compatibility              Web-Mgmt-Compat                Available
            [ ] IIS 6 Metabase Compatibility            Web-Metabase                   Available
            [ ] IIS 6 Management Console                Web-Lgcy-Mgmt-Console          Available
            [ ] IIS 6 Scripting Tools                   Web-Lgcy-Scripting             Available
            [ ] IIS 6 WMI Compatibility                 Web-WMI                        Available
        [X] IIS Management Scripts and Tools            Web-Scripting-Tools            Installed
        [ ] Management Service                          Web-Mgmt-Service               Available

Script

configuration Sample_xDscWebServiceRegistration
{
    param
    (
        [string[]]$NodeName = 'localhost',

        [ValidateNotNullOrEmpty()]
        [string] $certificateThumbPrint,

        [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
        [ValidateNotNullOrEmpty()]
        [string] $RegistrationKey   # A guid that clients use to initiate conversation with pull server
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                  = "Present"
            EndpointName            = "PSDSCPullServer"
            Port                    = 8080
            PhysicalPath            = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint   = $certificateThumbPrint
            ModulePath              = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath       = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                   = "Started"
            DependsOn               = "[WindowsFeature]DSCServiceFeature"
            RegistrationKeyPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            AcceptSelfSignedCertificates = $true
            Enable32BitAppOnWin64   = $false
            UseSecurityBestPractices = $false
        }

        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:ProgramFiles\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}

Output:

PS C:\Users\administrator.FIFTYFIFTY\Desktop> Start-DscConfiguration -Path .\Sample_xDscWebServiceRegistration -Verbose -Wait -Force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/Des
iredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer RRAS-1 with user sid S-1-5-21-4227124094-3448144961-1010909551-500.
VERBOSE: [RRAS-1]: LCM:  [ Start  Set      ]
VERBOSE: [RRAS-1]: LCM:  [ Start  Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [RRAS-1]: LCM:  [ Start  Test     ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [RRAS-1]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' started: DSC-Service
VERBOSE: [RRAS-1]:                            [[WindowsFeature]DSCServiceFeature] The operation 'Get-WindowsFeature' succeeded: DSC-Service
VERBOSE: [RRAS-1]: LCM:  [ End    Test     ]  [[WindowsFeature]DSCServiceFeature]  in 0.2500 seconds.
VERBOSE: [RRAS-1]: LCM:  [ Skip   Set      ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [RRAS-1]: LCM:  [ End    Resource ]  [[WindowsFeature]DSCServiceFeature]
VERBOSE: [RRAS-1]: LCM:  [ Start  Resource ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [RRAS-1]: LCM:  [ Start  Test     ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check Ensure
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check Port
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check Binding
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check Physical Path property
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check State
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Get Full Path for Web.config file
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check DatabasePath
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check ModulePath
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check ConfigurationPath
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check RegistrationKeyPath
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Check AcceptSelfSignedCertificates
VERBOSE: [RRAS-1]: LCM:  [ End    Test     ]  [[xDSCWebService]PSDSCPullServer]  in 0.3130 seconds.
VERBOSE: [RRAS-1]: LCM:  [ Start  Set      ]  [[xDSCWebService]PSDSCPullServer]
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Create the IIS endpoint
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Setting up endpoint at - https://RRAS-1:8080/PSDSCPullServer.svc
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Verify that the certificate with the provided thumbprint exists in CERT:\LocalMachine\MY\
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Checking IIS requirements
VERBOSE: [RRAS-1]:                            [[xDSCWebService]PSDSCPullServer] Delete the App Pool if it exists
Cannot find path 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\IISSelfSignedCertModule.dll' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (C:\Windows\Syst...dCertModule.dll:) [], CimException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
    + PSComputerName        : localhost

VERBOSE: [RRAS-1]: LCM:  [ End    Set      ]  [[xDSCWebService]PSDSCPullServer]  in 3.2830 seconds.
The PowerShell DSC resource MSFT_xDSCWebService threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called 
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [RRAS-1]: LCM:  [ Start  Resource ]  [[File]RegistrationKeyFile]
VERBOSE: [RRAS-1]: LCM:  [ Start  Test     ]  [[File]RegistrationKeyFile]
VERBOSE: [RRAS-1]:                            [[File]RegistrationKeyFile] The destination object was found and no action is required.
VERBOSE: [RRAS-1]: LCM:  [ End    Test     ]  [[File]RegistrationKeyFile]  in 0.0000 seconds.
VERBOSE: [RRAS-1]: LCM:  [ Skip   Set      ]  [[File]RegistrationKeyFile]
VERBOSE: [RRAS-1]: LCM:  [ End    Resource ]  [[File]RegistrationKeyFile]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 3.952 seconds

[mhendric]

Adding a key piece of information that I forgot.

Here's the directory where this file should be on the problem server (Win 2012 R2 / PS 4).

PS C:\> dir 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer' -Recurse

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d---s         1/28/2019   1:39 PM            en
d---s         1/28/2019   1:39 PM            en-US
-a---         1/28/2019   1:39 PM     303104 Devices.mdb
-a---          7/1/2013   9:49 AM        141 Global.asax
-a---         1/28/2019   1:39 PM      57856 Microsoft.Powershell.DesiredStateConfiguration.Service.dll
-a---          7/1/2013   9:49 AM       2389 PSDSCComplianceServer.config
-a---         6/21/2013  12:50 AM        268 PSDSCComplianceServer.mof
-a---         6/18/2013   5:25 AM        335 PSDSCComplianceServer.svc
-a---         6/18/2013   5:25 AM        390 PSDSCComplianceServer.xml
-a---        11/21/2014  12:07 AM       3343 PSDSCPullServer.config
-a---         6/21/2013  12:50 AM        525 PSDSCPullServer.mof
-a---         6/18/2013   5:25 AM        335 PSDSCPullServer.svc
-a---         6/18/2013   5:25 AM        502 PSDSCPullServer.xml
-a---         1/28/2019   1:39 PM       8704 PSDSCServerEvents.dll

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         1/28/2019   1:39 PM       6144 Microsoft.Powershell.DesiredStateConfiguration.Service.resources.dll

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en-US

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/20/2014  10:54 PM          2 PSDSCComplianceServer.mfl
-a---        11/20/2014  10:54 PM          2 PSDSCPullServer.mfl
-a---         1/28/2019   1:39 PM       6656 PSDSCServerEvents.dll.mui

Here's the same directory on the server that works (Win 2016 / PS 5.1):

PS C:\> dir 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer' -Recurse

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-        1/29/2019   4:34 PM                en
d---s-        1/29/2019   4:34 PM                en-US
-a----        1/29/2019   4:34 PM        1310720 Devices.mdb
-a----        7/16/2016   6:19 AM            141 Global.asax
-a----        1/29/2019   4:34 PM          11264 IISSelfSignedCertModule.dll
-a----        1/29/2019   4:34 PM         133632 Microsoft.Powershell.DesiredStateConfiguration.Service.dll
-a----        7/16/2016   6:19 AM           2389 PSDSCComplianceServer.config
-a----        7/16/2016   6:19 AM            268 PSDSCComplianceServer.mof
-a----        7/16/2016   6:19 AM            335 PSDSCComplianceServer.svc
-a----        7/16/2016   6:19 AM            390 PSDSCComplianceServer.xml
-a----        7/16/2016   6:19 AM           3170 PSDSCPullServer.config
-a----        1/29/2019   4:34 PM           4760 PSDSCPullServer.mof
-a----        7/16/2016   6:19 AM            335 PSDSCPullServer.svc
-a----        7/16/2016   6:19 AM           1194 PSDSCPullServer.xml
-a----        1/29/2019   4:34 PM          14336 PSDSCServerEvents.dll

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/29/2019   4:34 PM           9216 Microsoft.Powershell.DesiredStateConfiguration.Service.resources.dll

    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PullServer\en-US

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/3/2018   2:29 PM              2 PSDSCComplianceServer.mfl
-a----         2/3/2018   2:29 PM              2 PSDSCPullServer.mfl
-a----        1/29/2019   4:34 PM          13824 PSDSCServerEvents.dll.mui

[mhendric]

@tmeckel , you're currently working some IISSelfSignedCertModule related Issues. Do you know anything about where this DLL comes from, and if we should expect it on a machine with only PS4?

[tmeckel]

@mhendric I can only say that you have to install the windows featre DSC-Service what you obviously did in your DSC Configuration, so it should be definitly present on the computer.

Aside this, I discovered some deficiencies with that IIS module, while I was working on PR #507 and how it's provided (Windows Feature) and how it's activated in IIS using MSFT_xDSCWebService. I'll describe my findings when I'm done with refactoring the code and the Unit Tests for MSFT_xDSCWebService in PR #507

[tmeckel]

Okay I made a quick check on a VM. Seems to me we do have an issue here because the DLL is not installed by the DSC-Service feature. I would propose we remove the code here in the xPSDesiredStateConfiguration, because it seems to me that the code has been erroneously copied over from PSDscResources. I've to admit that I didn't check the Git Log though :-D Oh and removing the code would make my PR 507 obsolete LOL

[mhendric]

Thanks @tmeckel . Good to know I'm not crazy (or at least not the owner of bad virtual machines). Sounds like this is a bug to me then. I guess we just need to figure out what to do about it. Do we update the module to not check for IISSelfSignedCertModule.dll, and if so, what are the implications of that (there had to have been a good reason that the check was added in the first place)?

And this definitely makes me wonder what else is broken in this module for PowerShell 4...

[tmeckel]

@mhendric As I already said, while I was working on this module here I discovered not only issues how this particular DLL is handled but I also commented on #468 about that I discovered some bugs how the X.509 certificate for the pull/compliance service is handled. To me this module seems to have multiple issues that has to be sorted.

[tmeckel]

@mhendric just discovered that this module is only relevant for the compliance server https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L754 interessttingly enough look at this comment multiple lines above this https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L689 and what comes on top you'll find no sign of the compliance server feature in Set-TargetResource https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L175 or Get-TargetResource https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/01383b317abae8de69a1c093ddb51b2a064f8296/DSCResources/MSFT_xDSCWebService/MSFT_xDSCWebService.psm1#L23

https://github.com/PowerShell/xPSDesiredStateConfiguration/search?q=IsComplianceServer&unscoped_q=IsComplianceServer

So TBH I don't really know in what condition this module really is!

[tmeckel]

Oh and in contrast to my statement in https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/511#issuecomment-459969107 that MSFT_xDSCWebService.psm1 has been "erroneously" copied over from PSDscResources I discovered that xPSDesiredStateConfiguration is the only DSC Resource which contains support for setting up a local pull server. This implies that xPSDesiredStateConfiguration wasn't only created for Powershell 4 support. Quite confusing situation here with these two DSC Resources

[mhendric]

@tmeckel , thanks for all the research on this! This definitely is a confusing situation. I think this one probably needs to be discussed during the next community call, especially as it relates to #522. @PlagueHO , I think you have a list of items to discuss in the next call. Can you track this one?

[tmeckel]

@mhendric how do we proceed here? From my point of view we can't leave the code as is because this would create errors on Windows 2012 servers as you already noticed. On the other hand, how likely is it that people deploy a Pull Server on such an old infrastructure? But this is the same discussion we already had about supporting PowerShell 4.

[mhendric]

Hey @tmeckel . So... I'm still wondering why this module was made to be a requirement at some point. At one point in the xPSDesiredStateConfiguration lifetime, it was definitely possible to deploy a pull server on Windows 2012 R2 and PS4, which implies IISSelfSignedCertModule wasn't always a requirement. Maybe we can find which PR introduced this and then look at the comments. Perhaps it isn't really necessary for PS4 after all. Or maybe the Compliance server (you referenced above) doesn't support PS4. Also, if we can find the last build that this worked on PS4 in, we could potentially just add a version check for PS4 when this code is invoked, and say that this code is no longer supported on PS4, use ### build instead.

At least according to this article, DSC Pull Server is only supported on PS5 or higher (although there's a reference in the same article to WMF4 databases, so I don't know how true this really is). But if the PowerShell team doesn't support the Pull Server on PS4 any more, I'm not sure why we should continue supporting it in this module.

Adding @mgreenegit in case he knows some history on this.

[tmeckel]

@mhendric the situation around the Pull Server is unsatisfying in many ways. First we have this issue here where we don't know what's supported on what platform and why code has been introduced. Secondly the PowerShell team decided to stop adding new features to the local Pull Server implementation in favor for Azure Automation DSC. The decision perfectly fits into the strategy of Microsoft and is thus understandable because you've to decide what things to follow with limited resources. Or you look at Microsoft's strategy to compel people to move on premises resources to Azure when you analyze the pricing model behind Azure Automation DSC, where you can add on premises servers but you've to pay at least $5 monthly for every server, where in contrast Azure VMs are at no charge.

My personal biggest issue around this decision is that the PowerShell team (or whoever wrote that section in the documentation) refers to two opensource projects on Github, as a replacement for an on premises installation, which are actually dead:

• https://docs.microsoft.com/en-us/powershell/dsc/pull-server/pullserver#community-solutions-for-pull-service
• https://github.com/PowerShellOrg/tug/issues/93

That leads me to the more or less sarcastic question: why should we put much effort in this DSC Resource anymore? Okay just kidding. But nevertheless we should keep in mind that when we work on xDSCWebService the technology is in fact deprecated or to say it more clearly: dead.

[mhendric]

Interesting observations @tmeckel . I don't think this technology is dead, but it definitely appears to be deprecated. That's stated in the very first paragraph of the document we linked. Which does beg the question, how much effort do we want to spend on something Microsoft plans to cut support for? Perhaps this is another community call discussion. Tagging @PlagueHO and @johlju for thoughts in the meantime.

I do still see value for many of the other resources in this module, especially since this module can accept breaking changes and PSDSCResources can't. But I'm willing to have a hard conversation around the module as a whole.

[tmeckel]

@mhendric you misunderstood in some way. When I said we must outweigh the efforts we put "... in this DSC Resource ..." I only meant xDSCWebService not the complete DSC module. The DSC module as a whole will and definitely can provide much help for people using DSC! To make it clear: I doubt we should put much effort in the Pull Server thing here on the long run because Microsoft abandoned supporting on premises installation in favor of Azure Automation DSC.

[mhendric]

Hey @tmeckel , no problem. A related comment on this is that we should probably test if xDSCWebService works on Windows Server 2019. If it does, then DSC Pull Server is probably not going away anytime soon. We should probably also start testing the Module as a whole on 2019 to see what works and what doesn't.