set-AzureRmVMCustomScriptExtension - Failed
So, you are working with Azure PowerShell and custom scripts and are facing this error:
You have already played with the storage account keys, verified that the file is accessible from a web browser, tried loading the script directly from the Azure portal, and nothing seems to work. The next thing to do is look at the logs inside the virtual machine.
In theory every machine deployed in Azure contains a VM agent that handles the interaction between Azure and the VM. There are two locations you need to look at when debugging problems with Azure and custom scripts: C:\WindowsAzure and C:\Packages.
To get more data about the error, log into the VM where the custom script needs to be installed and open the file C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.9\CustomScriptHandler.log. There you will find additional information about the problem. In my case I found this:
[5400+00000001] [03/20/2018 16:02:43.56] [FATAL] Failed to download all specified files. Exiting. Exception: Microsoft.WindowsAzure.Storage.StorageException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
The reason seems to be that the server has TLS 1.0 disabled, which in my case is true. So there are two options: enable TLS 1.0, which is not a good idea since it is now considered insecure, or install Windows Management Framework (WMF) 5.1.
According to the link below, the VM extensions for Windows Server 2016 are able to work with TLS 1.2, but for prior versions of the Server operating system we need to update WMF.
https://docs.microsoft.com/en-us/powershell/dsc/azuredscexthistory
To find out the version of WMF on your server, open PowerShell as administrator and execute: $PSVersionTable.PSVersion
In my case I needed to upgrade the WMF version; there is already a Windows update for that, identified as kb3191564.
Download the file that corresponds to your system and execute the installation.
After installing and rebooting your server, run the PowerShell command again to verify the WMF version:
Once you have WMF 5.1 on your system, try installing a custom script again; it should work with TLS 1.2 now.
If you configured your server to disable TLS 1.0 and 1.1 for outbound connections, there is an extra step you need to execute. By default PowerShell (including WMF 5.1) uses TLS 1.0 for outbound connections. To make PowerShell use TLS 1.2, add the following line at the top of your script:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
In my case I needed to set TLS 1.2 as the default for all PowerShell outbound connections; one way to do it is to add that line to the PowerShell profile $profile.allusersallhosts:
- Open PowerShell as administrator and enter the command: notepad $profile.allusersallhosts
- If Notepad asks to create a new file, say yes; you are creating a new file named C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
- Enter the following in Notepad:
- [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
- Save and close the file.
- Back in PowerShell, run the following commands:
- Set-ExecutionPolicy RemoteSigned
- . $profile.allusersallhosts
- Exit PowerShell and start a new instance.
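The checks and the profile change described above, put together in one script. This is an added example and not code from the original post; it assumes the handler log path (version 1.9) and the profile path quoted in the post, and that you run it from an elevated PowerShell session.

```powershell
# Added example: verify the WMF version, look for the TLS handshake failure in the
# CustomScriptExtension log, and make the TLS 1.2 setting persistent for every host.
#Requires -RunAsAdministrator

# 1. WMF / PowerShell version: below 5.1 the extension cannot use TLS 1.2 on pre-2016 servers.
$psVersion = $PSVersionTable.PSVersion
if ($psVersion -lt [Version]'5.1') {
    Write-Warning "PowerShell $psVersion detected; install WMF 5.1 (kb3191564) before continuing."
} else {
    Write-Host "PowerShell $psVersion - WMF 5.1 or later is present."
}

# 2. Look for the 'no common algorithm' handshake failure in the handler log (path assumed from the post).
$logPath = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.9\CustomScriptHandler.log'
if (Test-Path $logPath) {
    $hits = @(Select-String -Path $logPath -Pattern 'do not possess a common algorithm' -SimpleMatch)
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} TLS handshake failure(s) in {1}; last one: {2}" -f $hits.Count, $logPath, $hits[-1].Line)
    }
}

# 3. Current session: show which protocols PowerShell offers, then restrict it to TLS 1.2.
Write-Host "SecurityProtocol before: $([System.Net.ServicePointManager]::SecurityProtocol)"
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
Write-Host "SecurityProtocol after:  $([System.Net.ServicePointManager]::SecurityProtocol)"

# 4. Persist the setting in the AllUsersAllHosts profile without duplicating the line on repeated runs.
$profilePath = $PROFILE.AllUsersAllHosts
$tlsLine = '[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12'
if (-not (Test-Path $profilePath)) {
    New-Item -Path $profilePath -ItemType File -Force | Out-Null
}
if (-not (Select-String -Path $profilePath -Pattern $tlsLine -SimpleMatch -Quiet)) {
    Add-Content -Path $profilePath -Value $tlsLine
    Write-Host "Added the TLS 1.2 line to $profilePath"
} else {
    Write-Host "$profilePath already forces TLS 1.2"
}
```

The profile is only loaded when the execution policy allows scripts, so the Set-ExecutionPolicy RemoteSigned step from the list above still applies.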
References:
- https://docs.microsoft.com/en-us/powershell/dsc/azuredscexthistory
- https://blogs.msdn.microsoft.com/powershell/2017/03/28/windows-management-framework-wmf-5-1-now-in-microsoft-update-catalog/
- https://www.catalog.update.microsoft.com/Search.aspx?q=kb3191564
- https://technet.microsoft.com/en-us/library/ff461033.aspx
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
- http://www.powershellmagazine.com/2014/04/30/understanding-azure-custom-script-extension/
- https://blogs.technet.microsoft.com/heyscriptingguy/2013/01/04/understanding-and-using-powershell-profiles/
- http://wahlnetwork.com/2018/01/08/supporting-tls-v1-2-powershell-securityprotocoltype/
- http://www.processio.com/enable-outbound-tls-1-1-1-2-windows-server/