Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ProxySettings: settings not working on Windows Server Core #423

Closed
fullenw1 opened this issue Oct 21, 2019 · 10 comments · Fixed by #494
Closed

ProxySettings: settings not working on Windows Server Core #423

fullenw1 opened this issue Oct 21, 2019 · 10 comments · Fixed by #494
Assignees
Labels
bug The issue is a bug. in progress The issue is being actively worked on by someone.

Comments

@fullenw1
Copy link

Details of the scenario you tried and the problem that is occurring

I apply the same configuration on Windows 2016 GUI, Windows 2016 Core, Windows 2019 GUI and Windows 2019 Core.

DSC modules like cChoco are working fine as soon as the proxy configuration has been set set via the ProxySettings resource of the NetworkingDsc module, except for Core servers.

Suggested solution to the issue

Currently the ProxySettings resource is applying proxy settings on this registry key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

It does also apply successfully these settings on the same key on Core servers, though it has no effect.

However, when I manually apply the same values on the system account, it works fine on Core servers too after a computer restart or a new DSC pull session.
Here is the key where I apply the configuration:
registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

The proxy configuration should be added to this registry key too, in order to make it functioning on Core servers and not only GUI servers.

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

OsName : Microsoft Windows Server 2016 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.1794.amd64fre.rs1_release.171008-1615
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

PSVersion 5.1.17763.316
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.316
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

PSVersion 5.1.14393.1884
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.1884
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

7.4.0.0

@PlagueHO PlagueHO added bug The issue is a bug. help wanted The issue is up for grabs for anyone in the community. labels Oct 22, 2019
@PlagueHO
Copy link
Member

Thanks for raising this @fullenw1 - great detection work BTW. Looks like it should be an easy fix.

@ausafonly
Copy link

I am also facing this issue and desperately need a solution for this.

@ksl28
Copy link

ksl28 commented Apr 23, 2021

Same issue here! We have an new environment based on Windows Server core ready to enter production, but the Proxy settings is an showstopper.

@PlagueHO
Copy link
Member

PlagueHO commented Apr 25, 2021

Apologies for not getting to this sooner.

For reference, S-1-5-18 is Local System account. As the LCM runs under Local System, we should be OK setting this in the resource.

There are a few different ways of addressing this:

  1. Add a parameter to the resource to allow specify which user account to set the proxy settings on. An option for specifying Local Machine would also be required.
  2. Auto detect if the resource is running on Server Core and set the registry path appropriately.
  3. Add a parameter to the resource that allows specifying Local Machine or Current User. Would need to determine if the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections works instead of S-1-5-18?
  4. Allow the user to specify the root key (e.g. HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USERS\S-1-5-18).
  5. Set the keys on both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER at the same time. This adds more complexity to the resource.

Option 1, 3 & 4 would all be breaking changes.

This is also something we can't easily add automated integration tests for in the CI pipeline as we'd need a proxy server. It is possible to create a local proxy server on the CI and validate against that, but that would require more time than I have at the moment.

Option 1 would be quite flexible but would require converting the username to a SID. Is it even required with PsDscRunAsCredential and using HKCU?
Option 2 is the most user friendly, but makes assumptions about this being Server Core behavior rather than related to the LCM context.
Option 3 is cleaner but assumes HKCU works.
Option 4 has the most flexibility, but it isn't very user friendly. Specifying SIDs/Registry base paths is problematic.
Option 5 adds more complexity to the resource and also makes assumptions that HKCU will work. But will be simpler for the user.

If someone can confirm if the HKCU key works (as opposed to specifying the specific HKU) then the change will be simpler. I'm reluctant to hard code the Local System into the resource.

Also, using HKU rather than HKCU will require a lot more rewriting as PowerShell PSDrive does not support HKU.

What I may do to start with is make some supporting changes to make this change easier to do later on.

@PlagueHO PlagueHO self-assigned this Apr 28, 2021
@PlagueHO PlagueHO added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Apr 28, 2021
@PlagueHO
Copy link
Member

I've submitted a draft PR to begin work on this.

I'm keen to hear opinions on the most appropriate solution from above before finalizing the changes.

@PlagueHO
Copy link
Member

PlagueHO commented May 5, 2021

As there hasn't been any further discussion, I'll implement Option 3 and release as a preview:

Add a parameter to the resource that allows specifying Local Machine or Current User. Would need to determine if the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections works instead of S-1-5-18?

I'll aim to complete this this weekend.

@PlagueHO
Copy link
Member

I've run into an issue that I need more community feedback on:
Right now the resource is an IsSingleInstance resource. This means that in a config it will never be possible to apply the config to both the machine and the user account.

I can fix this by making a Scope parameter the Key for the resource, but this will be a significant breaking change for the resource as the parameter would be required to be set. E.g. the resource config MUST look like:

        ProxySettings AutoDetectProxy
        {
            Scope                  = 'LocalMachine'
            Ensure                  = 'Present'
            EnableAutoDetection     = $true
            EnableAutoConfiguration = $false
            EnableManualProxy       = $false
        }

or

        ProxySettings AutoDetectProxy
        {
            Scope                  = 'CurrentUser'
            Ensure                  = 'Present'
            EnableAutoDetection     = $true
            EnableAutoConfiguration = $false
            EnableManualProxy       = $false
        }

My gut feeling is that this is fine (but a breaking change). Because regardless the change will result in a breaking change. But as I don't actually use this resource myself I'd like to hear from people who do.

If I don't get any feedback in the next 2 weeks I'll push a change that makes the MOF:

[ClassVersion("1.0.0"), FriendlyName("ProxySettings")]
class DSC_ProxySettings : OMI_BaseResource
{
    [Key, Description("Specifies if the proxy settings should be set for the LocalMachine or for the CurrentUser. Defaults to 'LocalMachine'."), ValueMap{"LocalMachine","CurrentUser"}, Values{"LocalMachine","CurrentUser"}] String Scope;
    [Write, Description("Specifies if proxy settings should be set. Defaults to 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
    [Write, Description("Defines if the proxy settings should be configured for default connections, legacy connections or all connections. Defaults to 'All'."), ValueMap{"All","Default","Legacy"}, Values{"All","Default","Legacy"}] String ConnectionType;
    [Write, Description("Enable automatic detection of the proxy settings. Defaults to 'False'.")] Boolean EnableAutoDetection;
    [Write, Description("Use automatic configuration script for specifying proxy settings. Defaults to 'False'.")] Boolean EnableAutoConfiguration;
    [Write, Description("Use manual proxy server settings. Defaults to 'False'.")] Boolean EnableManualProxy;
    [Write, Description("The URL of the automatic configuration script to specify the proxy settings. Should be specified if 'EnableAutoConfiguration' is 'True'.")] String AutoConfigURL;
    [Write, Description("The address and port of the manual proxy server to use. Should be specified if 'EnableManualProxy' is 'True'.")] String ProxyServer;
    [Write, Description("Bypass proxy server for addresses starting with addresses in this list.")] String ProxyServerExceptions[];
    [Write, Description("Bypass proxy server for local addresses. Defaults to 'False'.")] Boolean ProxyServerBypassLocal;
};

@ausafonly
Copy link

ausafonly commented May 23, 2021 via email

@ausafonly
Copy link

ausafonly commented May 28, 2021 via email

@PlagueHO
Copy link
Member

Hi @ausafonly - I've actually completed the change, just need to get it reviewed before it can be merged: #494

Unfortunately we don't have a large number of reviewers and they're all super busy. I'll try and find out when someone might be free to do this. The community is always looking for more contributors and reviewers though 😁

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug The issue is a bug. in progress The issue is being actively worked on by someone.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants