I recently tried to set up an Azure Virtual Desktop Environment in a customer project. In the process, I encountered the following deployment error:


Deployment Error Output
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'Microsoft.PowerShell.DSC'. Error message: \"The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_11-22-2021.zip after 17 attempts: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..\r\nMore information about the failure can be found in the logs located under 'C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Powershell.DSC\\2.83.2.0' on the VM.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot "
}
]
}
What does the error mean?
The error describes a state in which an encrypted connection (HTTPS) is supposed to be established between the requester (client) and the peer (server). However, the connection is not established because the server rejects the request, stating that it does not trust the request or the requester.
What could be the reason for this? In most cases the problem is that outdated SSL/TLS versions are used to establish the connection and the server does not accept them. Another possible reason is that the certificate used to establish the secure connection was replaced on the way to the server.
In our scenario, the deployment failed because the PowerShell DSC Extension could not download its sources from Azure Storage xx. While investigating the connection attempt, we discovered that the AVD session host's traffic was being inspected by Zscaler SSL Inspection.
What is SSL Inspection?
SSL Inspection is a service that breaks open encrypted data packets and inspects them for malware and similar threats. Some services, including many Microsoft online services, reject SSL Inspection for security reasons: when the data packet is re-encrypted, it is no longer presented with the original certificate but, in this case, with the certificate from Zscaler. This means that Microsoft can no longer guarantee the integrity of the data packet.
How did we solve the problem?
After setting up an exception in Zscaler's SSL Inspection for the storage endpoint, we re-ran the deployment.

PowerShell DSC has been successfully configured on the Azure Virtual Desktop Session Host.
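To confirm on the session host itself whether the storage endpoint is still being intercepted or is now reached directly, the following check can be run from the VM. It is an added example and not part of the original post or of the DSC extension; the endpoint name is taken from the error message above, while the issuer patterns and the verdict wording are assumptions.

```powershell
# Diagnostic: which CA signed the certificate that this VM sees for the
# storage endpoint, and does the OS trust the resulting chain?
param(
    [string]$HostName = 'wvdportalstorageblob.blob.core.windows.net',
    [int]$Port = 443,
    # Assumption: issuer name fragments that reveal a re-signing inspection proxy.
    [string[]]$InspectionIssuerPatterns = @('Zscaler')
)

# Accept any certificate during the handshake so we can read it even when the
# OS does not trust it (the situation behind the DSC download error). Trust is
# evaluated separately below with X509Chain, never skipped for real traffic.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) return $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $inspected = $InspectionIssuerPatterns | Where-Object { $cert.Issuer -match $_ }
    if ($inspected) {
        $verdict = 'Intercepted: certificate re-signed by an SSL inspection CA'
    } elseif (-not $trusted) {
        $verdict = 'Certificate not trusted by this VM (check proxy and root store)'
    } else {
        $verdict = 'Direct and trusted'
    }

    [pscustomobject]@{
        Endpoint    = $HostName
        TlsProtocol = $ssl.SslProtocol
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Trusted     = $trusted
        ChainStatus = $chainStatus
        Verdict     = $verdict
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it once before and once after adding the Zscaler exception: the Issuer field should change from the inspection CA to the CA that actually signs the Microsoft storage endpoint, and Trusted should become True.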