Agent/EventHub issues

PowerShell Universal
1 
Product: PowerShell Universal
Version: 5.5.4

I’m trying to replicate the example from the video at PowerShell Universal v5 - PowerShell Universal Agents

I have installed the Agent on the same machine as I have the requirement to use gMSA for everything but with different users, so I figured that using the agent is actually the best way to achieve that.

I am using HTTPS with a valid certificate (not self-signed!) for the PSU Server - this is my agent.json

{
    "Connections": [
        {
            "Url": "https://myPSUServer.example.com",
            "Hub": "Agent-Dns",
            "AppToken": "...",
        }
    ],
	"Universal": {
		"Agent": {
		  "Tags": [ "DNS" ]
		}
    }
}

So far I have succeeded in creating an Event Hub and the agent seems to be connected to the PSU Server.

However, when I try to run my EventHub.ps1:

Invoke-PSUCommand -Hub "Agent-Dns" -Command "Out-File" -Parameters @{
    FilePath = "D:\work\test.txt"
    InputObject = "Hello, World!"
}

using “Run Script” in the Integrated environment, I get an error:

The SSL connection could not be established, see inner exception.
at <ScriptBlock>, D:\UniversalAutomation\Repository\DevTest\70889\EventHub.ps1: line 1
at <ScriptBlock>, <No file>: line 1

I tried changing the connection to HTTP only using -ComputerName "http://myPSUServer", but here I also get an error:

Unauthenticated. Specify an app token, credentials, use default credentials or enable permissive security model.
at <ScriptBlock>, D:\UniversalAutomation\Repository\DevTest\70889\EventHub.ps1: line 1
at <ScriptBlock>, <No file>: line 1

I also created a Token, stored it as secret variable and tried passing it via the -AppToken parameter, but the result unfortunately is the same (I have verified that the token is actually read from the variable).

I have added

  "Api": {
	  "SecurityModel": "Permissive"
  }

to my appsettings.json, however that does not seem to have any effect.

I am thinking that there must be some major difference in how the Verb-PSUSomething commands behave in my installation as in all the examples I find there is no real need to specify the ComputerName and authentication parameters?

2

I haven’t ever watched a video about setting up an Event Hub, but here is some pieces of my own setup so you can see what’s different.

Rather than sending Invoke-PSUCommand (which is an alias for Send-PSUEvent, for the record), I’m selecting whichever Event Hub agent is actively connected, which also verifies that there actually is at least 1 agent actively connected.

In the script on the PSU server that uses the Event Hub agent I have:

$EHConnection = @(Get-PSUEventHubConnection -AppToken $PSUInternalToken -Hub $PSUEventHubName -Active)
  if ($EHConnection.count -lt 1) {
    Write-Error "There are no active agents for the $($PSUEventHubName) event hub."
    return
  }
  else {
    $WebRequest = Send-PSUEvent -AppToken $PSUInternalToken -Hub $PSUEventHubName -ConnectionID $EHConnection.ConnectionID -Command "Invoke-WebRequest" -Parameters @{
      "SkipCertificateCheck" = $true
      "Uri" = "https://<redacted>"
    }

And, in my agent.json file I have:

{
    "Connections": [
        {
            "Url": "<PSU FQDN>",
            "Hub": "<Event Hub Name>",
            "AppToken": "<App Token>",
	    "ScriptPath": "script.ps1"
        }
    ]
}

Aside from the video you linked, there’s also written documentation at Event Hubs | PowerShell Universal which may help you some more.

3

Thank you @Jesse.Peden for your reply, however the issue with the SSL error also happens when using Get-PSUEventHubConnection. I see that you have "SkipCertificateCheck" = $true for your Send-PSUEvent, however this should not be necessary for my setup as I have a valid certificate (and you have no such parameter specified when you call Get-PSUEventHubConnection?).
Interestingly, Get-PSUEventHubConnection, as all PSU-Commandlets, do work when I just open a PowerShell 7 console window and use -UseDefaultCredentials.

But: Send-PSUEventdoes still not work this way :frowning:

PS > $EHConnection = @(Get-PSUEventHubConnection -Hub "Agent-Dns" -Active -UseDefaultCredentials)
PS > $EHConnection

Id               : 3
UserName         : PSU-Agent-Dns
RemoteIpAddress  : ::ffff:98.765.43.21
RemoteComputer   : myPSUServer
EventHub         : Agent-Dns
Computer         : myPSUServer
Connected        : 10.06.2025 09:13:37
Disconnected     :
ConnectionId     : rJK_7SmDvUBF-f41cz7Seg
RemoteUserName   : myGmsa$
RemoteDomainName : myDomain
Version          : 5.5.4

PS > $WebRequest = Send-PSUEvent -Hub "Agent-Dns"  -ConnectionID $EHConnection.ConnectionID -Command "Invoke-WebRequest" -UseDefaultCredentials -Parameters @{
       "SkipCertificateCheck" = $true
       "Uri" = "https://myPSUServer"
     }
Send-PSUEvent: Status(StatusCode="Unknown", Detail="Exception was thrown by handler. IOException: Connection 'rJK_7SmDvUBF-f41cz7Seg' does not exist.")
4

SkipCertificateCheck was needed in my setup as the command I’m sending through the agent is telling it to reach out to a website that uses a self-signed cert. SkipCertificateCheck was not for the PSU-to-agent communication itself.

The way that I’m using Event Hubs is slightly different than what you’re doing, which is that I want the output from the agent once it’s finished with doing its task so that other parts of the script can take that output and do further tasks. What you’re doing is sending it a command without expecting the output back on the PSU server.

I would try going back to using an App Token instead of UseDefaultCredentials to see if it makes a difference.