I need to configure passwords to be fetched from Azure Key Vault in an Azure Web App connection string. Can someone explain how to configure it?
Thanks in advance!
I tried to get the passwords from Key Vault in Application settings and it worked fine, but I wasn't able to integrate it into the connection string.
Create an Azure Key Vault.
Create a secret. Copy the Secret Identifier of the secret (this has to be used in the Azure configuration connection string).
Provide the necessary grants using access policies.
In Azure App Service => Configuration => Application Settings => Connection Strings, add the new connection string setting.
For a .NET Core app, the key name has to be MyNewConn.
For a .NET Framework app, the name of the Azure App Service connection string must be the same as the key name in the local configuration.
Thanks @Anand Sowmithiran for the comment.
The value of the connection string has to be @Microsoft.KeyVault(SecretUri=Secret Identifier).
Replace the Secret Identifier value with the value copied from the Key Vault secret (in Step 1).
For .NET Core Web App
appsettings.json
"ConnectionStrings": {
  "MyNewConn": "LocalValue"
}
string connectionString = configuration.GetConnectionString("MyNewConn");
For .NET Framework Web App
In the Web.config file, you must have the settings below:
<configSections>
  <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=*****" restartOnExternalChanges="false" requirePermission="false" />
</configSections>
<configBuilders>
  <builders>
    <add name="AzureKeyVault" vaultName="KeyVaultName" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" vaultUri="https://YourKeyVaultName.vault.azure.net" />
  </builders>
</configBuilders>
<connectionStrings>
  <add name="MyNewConn" connectionString="Retrieves the value from Azure App Service Connection String" providerName="System.Data.SqlClient" />
</connectionStrings>
var conn = ConfigurationManager.ConnectionStrings["MyNewConn"];
Update
In Azure Key Vault, in the step where we create the secret, set the secret value to the connection string.
The rest of the steps are the same.
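As an added example (not part of the answer above), the following Python script checks, offline, that the connection string values you are about to push to App Service are well-formed Key Vault references rather than plaintext secrets. It covers both reference syntaxes App Service accepts, the SecretUri form used in the answer and the VaultName/SecretName form. The vault and secret names in the sample settings are made up, and the script does not contact Azure, so it cannot tell you whether the secret exists or whether the app's identity has been granted access to it.

```python
"""Validate Azure App Service Key Vault references in connection-string settings.

Added example, not from the original post. It checks the reference syntax
offline only; it does not talk to Azure.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Both reference forms App Service accepts:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
_VAULT_SUFFIXES = (".vault.azure.net",)  # public cloud; sovereign clouds use other suffixes


@dataclass(frozen=True)
class KeyVaultRef:
    vault_name: str
    secret_name: str
    secret_version: Optional[str]  # None => App Service resolves the latest version


def parse_keyvault_reference(value: str) -> KeyVaultRef:
    """Parse either reference form; raise ValueError on anything malformed."""
    m = _REF_RE.match(value.strip())
    if not m:
        raise ValueError("not a Key Vault reference: must look like @Microsoft.KeyVault(...)")
    parts = {}
    for kv in m.group("body").split(";"):
        if not kv.strip():
            continue
        k, sep, v = kv.partition("=")
        if not sep or not v:
            raise ValueError(f"malformed parameter: {kv!r}")
        parts[k.strip()] = v.strip()
    if "SecretUri" in parts:
        if len(parts) != 1:
            raise ValueError("SecretUri cannot be combined with other parameters")
        return _parse_secret_uri(parts["SecretUri"])
    if "VaultName" in parts and "SecretName" in parts:
        unknown = set(parts) - {"VaultName", "SecretName", "SecretVersion"}
        if unknown:
            raise ValueError(f"unknown parameters: {sorted(unknown)}")
        return KeyVaultRef(parts["VaultName"], parts["SecretName"], parts.get("SecretVersion"))
    raise ValueError("need either SecretUri or VaultName+SecretName")


def _parse_secret_uri(uri: str) -> KeyVaultRef:
    u = urlparse(uri)
    host = (u.hostname or "").lower()
    if u.scheme != "https" or not host.endswith(_VAULT_SUFFIXES):
        raise ValueError(f"SecretUri must be an https URL on a Key Vault host: {uri!r}")
    segs = [s for s in u.path.split("/") if s]
    if len(segs) not in (2, 3) or segs[0] != "secrets":
        raise ValueError(f"SecretUri path must be /secrets/<name>[/<version>]: {u.path!r}")
    vault = host.split(".", 1)[0]
    return KeyVaultRef(vault, segs[1], segs[2] if len(segs) == 3 else None)


def audit_connection_strings(settings: dict) -> dict:
    """Classify each connection-string value.

    Returns {name: 'keyvault' | 'plaintext-secret' | 'plaintext' | 'invalid:<why>'}.
    A value that embeds a password but is not a Key Vault reference is exactly
    what the question is trying to get rid of.
    """
    report = {}
    for name, value in settings.items():
        if value.lstrip().startswith("@Microsoft.KeyVault"):
            try:
                parse_keyvault_reference(value)
                report[name] = "keyvault"
            except ValueError as e:
                report[name] = f"invalid:{e}"
        elif re.search(r"(?i)(^|;)\s*(password|pwd)\s*=", value):
            report[name] = "plaintext-secret"
        else:
            report[name] = "plaintext"
    return report


# Constructed sample settings; vault, secret and server names are made up.
SAMPLE_SETTINGS = {
    "MyNewConn": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/MyNewConn/ec96f02080254f109c51a1f14cdb1931)",
    "ReportingDb": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ReportingDb)",
    "LegacyDb": "Server=tcp:legacy.database.windows.net,1433;User ID=app;Password=hunter2;",
    "Broken": "@Microsoft.KeyVault(SecretUri=http://contoso-kv.vault.azure.net/secrets/x)",
}

if __name__ == "__main__":
    for name, verdict in audit_connection_strings(SAMPLE_SETTINGS).items():
        print(f"{name}: {verdict}")
```

Run it against the settings exported from the portal (or from a deployment template) before a release; any entry reported as plaintext-secret is a credential that still lives in App Service configuration instead of the vault.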
We have a simple Azure App Service app and part of that app accesses a SharePoint doc library to upload files. This has worked for years but recently stopped working. We generated a new client ID and secret thinking that was the problem, still no luck. We have been working with Microsoft for 3 weeks on the problem and they have been useless: they don't even know what a doc library is most of the time and all they do is "take screenshots and will get back."
I can get a token and use it to pull resources in Postman just fine.
The following is the code in web.config:
<appSettings>
  <add key="webpages:Version" value="3.0.0.0" />
  <add key="webpages:Enabled" value="false" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  <add key="ida:ClientId" value="spclientid" />
  <add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
  <add key="ida:ClientSecret" value="spclientsecret" />
  <add key="ida:Domain" value="ourdomain.com" />
  <add key="ida:TenantId" value="tenantid" />
  <add key="ida:PostLogoutRedirectUri" value="https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession/" />
</appSettings>
Errors 1, 2 and 3 were posted as screenshots, which are not reproduced here.
At our rope's end with this one, any ideas?
Thanks in advance.
• You must use ‘AllowAppOnlyPolicy=true’ in your manifest file for the registered Azure AD SharePoint app to acquire a token from the registered application in Azure AD on behalf of the service principal created through your ‘App Service’. Also, you can grant the required permissions for accessing the SharePoint Online website through your ‘App Service’ as shown in the snapshot below, through the Azure AD app registration portal instead of the ‘App manifest’ file:
Thus, when you provide the correct permissions to the ‘SharePoint’ portal through this ‘Service Principal’ in Azure AD for OAuth 2.0 and also configure the ‘Authentication’ token and protocols correctly, the Azure App Service should be able to access the SharePoint doc library to upload files.
• Finally, please once again check the correct value of the secret ID and its value being used to connect to the SharePoint website on behalf of the SP app in Azure AD. Also, check the correct tenant ID, domain and AADInstance of the registered SP for your app service, the details of which you have mentioned in the ‘App settings.json’ file of the code.
For more details and clarification on this, kindly refer to the links below explaining the issues regarding the ‘SharePoint’ token helper and the CSOM platform issues regarding the various browsers used to try to access the same:
https://github.com/SharePoint/sp-dev-docs/issues/6955
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient
I have an ASP.NET Azure Web API site, say myapi.azuresites.net, and my custom domain is myapi.mycompany.net.
In my Web API, I use OWIN middleware to validate the incoming token:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = Constants.AzureActiveDirectoryTenant,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            // These values will be checked against what is received in the access token.
            ValidAudiences = Constants.AzureActiveDirectoryValidAudiences
        },
        Provider = new OAuthBearerAuthenticationProviderEx()
    });
I registered an app under Azure AD and added a client secret.
From Postman, I can get an OAuth2 token from Azure AD with the app ID and the client secret.
I included this token in the header and sent it to my Azure Web API.
My code uses OWIN middleware to validate the token.
If I send the request to myapi.mycompany.net, the token validation works.
If I send the request to myapi.azuresites.net, the token validation fails.
I can't really figure out why the token validation fails when calling the Azure site directly. If I grab the Azure site's web.config down to my local machine, it works there as well.
I suspected that my AD app didn't have the right redirect URLs, but I verified that and can't see an obvious issue.
So is there a way to log some information on why authentication fails? As it is a remote Azure site, can I trap this failure as an exception and throw something out?
Although I'm not sure why my AD authentication works now, I did find a way to log OWIN failures for an Azure site.
Basically, this will log OWIN information:
<system.diagnostics>
  <trace autoflush="true"/>
  <sources>
    <source name="Microsoft.Owin">
      <listeners>
        <add name="KatanaListener"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="KatanaListener"
         type="System.Diagnostics.TextWriterTraceListener"
         initializeData="d:\home\logfiles\Katana.trace.log"
         traceOutputOptions="ProcessId, DateTime"/>
  </sharedListeners>
  <switches>
    <add name="Microsoft.Owin" value="Verbose"/>
  </switches>
</system.diagnostics>
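Both the SharePoint upload question and the OWIN audience-validation question above come down to what is inside the access token. As an added example (not code from either post), the Python below decodes a token's claims offline and lists the reasons the middleware's ValidateAudience/ValidAudiences check, a tenant check and an app-only permission check would reject it. It does not verify the signature (that needs the tenant's signing keys from its OpenID metadata), so it is a diagnostic to pair with the OWIN trace above, not an authorization check. The token, tenant ID, application ID, role name and hostnames are constructed for the example. One thing the check makes visible: the aud claim is fixed when the token is issued and is compared only against the configured ValidAudiences, so the hostname a request arrives on plays no part in that comparison.

```python
"""Inspect an Azure AD access token offline and explain why audience validation
would fail. Added example, not from either original post. It decodes claims
only and does NOT verify the signature; use it for diagnosis, not authorization.
"""
import base64
import json
import time
from typing import Iterable, Optional


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def explain_audience_failure(token: str, valid_audiences: Iterable[str],
                             expected_tenant: str, now: Optional[float] = None) -> list:
    """Mirror what ValidateAudience/ValidAudiences plus a tenant check imply.

    Returns human-readable reasons; an empty list means these checks would pass.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    reasons = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    valid = set(valid_audiences)
    if not any(a in valid for a in auds):
        reasons.append(f"aud {auds} not in ValidAudiences {sorted(valid)}")
    if claims.get("tid") != expected_tenant:
        reasons.append(f"tid {claims.get('tid')!r} is not tenant {expected_tenant!r}")
    if "exp" in claims and claims["exp"] <= now:
        reasons.append("token expired")
    # An app-only (client credentials) token carries granted application
    # permissions in 'roles'; a delegated token carries scopes in 'scp'.
    if claims.get("roles") in (None, []) and claims.get("scp") is None:
        reasons.append("no roles or scp claim: app-only token has no granted permissions")
    return reasons


def make_unsigned_token(claims: dict) -> str:
    """Build a token with an empty signature for the constructed sample below."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample: an app-only token whose audience is the custom-domain
# App ID URI. All GUIDs, hostnames and the role name are made up.
TENANT = "72f988bf-1111-2222-3333-444444444444"
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://myapi.mycompany.net",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "tid": TENANT,
    "appid": "0f1e2d3c-aaaa-bbbb-cccc-dddddddddddd",
    "roles": ["Sites.ReadWrite.All"],
    "exp": 4102444800,  # 2100-01-01, so the sample never expires
})

if __name__ == "__main__":
    # Same token, two ValidAudiences lists: one containing its aud, one not.
    print(explain_audience_failure(SAMPLE_TOKEN, ["https://myapi.mycompany.net"], TENANT))
    print(explain_audience_failure(SAMPLE_TOKEN, ["https://myapi.azuresites.net"], TENANT))
```

Paste the bearer token Postman obtained into decode_claims to see its aud, tid and roles directly; if roles is missing on a client-credentials token, the application permission was never granted (or not admin-consented), which is the first thing to check for the SharePoint case.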
I made an Azure web app. When I go to my web app URL it says the app is up and running, https://nameofmyapp.azurewebsites.net/.
When I try to send a request to the Web API by going to https://nameofmyapp.azurewebsites.net/api/Menus to get JSON text, I receive this error:
{
"Message": "An error has occurred.",
"ExceptionMessage": "The connection string 'PetSchedulerDbContext' in the application's configuration file does not contain the required providerName attribute.\"",
"ExceptionType": "System.InvalidOperationException",
"StackTrace": " at System.Data.Entity.Internal.LazyInternalConnection.InitializeFromConnectionStringSetting(ConnectionStringSettings appConfigConnection)\r\n
Here is my connection string:
<connectionStrings>
<add name="PetschedulerDbContext" connectionString="Server=tcp:petschedulerserver.database.windows.net,1433;Initial Catalog=petschedulerdb;Persist Security Info=False;User ID=Julia;Password=Network5!;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;" providerName="System.Data.SqlClient" />
</connectionStrings>
I have tried changing the provider name to
providerName="System.Data.EntityClient"
with the same result. I don't understand what the required provider name would be. Please let me know if you need more information.
Here are my two cents on this issue:
Prerequisite: please make sure you have the same connection string value in the Azure portal web app configuration settings as well.
If you are using the designer-based approach, then you need to define the connection string that the designer generates, which looks something like this:
<add name="Northwind_Entities"
     connectionString="metadata=res://*/Northwind.csdl|
                       res://*/Northwind.ssdl|
                       res://*/Northwind.msl;
                       provider=System.Data.SqlClient;
                       provider connection string=
                       &quot;Data Source=.\sqlexpress;
                       Initial Catalog=Northwind;
                       Integrated Security=True;
                       MultipleActiveResultSets=True&quot;"
     providerName="System.Data.EntityClient"/>
If you're not using the designer (if you don't have an .edmx file), the connection string should look like this:
<add name="ConnectionStringName" providerName="System.Data.SqlClient" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;Integrated Security=False;User Id=userid;Password=password;MultipleActiveResultSets=True" />
Additional reference:
https://learn.microsoft.com/en-us/ef/ef6/fundamentals/configuring/connection-strings?redirectedfrom=MSDN
https://forums.asp.net/t/1858681.aspx?The+connection+string+EFDbContext+in+the+application+s+configuration+file+does+not+contain+the+required+providerName+attribute+
Hope it helps.
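As an added example (not code from the answer), the Python below parses the <connectionStrings> section of a Web.config and applies the rule the answer describes: an EDMX-generated string (one that starts with metadata=) needs providerName System.Data.EntityClient, a Code First string needs the ADO.NET provider such as System.Data.SqlClient, and a missing providerName is what produces the exception in the question. It also flags two things a reviewer would want caught before deploying: a password embedded in the config file and Encrypt=False. The sample Web.config is constructed; the server, database and credential values in it are not real.

```python
"""Check <connectionStrings> entries in a Web.config for the problems behind
"does not contain the required providerName attribute". Added example, not
from the original post; the sample config below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# EF6 rule of thumb: a designer (EDMX) string starts with metadata= and must use
# System.Data.EntityClient; a Code First string is a plain ADO.NET string and
# must name the ADO.NET provider (System.Data.SqlClient for SQL Server).
ENTITY_PROVIDER = "System.Data.EntityClient"
SQL_PROVIDER = "System.Data.SqlClient"


def check_connection_strings(web_config_xml: str) -> dict:
    """Return {name: [problems]}; an empty list means the entry looks right."""
    root = ET.fromstring(web_config_xml)
    cs = root if root.tag == "connectionStrings" else root.find("connectionStrings")
    if cs is None:
        return {}
    results = {}
    for add in cs.findall("add"):
        name = add.get("name", "<unnamed>")
        value = add.get("connectionString", "")
        provider = add.get("providerName")
        problems = []
        is_entity = value.lstrip().lower().startswith("metadata=")
        if provider is None:
            problems.append("missing providerName (EF6 requires it)")
        elif is_entity and provider != ENTITY_PROVIDER:
            problems.append(f"EDMX connection string must use providerName={ENTITY_PROVIDER}")
        elif not is_entity and provider == ENTITY_PROVIDER:
            problems.append(f"plain ADO.NET string cannot use {ENTITY_PROVIDER}; use e.g. {SQL_PROVIDER}")
        # Secrets belong in App Service settings or Key Vault, not in the file.
        if re.search(r"(?i)(^|;)\s*(password|pwd)\s*=\s*[^;]+", value):
            problems.append("password embedded in Web.config; move it to App Service settings or Key Vault")
        if re.search(r"(?i)encrypt\s*=\s*false", value):
            problems.append("Encrypt=False: transport to the database is not encrypted")
        results[name] = problems
    return results


# Constructed sample Web.config: one entry with the question's defect, one
# correct EDMX entry, and one Code First entry with the wrong provider.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="PetSchedulerDbContext"
         connectionString="Server=tcp:example.database.windows.net,1433;Initial Catalog=petdb;User ID=app;Password=REDACTED;Encrypt=True;" />
    <add name="Northwind_Entities"
         connectionString="metadata=res://*/Northwind.csdl|res://*/Northwind.ssdl|res://*/Northwind.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=.;Initial Catalog=Northwind;Integrated Security=True&quot;"
         providerName="System.Data.EntityClient" />
    <add name="Reporting"
         connectionString="Data Source=.;Initial Catalog=Reports;Integrated Security=True;Encrypt=False"
         providerName="System.Data.EntityClient" />
  </connectionStrings>
</configuration>
"""

if __name__ == "__main__":
    for name, problems in check_connection_strings(SAMPLE_WEB_CONFIG).items():
        print(name, "->", problems or "ok")
```

Point it at the real Web.config (read the file and pass its text) as a pre-commit or pipeline step; the script checks the file only, so the connection string entered in the portal, which the answer's prerequisite covers, still has to be reviewed separately.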
For an Azure Service Principal, we have the keys below in the config file:
<add key="SubscriptionId" value="" />
<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="TenantId" value="" />
Is there any Azure Key Vault-like service available where we can securely keep these keys and use them on demand?
The client secret is more important than the rest, and it needs to be secured. Unfortunately, it is the gateway for calling your Key Vault even if you store it in Key Vault. A client secret is not the only way to authenticate to Azure AD. Instead of a client secret, you can use your certificate when creating a key. Uploading that certificate will give you a thumbprint. You then need to upload your private key (a PEM or PFX) somewhere in Azure, commonly in the application or in Azure App Service (ref https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load). Your application code just needs to read the certificate (of course you need to set a password for your certificate) and if the thumbprint matches, you are authorized by Azure AD.
Other sensitive information such as storage access key, database connection string, Redis cache key, VM password or your corporate certificate can be stored in KeyVault.
If you don't like the complex process to get an access token, have a look at Managed Service Identity, which lets an Azure service become a service principal itself. There is no need for a client app registration and client secret. MSI is currently in the preview stage and available to some services.
I have just started to learn the new Office 365 API. I also don't understand server-side programming very deeply. I have VS2013 and all prerequisites as pointed out in the link below. Some examples with a Windows Desktop App worked. But when I get the example https://code.msdn.microsoft.com/Office-365-APIs-Get-d75d1c8a, it fails during setup in Service Manager after signing in to O365.
The error message is "Unsupported or invalid query filter clause specified for property '' appId of resource 'Service Principal'". This message appears instead of the permissions in Service Manager. When I press OK, the "Sign In" item in Service Manager is still there: Authentication Failed.
Please help!
You need to remove the existing client id and settings from app.config (or web.config in web project). When I removed the following from App.config in the Office365Api.Demo project, I was able to register the app in my own Azure AD.
<add key="ida:ClientId" value="[put here your ClientID]" />
<add key="ida:RedirectUri" value="http://localhost/eb2c041088c22f67fecaffda29528308" />
<add key="ida:AuthorizationUri" value="https://login.windows.net/" />