New Azure AD Connect Cloud agent status inactive - azure

Installed 2 different member servers with Azure AD Connect cloud agents both have an inactive status.
I confirmed;
Both installs complete successfully
Proxy settings are off
Since the Azure port test URL is no longer working I manually tested several of the URLs listed on https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud, they were working
Here is a snippet from the local/server logs;
AADConnectProvisioningAgent.exe Error: 0 : Service bootstrap request failed with exception: 'System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at https://[UUID].syncfabric.bootstrap.his.msappproxy.net/ConnectorBootstrap that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStreamAsyncResult.CompleteGetRequestStream(IAsyncResult result)
When it says "the remote server returned an error: 407 proxy authentication", is that MS end or our end?

After trying numerous updates to the machine.config file, as with most MS products there are 100 different options to "try" to get the proxy settings right. None worked even after restarting the service.
We eventually gave up on that and manually set the proxy itself to allow the Azrue AD agent computer/IP to skip/bypass authentication and it connected successfully.

Related

Azure Devops Service Hooks (Webhook) fails with The underlying connection was closed: An unexpected error occurred on a send

I've configured a service hook -> webhook that invokes a remote HTTPS URL with a valid certificate.
When testing the webhook I get this error:
There was an error sending the request, so there was no response.
Error(s):
An error occurred while sending the request.
The underlying connection was closed: An unexpected error occurred on a send.
You may not call this function on a different context than the original request
Invoking the same URL with curl everything is fine.
EDIT: Reading answers with a similar error I thought the problem could be related to the TLS version used by Azure Devops.
My remote service was enabled for TLS 1.3 and 1.2 and failed with <= 1.1.
I configured it to allow TLS 1.0 and 1.1 as well and I keep getting the same error.
I had checked "Accept untrusted SSL certificates". Unchecking it fixed the problem.

Azure function using hybrid connection

I have an azure function which is supposed to call an on-prem API. The application works fine in my dev environment. But there is a problem when I deployed it to Azure. I have already set up a hybrid connection for my Azure function to connect to the on-prem server. But when I run the code to get a response from on-prem API I get a 204 error. I believe there is a problem with the connection to on-prem from Azure. Could you review my setting and advice if anything is wrong?
My Code:
var request = new RestRequest("**https://onPremServer.internal.myDomain.com:534**/api/token", Method.Post);
204 status code its not an Error. its successfully request and response.
200-206 status code its show successfully. and 204 status code show its not content return by the API. Its Api return content. You can change content from API Side.
The 204 (No Content) status code indicates that the server has
successfully fulfilled the request and that there is no additional
content to send in the response payload body.
204 status No Content by Apihandyman site.
Azure Functions Using Hybrid Connections by stefanroth.

Authorization failed when trying to log into AWS using SSO using internal Azure Platform

I am trying to use an AWS single sign on script from my company to log into aws using the internal Azure Platform. When trying to log into the platform using SSO, I receive the following error messages:
Logging in to Azure AD...
Please enter your username(email address): test#company.com
Please enter your password: ********
Login failed: Authorization failed, please activate company's VPN.
The logs of the sso script show me this information:
2022-07-11 11:57:42,042 auth_with_adfs 207 | DEBUG | loginMessage: Authorization failed
2022-07-11 11:57:42,042 log_in_to_aad 174 | ERROR Login failed: Authorization failed, please activate your company's VPN.
I have activated the VPN so that is not the issue.
By looking at the internals of the files that raise those errors I found out that during the failed login process the login page for the Microsoft Office 365 Identity Platform is returned.
The login webpage tells me that I receive the following error when logging in with my credentials:
Error details: MSIS7012: An error occurred while processing the request. Contact your administrator
My POST request seems to be redirected with a 302 code and GET the login page with a 200 OK response.
So I can tell that I get stuck during the login process and according to the error message it is an authorization issue. My credentials are correct so I am wondering what needs to be changed here to get correct access? Is there some permissions missing I should have a closer look at? Do I need to make changes in AzureAD somehow?
Thanks in advance for looking into this, I know the information is sparse but I hope it is enough.

Where to find the Azure AD Auth Failure logs?

I have problem authenticating with Azure AD occasionally. I get the error that shown at the bottom of the page.
I set the following
IdentityModelEventSource.ShowPII = true;
to see the logs to find out what configuration that I'm missing. Where can I see the logs?
I'm running the WebAPI locally on my machine and the URL is https://localhost:16135/weatherforecast. I get the token via POSTMAN which is succeeding but using that token to execute the WebAPI is failing with the error.
This is the error that I see:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
---> System.Net.Http.HttpRequestException: No such host is known.
---> System.Net.Sockets.SocketException (11001): No such host is known.
The error says "No such host in known"
If you are making a call to the WebAPI from outside your local machine. Then it will not find localhost.
Try using the name of your machine in the uri.

IDX10803 and IDX10804 error with Azure AD

I have created a Web API in ASP.NET Core 2 and it is secured with Azure AD. The requests work fine in my dev environment. However when I publish the API to IIS and pass in a Authorization header in request I am getting these error:
fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
Exception occurred while processing message.
System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://login.microsoftonline.com/xxxx/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://login.microsoftonline.com/xxxx/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A connection with the server could not be established
What am I doing wrong? I can browse the url in browser successfully.
I figured it out. It was because of a proxy setting to access the internet. Since ASP.NET Core does not pick up proxy setting from system.net area of web.config, the ideal solution was to create a middle ware to act as proxy.
I was running short of time. So I created a new user and logged on server with that new user and configured the proxy settings in Internet Explorer options. Then I configured the App Pool in IIS to run under that user's identity. Problem solved!
The correct answer is to add a proxy to the metadata request that ADAL makes using BackchannelHttpHandler. You can do it like this:
public void Configure(string name, JwtBearerOptions options)
{
options.BackchannelHttpHandler = new HttpClientHandler
{
UseProxy = true,
Proxy = new WebProxy
{
Address = new Uri($"{appSettings.InternetProxyUrl}:{appSettings.InternetProxyPort}"),
UseDefaultCredentials = true
}
};
}

Resources