Azure DevOps Server (on premise) integrate with SourceTree or GitKraken

I've recently set up an Azure DevOps Server on a VM but I can't seem to connect to it using GitKraken. GitKraken will give the error "Could not reach the specified host domain".
SourceTree will give an error "TF400813: Resource not available for anonymous access. Client authentication required".
I used devops.ourdomain.com/MyCollection on SourceTree/GitKraken to try and connect. I tried it with the /MyCollection and without.
On IIS Anonymous Authentication is enabled, and so is Windows authentication.
Currently the DevOps environment is not connected to our AD; authentication is done through local Windows accounts on the VM.
Are there any settings on the server that I'm possibly missing? The DevOps environment is only reachable when you are connected to our VPN, so maybe that could be the issue?
Connecting through Visual Studio directly does work.

Regarding GitKraken: The Azure DevOps integration is intended for hosted instances only. There is an active feature request to support on premises Azure DevOps Server instances.
https://feedback.gitkraken.com/suggestions/184569/azure-devops-server-integration

Related

How can Azure Devops get connected to kubernetes on an On-Premise Server with Rocky Linux 9

Hello,
we are going to connect Azure DevOps to Kubernetes on a bare metal server with Rocky Linux 9 installed. The connection between the server and Azure DevOps is already done; now we have the challenge of getting Azure DevOps and Kubernetes connected. Does somebody have an idea in which form we can get the connection between k8s and Azure DevOps?
On Azure DevOps, you can set up a Kubernetes service connection to your Kubernetes.
Navigate to "Project Settings" > "Service connections" > "New service connection" button > select "Kubernetes".
Since your Kubernetes is hosted on your on-premise server, you can select "KubeConfig" or "Service Account" as the authentication method. Then provide the required values following the notes in the new service connection window.
After the Kubernetes service connection is created successfully, you can use it in pipelines by referencing its name, to access the Kubernetes resources from pipelines on Azure DevOps.

Azure App Service Deploy returns (403) Forbidden with IP restriction

In Azure, I turned on IP restrictions for:
Web App (Networking > Access Restrictions)
SQL server (Firewalls and virtual networks > Add client IP)
SQL database (Set server settings)
The solution still builds locally and in DevOps (aka Team Foundation Server).
However, Azure App Service Deploy now fails:
##[error]Failed to deploy App Service.
##[error]Error Code: ERROR_COULD_NOT_CONNECT_TO_REMOTESVC
More Information: Could not connect to the remote computer
("MYSITENAME.scm.azurewebsites.net") using the specified process ("Web Management Service") because the server did not respond. Make sure that the process ("Web Management Service") is started on the remote computer.
Error: The remote server returned an error: (403) Forbidden.
Error count: 1.
How can I deploy through the firewall?
Do I need a Virtual Network to hide Azure resources behind my whitelisted IP?
The REST site scm.azurewebsites.net must have Allow All, i.e. no restriction. Also, "Same restrictions as ***.azurewebsites.net" should be unchecked.
It does not need additional restriction because URL access already requires Microsoft credentials. If restrictions are added, the deploy will fail at the firewall, hence the many complications I encountered.
I think the answer is incorrect, as you might face data exfiltration, and that's the reason Microsoft provides the feature to lock down the SCM portal (Kudu console).
There is also a security issue on the Kudu portal, as it can display the secrets of your Key Vault (if you use Key Vault), and you don't want someone in your organisation to access the Kudu portal, for example.
You have to follow this link
https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops
It will provide you the Azure DevOps IP ranges that you need to allow in the SCM access restriction.
Update: To make it work as expected and to use App Service Access Restriction (same for an Azure Function), you need to use the service tag "AzureCloud" and not the Azure DevOps IP range, as that is not enough. In the Azure Pipeline logs you can see the blocked IP, and you can see that it's within the "AzureCloud" service tag in the Service Tags JSON file.
It's not really clear in the MS docs, but the reason is that they struggled to define a proper IP range for Azure DevOps Pipelines, so they use IPs from the AzureCloud service tag.
https://www.microsoft.com/en-us/download/details.aspx?id=56519
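As an added example (not from any of the answers above), a small Python check that parses a Service Tags JSON download in the shape Microsoft publishes and reports which tags contain the IP that the pipeline log showed as blocked, which is the lookup the update above describes doing by hand. The embedded JSON is a constructed sample with a few illustrative prefixes, not the real file.

```python
import ipaddress
import json

# Constructed sample in the shape of the Service Tags JSON download:
# a "values" list of tags, each carrying properties.addressPrefixes.
# Prefixes here are illustrative only; the real file lists thousands.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud", "id": "AzureCloud",
     "properties": {"region": "", "platform": "Azure", "systemService": "",
                    "addressPrefixes": ["13.64.0.0/11", "13.104.0.0/14", "2603:1000::/24"]}},
    {"name": "AzureDevOps", "id": "AzureDevOps",
     "properties": {"region": "", "platform": "Azure", "systemService": "AzureDevOps",
                    "addressPrefixes": ["13.107.6.0/24"]}}
  ]
}
"""


def load_tag_networks(raw_json):
    """Return {tag name: [ip_network, ...]} from a Service Tags JSON document."""
    doc = json.loads(raw_json)
    tags = {}
    for entry in doc["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        # strict=False tolerates prefixes written with host bits set
        tags[entry["name"]] = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return tags


def tags_containing(ip, tag_networks):
    """Sorted names of the service tags whose prefixes contain ip (v4 or v6).

    An SCM access-restriction rule built on one of these tags would admit ip;
    an empty list means none of the loaded tags would.
    """
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tag_networks.items()
                  if any(addr in net for net in nets))


if __name__ == "__main__":
    networks = load_tag_networks(SAMPLE_SERVICE_TAGS_JSON)
    # Constructed IP standing in for the one shown as blocked in a 403 deploy log.
    for blocked_ip in ("13.80.1.2", "13.107.6.175", "8.8.8.8"):
        print(blocked_ip, "->", tags_containing(blocked_ip, networks) or "no matching tag")
```

Run it against the real download by reading the file into `load_tag_networks` instead of the sample string.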
In my case I was deploying using Azure DevOps and got the error. It turned out the App Service where my API was being deployed to had the box "Same restrictions as xxxx.azurewebsites.net" checked, under access restrictions or IP restrictions. You need to allow scm.azurewebsites.net.
Try adding the application setting WEBSITE_WEBDEPLOY_USE_SCM with a value of false to your Azure App Service. This was able to solve my issues deploying to a private endpoint.
In my case it was because the daily quota was exceeded.
So the solution in this case is either to wait or to pay more (scale up the App Service).
In my case this was because the wrong agent (Windows hosted) was being used when I should have been using a self-hosted internal agent... so I needed to change it at the following location

Development with offline Azure Active Directory

We are developing an HTML5/Angular web application with a server backend that will be hosted in MS Azure, which will also authenticate via Azure Active Directory. However, during development there is occasionally the need to work offline and disconnected from the internet. When this happens it is not possible to debug and test the application, as it is not possible to reach Active Directory to authenticate.
Is it possible to create a local virtual machine in VirtualBox with all the necessary AD functionality included, and then switch the software to use that local VM in development mode but Azure AD in release mode?
If it is, what steps/roles etc. will need to be installed in my local server VM?
Many thanks
Alan
No, it is impossible to use the features provided by Azure AD without an internet connection.
Is it possible to create a local virtual machine in VirtualBox with all the necessary AD functionality included, and then switch the software to use that local VM in development mode but Azure AD in release mode?
If you want to use the authentication, you may need to set up your own Identity Provider server when you are working offline. There are a lot of open source libraries that can help to set up the Identity Provider server, like IdentityServer,
AspNet.Security.OpenIdConnect.Server etc.

MS Azure AD Connect: Download on a Mac for VM?

I am using Azure AD to test SSO for a customer, and it appears that I have to download AD Connect. I am on a Mac, but intend to test in a Windows 10, MS AD VM in Azure. How do I incorporate AD Connect into my VM when my Mac won't open the download file?
AD Connect is required in order to sync directory information between on-prem AD and AAD. You can (but might violate security best practices) run AD Connect on the Domain Controller itself. Once set up, users will sync between your on-prem environment and AAD. You can then test SSO.
I'm not sure where you got the requirement that AD Connect needs to be installed on your Mac. It doesn't; it just needs to be installed on a Windows server with access to the domain as well as internet access to sync with AAD.

Azure RDP requires certificate installed on client machine?

On a project I'm working on at my current job, we need to enable RDP on an Azure web role. I've enabled RDP, but the client is not able to connect. We confirmed the RDP port is open as well.
Doesn't the client need to install a certificate on his/her machine as well?
No, the client doesn't need to install a certificate on their machine. When you deploy a cloud service from Azure you can opt to have an RDP account created at the point of deployment; this will automatically configure the endpoints for 3389 on the instance. Are you sure the client is using the correct case on the password and has their firewall open on 3389?
No, it does not. If you're having problems, try to download the assistant file that will set up everything BUT your firewall, leaving you to just hit "Connect".