I'm attempting to query a remote machine with the PowerShell cmdlet: Get-WmiObject and using credentials for a user in Azure AD that has the Azure AD joined device local administrator role and the IAM role assignment of Virtual Machine Administrator Login on the remote machine.
When I run the following command:
Get-WmiObject -Class Win32_Process -Namespace "root/cimv2" -ComputerName <remote_computer_local_ip> -Impersonation Impersonate -Credential AzureAD\<username>
I receive the following error message:
Get-WmiObject : A security package specific error occurred. (Exception from HRESULT: 0x80070721)
Is the ability to run remote WMI queries supported when using an Azure AD user?
Remote machine specs:
Windows Server 2019 Datacenter
10.0.17763 Build 17763
Other troubleshooting notes:
I'm able to sign to the remote machine with the same user and have followed the steps in the https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows document
When running the same command on the remote machine locally it properly returns the Win32_Process data
If I use the local administrator credentials on the remote command it also works which suggests that remote WMI is working
Both computers are Azure AD joined and show AzureAdJoined : YES from the dsregcmd /status command
I've attempted to use the Computer Name, Local IP, and FQDN and they all yield the same result
After talking with Microsoft support about this issue, it seems that the error stems from the different authentication methods between a local user account and an Azure AD account.
It seems it is not supported as they are using different authentication protocols.
Azure AD user uses OAuth and the security error is due to Kerberos.
Here is the reference article for more details: Authentication protocols in Azure Active Directory B2C | Microsoft Docs
They have also mentioned that there is no current information on whether or not this will be supported in the future and have recommend checking Azure updates for future product updates.
It could happen for number of reasons. Please check if any of these in your case is the one.
When You try to setup a WMI session when:
a. There are more than one computer accounts with the same name in play and one of those stale computer accounts resides in the same domain as your user account
b. Or when servers operating reside in the same AD DS forest but in different domains.
When server is not able to find the user object due to password credentials that may be stored as cache from previous login.
Incorrect time on machines/server that doesn’t match.
If firewalls are enabled for server which may restrict the access.
possible work arounds
Try azuread\user#mydomain.com or user#mydomain.com or domainame\username format to login or Try taking out the domain and adding it back again.
The local PC and remote PC must be in the same Azure AD tenant.
Run AAD delta Sync to make sure everything is Synced and make sure of internet connectivity and network.
Try if you can turn off firewall.
References:
remote access - AAD- Server Fault
rdp -Azure AD Joined - Server Fault
«0x80070721 | exchange12rocks.org)
A security package specific error occurred | Microsoft Docs
Related
I'd like to add an offsite Windows VM to Azure Arc for health monitoring. The VM is hosted by Vultr and runs Windows Server 2016 Standard Build 14393.
However, installing AzureConnectedMachineAgent.msi on the target VM fails with error code 1603. Installation log also contains this error:
Start-Service : Service 'Guest Configuration Extension service
WixQuietExec64: (ExtensionService)' cannot be started due to the following error: Cannot start
WixQuietExec64: service ExtensionService on computer '.'.
WixQuietExec64: At C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\Modules\Exte
WixQuietExec64: nsionService\ServiceHelper.psm1:367 char:5
Any suggestions on how to fix this?
You may Check if the user with which you are logged into the VM have
sufficient permissions to start a system service
If you find the following in the
%ProgramData%\AzureConnectedMachineAgent\Log\himds.log or in installation logs :
time="2021-02-11T08:39:38-08:00" level=error msg="Cannot open event source: Azure Hybrid Instance Metadata Service."
You can verify the permissions by collecting the following registry
key from an impacted server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS
Mitigation can be to grant the permission to write to the
SECURITY_SERVICE_RID S-1-5-6 which would grant the required
permissions to the himds service account.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids.
If the registry key does NOT exist on the impacted VM, then this
resolution will NOT apply as there will be a separate root cause such
as AV interference.
If the root cause is not found here ,then a procmon trace needs to be
taken to analyze the root cause for the msi not being able to start a
service.
( In case a procmon trace has to be analyzed , please open an MS
Support ticket)
To get support for Windows Agent and extensions in Azure, the Windows
Agent on the Windows VM must be later than or equal to version
2.7.41491.911. However the cause for the failure of agent installation is different in this case.
You may also want to check %programdata%\ext_mgr_logs\gc_ext_telemetry.txt log which must have had an entry something like this :
<GCLOG>........ Not starting Extension Service since machine is an Azure VM</GCLOG>
Cause:
This can happen while attempting to install the agent on an Azure VM.This is an unsupported production scenario.One Should not be installing this agent on an Azure VM as it conflicts with the Azure Guest Agent and interferes with Azure VM management.
If one wishes to use an Azure VM simply for testing purposes then
they can follow the below document for guidance
https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine
We have a Key Vault in a resource group in an Azure instant.
We have a user in the US (ME) and a user in different country (FU).
Both of use have many things in common, namely:
Using same version of VS 2017.
Running the exact same code.
Our VS user account is the same (a user in our Azure AD instance).
We are using a Managed Identity
If I run the code in US (logged in in VS as the FU), I am able to read the secret and display on the screen.
If the FU(logged in in VS as the FU but in another country), when he runs the code it throws the following exception
Operation returned an invalid status code 'Unauthorized'
The line of code that throws the error is:
var secret = await keyVaultClient.GetSecretAsync("https://XXXXXXX.vault.azure.net/secrets/username")
.ConfigureAwait(false);
We have both installed Azure CLI 2.0.
However, I found these stipulations at this site.
Your on-premise active directory is synced with Azure AD.
You are running this code on a domain joined machine.
Neither of these are true in our case.
Possibly a good test of these would for our vendor to allow me to remote into his machine and put my identity on VS and then run the code.
If we still get the error, then it is very likely this is our problem.
The above link said we could "Run the application using a service principal in local development environment"
Would that fix the problem???
I am fairly new to Azure and C#. Any help would be greatly appreciated!
I have 2 sites. Each site has one SCVMM configured to do Azure Site Recovery
ASR is configured to replicate the VM form one site to another.
Here is the issue, my VM size is big and i want to do the initial replication offline instead of over the Network and it just not allowing me saying permission issues.
Can anyone help me to find, what could be going wrong here?
ERROR MESSAGE
Permissions couldn't be set for one or more hosts on the initial replication folder path.
Provider error code: 31218
Provider error message:
The VMM service couldn't provide permissions for cs\nimbl[enter image description here][1]ecs1$ on \\nimblecs1\f$. Error: Object reference not set to an instance of an object.. During cloud configuration, the VMM service provides permissions for Hyper-V service accounts on the import and export paths used for initial replication.
Provider error possible causes:
The VMM service doesn't have the required privileges to modify the permissions on the import and export paths.
Provider error recommended action:
Ensure that the VMM service account has the required privileges to perform this operation.
POSSIBLE CAUSES
Verify that the initial replication path exists and is accessible.
forgot user name password for a linux (ubuntu) vm. tried to "Reset Remote Access" from the portal, but it is not helping - more than 30 minutes - it still shown in progress. Tried to do it via azure command line. Created a new user with password, but unable to login. SSH says access denied. Should I do any additional steps?
After creating new user you should also reset your SSH connection. You could refer to Reset Access and Manage Users and Check Disks with the Azure VMAccess Extension for Linux for detailed steps.
I’m trying to use web deploy to deploy my dacpac package, which comes to executing some sql scripts.
I have local windows account called .\DeploymentService, which is in local Administrators group, which I want to own the database and execute scripts.
For that - I configure delegation accordingly - In Management Service Delegation I set "Specific User" for dbDacFx rule = .\DeploymentService providing password
I create according serveradmin login in SQL Server. My WMSvc executed under LOCAL SERVICE account.
I use the following command line parameters for deployment:
msdeploy.exe
-verb:sync
-source:dbDacFx="C:\Main\Src\Community.DB\bin\Debug\Community.DB.dacpac"
-dest:dbDacFx="Data Source=.;Database=CommunityInt; Integrated Security=true",computername=”https://Community02:8172/msdeploy.axd?site=Default
Web Site”,username=.\DeploymentService,password=*************,authType=basic
-allowuntrusted
I execute it on my PC, where destination is different PC.
However this fails with error “Invalid Handle” or “Class name not found” depending on do I have “Local service” login with public role in my SQL Server created.
Expected behavior:
When I set user name in Management Service Delegation to specific account, I expect MSDeploy to be executed under the account I specified.
Actual behavior:
I traced using SQL profiler in target environment and I found out that WMSvc executes msdeploy under its process account (LOCAL SERVICE) instead of .\DeploymentService, and that’s why script execution fails. If in SQL server I have LOCAL SERVICE account mapped to serveradmin role, then it works fine. If I execute WMSvc under .\DeploymentService account, it also works fine.
So basically there is NO WAY TO USE "User Name" in Management Service Delegation - It just does not matter what you set up there - it gives no effect.
Does any one know how to make that work?
Keywords: WebDeploy, WMSvc, dbDacFx, Impersonation, Delegation
Hey guys I'm sorry to hear that you are running into this issue. I wanted to let you know that we have a bug in the dbDacFx provider/MSDeploy which is preventing SQL Auth to work when used with the dbDacFx provider in WMSvc scenarios.
We have not yet received enough feedback regarding this to warrant servicing MSDeploy in order to unblock this. If you are impacted by this the best thing to do is to create an entry at http://aspnet.uservoice.com and vote it up. If we get enough votes then we can consider shipping an update to unblock this. Sorry for the bad news.