Getting error in Cloudshell: Connect-AzAccount: InteractiveBrowserCredential authentication failed - azure

I have an existing paid Azure subscription. Somehow, I failed to pay my bills and the subscription got deactivated; then I paid and activated it again.
But after this incident, I am getting one strange error in Cloud Shell, as follows:
a) From my Win 10 machine, I opened Chrome/ Edge browser
b) Logged in to Azure Portal
c) Opened Cloud shell and Opened PWSH mode
d) Typed in Connect-AzAccount
Getting the following warning and then an error:
--> WARNING: Unable to acquire token for tenant 'organizations'
--> Connect-AzAccount: InteractiveBrowserCredential authentication failed: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com
This never happened earlier and it always worked normally before. I also tried with some other Windows systems: same error. But when I try to use the locally installed PowerShell, it works like a charm. Please advise what went wrong.

If you use Cloud Shell, then you don't need to use this command to connect to Azure. Your Azure Cloud Shell session is already authenticated for the environment, subscription, and tenant that launched the Cloud Shell session.
Please see the documentation:
Sign in interactively with the Connect-AzAccount cmdlet. Skip this step if you use Cloud Shell. Your Azure Cloud Shell session is already authenticated for the environment, subscription, and tenant that launched the Cloud Shell session.
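The check behind this answer, as an added example that is not part of the original question or answer: reuse the context Cloud Shell already has, and only sign in (with device-code flow, which needs no local browser or xdg-open) when no context exists. It assumes the Az.Accounts module is loaded; the function name and parameters are my own.

```powershell
# Added example, not from the original answer. Assumes Az.Accounts is available
# (it is in Cloud Shell); Get-AzSessionOrSignIn is a hypothetical helper name.
function Get-AzSessionOrSignIn {
    param(
        [string]$TenantId,        # optional: avoids the 'organizations' tenant warning
        [string]$SubscriptionId   # optional: subscription to select after sign-in
    )

    # Cloud Shell (or a desktop session that already ran Connect-AzAccount)
    # has a context; calling Connect-AzAccount again is unnecessary there.
    $ctx = Get-AzContext -ErrorAction SilentlyContinue
    if ($ctx -and $ctx.Account) {
        Write-Host "Reusing existing sign-in: $($ctx.Account.Id) (tenant $($ctx.Tenant.Id))"
    }
    else {
        # No context: use device-code sign-in, which prints a code and URL to
        # open on any device, so it works where a browser cannot be launched.
        $connectArgs = @{ UseDeviceAuthentication = $true }
        if ($TenantId) { $connectArgs['Tenant'] = $TenantId }
        Connect-AzAccount @connectArgs | Out-Null
        $ctx = Get-AzContext
    }

    if ($SubscriptionId) {
        # After a subscription was disabled and re-enabled, the default
        # subscription may not be the one you expect, so select it explicitly.
        Set-AzContext -Subscription $SubscriptionId | Out-Null
        $ctx = Get-AzContext
    }
    return $ctx
}

# Usage: show which account and subscription commands will run under.
$session = Get-AzSessionOrSignIn
"{0} -> {1}" -f $session.Account.Id, $session.Subscription.Name
```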

Related

Remote WMI query failing with 'A security package specific error occurred' when using Azure Active Directory user

I'm attempting to query a remote machine with the PowerShell cmdlet: Get-WmiObject and using credentials for a user in Azure AD that has the Azure AD joined device local administrator role and the IAM role assignment of Virtual Machine Administrator Login on the remote machine.
When I run the following command:
Get-WmiObject -Class Win32_Process -Namespace "root/cimv2" -ComputerName <remote_computer_local_ip> -Impersonation Impersonate -Credential AzureAD\<username>
I receive the following error message:
Get-WmiObject : A security package specific error occurred. (Exception from HRESULT: 0x80070721)
Is the ability to run remote WMI queries supported when using an Azure AD user?
Remote machine specs:
Windows Server 2019 Datacenter
10.0.17763 Build 17763
Other troubleshooting notes:
I'm able to sign in to the remote machine with the same user and have followed the steps in the https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows document
When running the same command on the remote machine locally it properly returns the Win32_Process data
If I use the local administrator credentials on the remote command it also works which suggests that remote WMI is working
Both computers are Azure AD joined and show AzureAdJoined : YES from the dsregcmd /status command
I've attempted to use the Computer Name, Local IP, and FQDN and they all yield the same result
After talking with Microsoft support about this issue, it seems that the error stems from the different authentication methods between a local user account and an Azure AD account.
It seems it is not supported as they are using different authentication protocols.
Azure AD user uses OAuth and the security error is due to Kerberos.
Here is the reference article for more details: Authentication protocols in Azure Active Directory B2C | Microsoft Docs
They have also mentioned that there is no current information on whether or not this will be supported in the future and have recommended checking Azure updates for future product updates.
It could happen for a number of reasons. Please check whether any of these applies in your case.
When you try to set up a WMI session when:
a. There is more than one computer account with the same name in play and one of those stale computer accounts resides in the same domain as your user account
b. Or when the servers involved reside in the same AD DS forest but in different domains.
When the server is not able to find the user object due to cached password credentials from a previous login.
Incorrect time on the machines/server that doesn't match.
If firewalls are enabled on the server, which may restrict access.
Possible workarounds:
Try the azuread\user@mydomain.com or user@mydomain.com or domainname\username format to log in, or try taking out the domain and adding it back again.
The local PC and remote PC must be in the same Azure AD tenant.
Run an AAD delta sync to make sure everything is synced, and make sure of internet connectivity and the network.
Try turning off the firewall, if you can.
References:
remote access - AAD- Server Fault
rdp -Azure AD Joined - Server Fault
0x80070721 | exchange12rocks.org
A security package specific error occurred | Microsoft Docs

Azure AD Connect "Unable to validate credentials"

I am working on an already functioning Azure AD Connect VM; it syncs and the proxy connection responds with code 200.
But whenever I want to sign in to AAD Connect on my VM with my admin account, I get this error:
"Unable to validate credentials due to an unexpected error. Restart Azure AD Connect with the /InteractiveAuth option to further diagnose this issue."
Any idea what could cause this? I have tried every forum idea I could find with no answer. Oh, and upgrading is also not an option, since to upgrade I need to sign in as well... which I can't.
Thanks!
Steps to resolve the issue:
Navigate to the directory on the server where AD Connect is installed and copy the path ("C:\Program Files\Microsoft Azure Active Directory Connect").
Open a command prompt and change directory to the path copied above.
Type and run AzureADConnect.exe /InteractiveAuth in the prompt.
After you have performed the above steps, log in using the same account and upgrade the Azure AD Domain Controller.
Run the command below in cmd (Command Prompt) and log in to the account.
It will open the AAD Connect login dialog with a GUI:
"C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe" /interactiveauth

Accessing a Azure Key Vault secret works on server box but not local?

We have a Key Vault in a resource group in an Azure instance.
We have a user in the US (ME) and a user in a different country (FU).
Both of us have many things in common, namely:
Using same version of VS 2017.
Running the exact same code.
Our VS user account is the same (a user in our Azure AD instance).
We are using a Managed Identity
If I run the code in the US (logged in to VS as FU), I am able to read the secret and display it on the screen.
When FU (logged in to VS as FU, but in another country) runs the code, it throws the following exception:
Operation returned an invalid status code 'Unauthorized'
The line of code that throws the error is:
var secret = await keyVaultClient.GetSecretAsync("https://XXXXXXX.vault.azure.net/secrets/username")
.ConfigureAwait(false);
We have both installed Azure CLI 2.0.
However, I found these stipulations at this site.
Your on-premise active directory is synced with Azure AD.
You are running this code on a domain joined machine.
Neither of these is true in our case.
Possibly a good test of this would be for our vendor to allow me to remote into his machine, put my identity in VS and then run the code.
If we still get the error, then it is very likely this is our problem.
The above link said we could "Run the application using a service principal in local development environment"
Would that fix the problem?
I am fairly new to Azure and C#. Any help would be greatly appreciated!

Unable to add ssh key in azure vm

I am the admin of this particular Azure subscription. I had to add my SSH key to an Ubuntu server. But when I try to add the SSH key through "Reset Password", after some time I get the following error message:
VM agent on VM 'Server' has not reported latest status for extension 'enablevmaccess'. Please verify the VM has a running VM agent and can establish outbound connections to Azure storage.
What might be the issue? How to resolve this?
Failed to reset ssh key
vmaccess is enabled
Two simple things you might try:
Uninstall the VMAccess extension and try reset again.
Use the 'Run Command' to set/reset password.
Hope this helps.
Your first error tells you exactly why this happens. The VM extension needs to talk to Azure Storage to report extension status. If it can't, portal operations might fail (this doesn't mean the extension failed; it's just unable to report the actual extension status).

Interactive login is required. Use 'azure login' to interactively login

Trying to run Kubernetes on Azure, I'm stuck on ./azure-login.js -u <your_username>.
I'm getting the following:
[aii@localhost azure]$ ./azure-login.js -u aii@aii_domain.com
info: Executing command login
Password: ********
+ Authenticating...
error: Interactive login is required. Use 'azure login' to interactively login.
info: Error information has been recorded to /home/aii/.azure/azure.err
error: login command failed
More info:
[aii@localhost azure]$ azure --version
0.10.0 (node: 4.3.1)
BTW, my account is BizSpark Plus, if it matters.
Add the following commands first:
azure account download
It will guide you to download a .publishsettings file from the browser, which you should then use for:
azure account import <downloaded file>
azure account set <"name of your subscription">
Azure login only works with a work or school id, which really means an AAD object (identity). If you have a Microsoft account, you can only "connect" with the azure account import command, which takes a .publishsettings file that you have to download (it's a cert file).
This is actually a feature of Azure, although I think we don't communicate well here. Turns out that everyone has a default Azure Active Directory domain that they get for free.
At a larger level, Azure has two management APIs:
1. Service management, which can be used with either work ids or Microsoft account ids, and
2. Resource management, which is the new stuff and can be used only with work or school ids, and that works only with the azure login functionality.