Accessing an Azure Key Vault secret works on server box but not local? - visual-studio-2012

We have a Key Vault in a resource group in an Azure instance.
We have a user in the US (ME) and a user in a different country (FU).
Both of us have many things in common, namely:
Using same version of VS 2017.
Running the exact same code.
Our VS user account is the same (a user in our Azure AD instance).
We are using a Managed Identity
If I run the code in the US (logged in to VS as the FU), I am able to read the secret and display it on the screen.
If the FU (logged in to VS as the FU but in another country) runs the code, it throws the following exception:
Operation returned an invalid status code 'Unauthorized'
The line of code that throws the error is:
var secret = await keyVaultClient.GetSecretAsync("https://XXXXXXX.vault.azure.net/secrets/username")
.ConfigureAwait(false);
We have both installed Azure CLI 2.0.
However, I found these stipulations at this site.
Your on-premise active directory is synced with Azure AD.
You are running this code on a domain joined machine.
Neither of these are true in our case.
Possibly a good test of these would be for our vendor to allow me to remote into his machine, put my identity on VS and then run the code.
If we still get the error, then it is very likely this is our problem.
The above link said we could "Run the application using a service principal in local development environment"
Would that fix the problem???
I am fairly new to Azure and C#. Any help would be greatly appreciated!

Related

Azure Storage Explorer : Unable to retrieve child resources

Getting error ONLY while accessing Blob storage.
No issues in Queues, File Share or table.
Any idea ?
Unable to retrieve child resources.
Details:
["FetchError:request to https://fssaicessunsetsbxv1sa.blob.core.windows.net/?include=metadata&comp=list failed, reason: unable to get local issuer certificate"]
Error : Self-Signed Certificate in Certificate Chain ,Unable to retrieve child resources.
Issue for me: I am attached to the office proxy server, but Azure Storage Explorer is not using that proxy.
Solution:
Azure Storage Explorer -> Edit -> Configure Proxy,
Source = No proxy "Changed to" Use System proxy(preview)
After making these changes, I am able to access the resources.
Moreover, verify the permissions you have on the connection string.
To generate your connection string either through the Azure Portal or some apps. When you generate the connection string, you need to give "Allowed permissions". Besides Read/Write you also need the List permission so Storage Explorer can list the blobs. Here is a screenshot in Azure portal to check/uncheck the permissions:
Have you set any RBAC policies?
If you are connected to Azure through a proxy, verify that your proxy settings are correct. If you were granted access to a resource from the owner of the subscription or account, verify that you have read or list permissions for that resource.
If possible, can you try to uninstall and reinstall the latest version and check the status of the issue?
Azure Storage Explorer Troubleshooting: "unable to retrieve child resources" or "The request action could not be completed".
If the issue still persists after trying the above-mentioned steps, I would like to work closer on this issue. Let me know the status.
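The permission check suggested in the answer above, as an added example that is not code from the original posts: it parses a SAS connection string and reports why that SAS could not enumerate containers or blobs, using the SAS fields `ss`, `srt`, `sr`, `sp` and `se`. The account name, signatures and dates are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

def parse_sas(connection_string):
    """Return the SAS fields from a connection string or a bare SAS token."""
    token = connection_string
    for part in connection_string.split(";"):
        if part.startswith("SharedAccessSignature="):
            token = part.split("=", 1)[1]
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}

def browse_problems(connection_string, now=None):
    """List the reasons this SAS cannot enumerate containers and blobs."""
    f = parse_sas(connection_string)
    if "sig" not in f:
        return ["no SAS token found"]
    problems = []
    if "l" not in f.get("sp", ""):
        problems.append("sp lacks 'l' (List)")
    if "ss" in f or "srt" in f:  # account SAS
        if "b" not in f.get("ss", ""):
            problems.append("ss lacks 'b' (Blob service)")
        if "s" not in f.get("srt", ""):
            problems.append("srt lacks 's' (needed to list containers)")
        if "c" not in f.get("srt", ""):
            problems.append("srt lacks 'c' (needed to list blobs)")
    elif f.get("sr") != "c":  # service SAS
        problems.append("service SAS is not container-scoped (sr=c)")
    expiry = datetime.fromisoformat(f.get("se", "1970-01-01").replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only expiry: treat as midnight UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= (now or datetime.now(timezone.utc)):
        problems.append("se is in the past (token expired)")
    return problems

# Constructed sample values: account name, dates and signatures are placeholders.
BASE = "BlobEndpoint=https://example.blob.core.windows.net/;SharedAccessSignature="
GOOD = BASE + "sv=2018-03-28&ss=b&srt=sco&sp=rwl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"
NO_LIST = BASE + "sv=2018-03-28&ss=b&srt=sco&sp=rw&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"
OBJECT_ONLY = BASE + "sv=2018-03-28&ss=bq&srt=o&sp=rl&se=2020-01-01&sig=CONSTRUCTED"
CHECK_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cs in [("GOOD", GOOD), ("NO_LIST", NO_LIST), ("OBJECT_ONLY", OBJECT_ONLY)]:
        print(name, browse_problems(cs, CHECK_TIME) or "ok")
```

The failing request quoted in the question (`/?include=metadata&comp=list`) is the container listing, which is the case the `srt` check for `s` covers.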
Warning: For the noobs !
If you get lucky, you can also fix it by closing and re-opening Visual Studio.
Reason: Authorization is tightly coupled with Azure
Motivation: To err is Human ! Even Soft. DEV working at Microsoft are Human.

Deploying an Azure Web App through Jenkins

I am trying to deploy an Azure Web App through a Jenkins scripted pipeline using the Azure App Service Plugin. This is my deploy-command (GUIDs have been changed):
azureWebAppPublish azureCredentialsId: 'a0774bb6-e471-47s9-92dc-5aa7b4t683e8', resourceGroup: 'my-demo-app', appName: 'MY-DEMO-APP', filePath: 'public/*, package.json'
When running the script I get the following error:
The client '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' with object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/81fd39sw-3d28-454c-bc78-abag45r5d4d4/resourceGroups/my-demo-app/providers/Microsoft.Web/sites/MY-DEMO-APP' or the scope is invalid. If access was recently granted, please refresh your credentials.
The strange thing is, the ID of this "client" that's missing authorization does not appear anywhere in the build plan. It's neither the ID nor a part of the service principal, nor the ID of the Container Registry credentials. It also doesn't appear on the machine that executes the build (I checked both the GUID of the motherboard and the Windows installation). Also the term client is not used for any part of the build plan, so I don't really know what the actual issue is in this case.
Please check out this tutorial, which explains how to set up continuous integration and deployment to Azure App Service with Jenkins and is one of the best methods to deploy to Azure Web App (Windows) from Jenkins: https://learn.microsoft.com/en-us/azure/jenkins/java-deploy-webapp-tutorial
To find the Azure AD user with the object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14', go to Azure portal, open Cloud Shell and run
Get-AzureADUser -ObjectId '03a1b3f9-a6fb-48bd-b016-4e37ec712f14'
To diagnose or troubleshoot the issue, go to Azure Portal -> Resource Groups -> my-demo-app -> MY-DEMO-APP -> Access control (IAM) -> Role assignments -> and then search for the AD user found above and check if that user has at least read permission.
Hope this helps!
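An added example, not part of the original answer: it parses the authorization failure quoted in the question and checks which role assignments would satisfy it, showing that the object id in the message is the principal that needs the role and that an assignment at the resource, its resource group or the subscription is inherited. The role assignments are constructed; NotActions, deny assignments and management groups are ignored.

```python
import re
from fnmatch import fnmatchcase

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_denial(message):
    """Extract principal, action and scope from the authorization failure text."""
    match = ERROR_RE.search(message)
    if match is None:
        raise ValueError("not an authorization failure message")
    return match.groupdict()

def ancestor_scopes(scope):
    """Scopes whose role assignments are inherited by `scope`, narrowest first."""
    parts = scope.strip("/").split("/")
    chain = [scope.rstrip("/")]
    if "providers" in parts:  # resource -> its resource group (or subscription)
        chain.append("/" + "/".join(parts[:parts.index("providers")]))
    chain.append("/" + "/".join(parts[:2]))  # subscription
    return list(dict.fromkeys(chain))  # drop duplicates, keep order

def covering_assignments(denial, assignments):
    """Assignments that grant the denied action to the principal in the message.
    Simplification: NotActions, deny assignments and management groups are ignored."""
    scopes = {s.lower() for s in ancestor_scopes(denial["scope"])}
    action = denial["action"].lower()
    return [a for a in assignments
            if a["principal_id"].lower() == denial["object_id"].lower()
            and a["scope"].rstrip("/").lower() in scopes
            and any(fnmatchcase(action, p.lower()) for p in a["actions"])]

# Message text as quoted in the question (the poster altered the GUIDs).
MESSAGE = ("The client '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' with object id "
           "'03a1b3f9-a6fb-48bd-b016-4e37ec712f14' does not have authorization to perform "
           "action 'Microsoft.Web/sites/read' over scope '/subscriptions/81fd39sw-3d28-454c-"
           "bc78-abag45r5d4d4/resourceGroups/my-demo-app/providers/Microsoft.Web/sites/MY-DEMO-APP'")
SUB = "/subscriptions/81fd39sw-3d28-454c-bc78-abag45r5d4d4"
WHO = "03a1b3f9-a6fb-48bd-b016-4e37ec712f14"
# Constructed role assignments for illustration; "other-principal" is a placeholder id.
ASSIGNMENTS = [
    {"principal_id": "other-principal", "scope": SUB + "/resourceGroups/my-demo-app",
     "actions": ["Microsoft.Web/sites/*"]},
    {"principal_id": WHO, "scope": SUB + "/resourceGroups/other-rg", "actions": ["*"]},
    {"principal_id": WHO, "scope": SUB + "/resourceGroups/my-demo-app", "actions": ["*/read"]},
]
```

Only the third constructed assignment covers the denial: the first belongs to a different principal and the second sits on an unrelated resource group.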

Can't log in service principal from VSTS, but works in TFS and Azure Portal states success

I'm sitting in a project where I will move from TFS to VSTS, so we do have a working release definition.
But when I try deploying a Service Fabric cluster I get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the Azure portal -> AAD -> Sign In -> look up my specific sign-in (based on correlation ID) and there it states that Sign-in status is Success.
Considering this works for our TFS instance, I assume the service principal is correctly set up. But since the build/deploy agents are now on a VM in Azure instead of on-prem for TFS, is there anything I need to change?
Traffic should be OK, I can navigate to the HTTPS address of the cluster from the VM with agents.
I've tried googling it, but to no success, so hopefully someone can point me in the right direction where to look.
And in the portal, 'MFA is required' is no, so multi-factor should not be necessary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still does not work, just try to create a new endpoint, then try it again.

Error while creating bot

I am getting an error while creating a bot. I am trying to deploy a Web app bot. After specifying the name of the resource group and its location I click on create, after which the bot deployment process starts. But it ends up with an error:
MsaAppId: MsaAppId is already in use..
What can I do to successfully deploy a basic bot? This is the second time in a week I am facing something like this on Azure.
Edit
Initially I was using Autocreate MsaAppId & Password option. That didn't work out (although that used to work)
Then I tried a couple of times with Create MsaAppId & Password option. Which takes to a different page to generate AppId & password, and I pasted the new keys in the provided fields.
Still the same result. MSA App Id already in use
Edit 2
As one of the answers mentioned, I tried creating a separate Bot Registration which I will link up with the Web app later.
But that fails with a weird message saying, App Insights is already deployed, and cannot deploy with same name, when in fact, I have not asked for any new App Insights instance to be deployed. Attaching a screenshot
it ends up with an error:
MsaAppId: MsaAppId is already in use..
I have same problem, when I create the web app bot (select Auto create App ID and password option), it failed at creating botServices resource.
Deployment:
Failed operation details:
I also tried to manually create app on https://apps.dev.microsoft.com and provide App ID and password for creating botService, but the deployment still failed.
As a workaround, I manually created a Bot Channels Registration and specified the corresponding web application URL as the message endpoint, and then modified the Application settings of that corresponding Azure web site with the new App ID and password, which works for me.
Note:
I suspect something is wrong with Azure while performing the deployment and creating botServices; if possible, you can report it on the Azure portal or create an issue on GitHub.
Updated:
I clicked Automation options and downloaded the template after I entered the required information/fields for creating a new web app bot, and then I performed the deployment using PowerShell with the downloaded template and parameter file, which worked for me; you can try it.

Web Deploy Impersonation (Management Service Delegation) does not work

I’m trying to use web deploy to deploy my dacpac package, which comes to executing some sql scripts.
I have local windows account called .\DeploymentService, which is in local Administrators group, which I want to own the database and execute scripts.
For that, I configure delegation accordingly: in Management Service Delegation I set "Specific User" for the dbDacFx rule = .\DeploymentService, providing the password.
I create the corresponding serveradmin login in SQL Server. My WMSvc executes under the LOCAL SERVICE account.
I use the following command line parameters for deployment:
msdeploy.exe
-verb:sync
-source:dbDacFx="C:\Main\Src\Community.DB\bin\Debug\Community.DB.dacpac"
-dest:dbDacFx="Data Source=.;Database=CommunityInt; Integrated Security=true",computername="https://Community02:8172/msdeploy.axd?site=Default Web Site",username=.\DeploymentService,password=*************,authType=basic
-allowuntrusted
I execute it on my PC, where destination is different PC.
However, this fails with error “Invalid Handle” or “Class name not found”, depending on whether I have a “Local service” login with the public role created in my SQL Server.
Expected behavior:
When I set user name in Management Service Delegation to specific account, I expect MSDeploy to be executed under the account I specified.
Actual behavior:
I traced using SQL profiler in target environment and I found out that WMSvc executes msdeploy under its process account (LOCAL SERVICE) instead of .\DeploymentService, and that’s why script execution fails. If in SQL server I have LOCAL SERVICE account mapped to serveradmin role, then it works fine. If I execute WMSvc under .\DeploymentService account, it also works fine.
So basically there is NO WAY TO USE "User Name" in Management Service Delegation - It just does not matter what you set up there - it gives no effect.
Does anyone know how to make that work?
Keywords: WebDeploy, WMSvc, dbDacFx, Impersonation, Delegation
Hey guys, I'm sorry to hear that you are running into this issue. I wanted to let you know that we have a bug in the dbDacFx provider/MSDeploy which is preventing SQL Auth from working when used with the dbDacFx provider in WMSvc scenarios.
We have not yet received enough feedback regarding this to warrant servicing MSDeploy in order to unblock this. If you are impacted by this the best thing to do is to create an entry at http://aspnet.uservoice.com and vote it up. If we get enough votes then we can consider shipping an update to unblock this. Sorry for the bad news.
