Unable to add ssh key in azure vm - azure

I am the admin of this particular Azure subscription. I had to add my SSH key to an Ubuntu server. But when I try to add the SSH key through "Reset Password", after some time I get the following error message:
VM agent on VM 'Server' has not reported latest status for extension 'enablevmaccess'. Please verify the VM has a running VM agent and can establish outbound connections to Azure storage.
What might be the issue? How to resolve this?
Failed to reset ssh key
vmaccess is enabled

Two simple things you might try:
Uninstall the VMAccess extension and try reset again.
Use the 'Run Command' to set/reset password.
Hope this helps.

Your first error tells you exactly why this happens. The VM extension needs to talk to Azure storage to report extension status. If it can't, portal operations might fail (this doesn't mean the extension failed; it's just unable to report the actual extension status).

Related

Onboarding Azure Arc VM fails: can't install Azure Connected Machine Agent

I'd like to add an offsite Windows VM to Azure Arc for health monitoring. The VM is hosted by Vultr and runs Windows Server 2016 Standard Build 14393.
However, installing AzureConnectedMachineAgent.msi on the target VM fails with error code 1603. Installation log also contains this error:
Start-Service : Service 'Guest Configuration Extension service
WixQuietExec64: (ExtensionService)' cannot be started due to the following error: Cannot start
WixQuietExec64: service ExtensionService on computer '.'.
WixQuietExec64: At C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\Modules\Exte
WixQuietExec64: nsionService\ServiceHelper.psm1:367 char:5
Any suggestions on how to fix this?
You may check whether the user with which you are logged in to the VM has sufficient permissions to start a system service.
If you find the following in %ProgramData%\AzureConnectedMachineAgent\Log\himds.log or in the installation logs:
time="2021-02-11T08:39:38-08:00" level=error msg="Cannot open event source: Azure Hybrid Instance Metadata Service."
You can verify the permissions by collecting the following registry
key from an impacted server.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomS
Mitigation can be to grant the permission to write to the
SECURITY_SERVICE_RID S-1-5-6 which would grant the required
permissions to the himds service account.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids.
If the registry key does NOT exist on the impacted VM, then this
resolution will NOT apply as there will be a separate root cause such
as AV interference.
If the root cause is not found here, then a procmon trace needs to be taken to analyze the root cause for the MSI not being able to start a service.
(In case a procmon trace has to be analyzed, please open an MS Support ticket.)
To get support for Windows Agent and extensions in Azure, the Windows
Agent on the Windows VM must be later than or equal to version
2.7.41491.911. However the cause for the failure of agent installation is different in this case.
You may also want to check the %programdata%\ext_mgr_logs\gc_ext_telemetry.txt log, which must have had an entry something like this:
<GCLOG>........ Not starting Extension Service since machine is an Azure VM</GCLOG>
Cause:
This can happen while attempting to install the agent on an Azure VM. This is an unsupported production scenario. One should not be installing this agent on an Azure VM, as it conflicts with the Azure Guest Agent and interferes with Azure VM management.
If one wishes to use an Azure VM simply for testing purposes then
they can follow the below document for guidance
https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine
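The registry permission check described in the answer above, as an added example that is not part of the original answer: it parses a security descriptor in SDDL form, as collected from the event log registry key, and reports whether the service SID S-1-5-6 (SDDL alias SU) holds the event log write right (0x2). The sample descriptors and all function names are constructed for illustration.

```python
import re

SERVICE_TRUSTEES = {"S-1-5-6", "SU"}  # SECURITY_SERVICE_RID and its SDDL alias
ELF_LOGFILE_WRITE = 0x2               # event log "write" access right


def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL (D:) part."""
    match = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    if match is None:
        return
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        yield fields[0], fields[2], fields[5]


def service_write_verdict(sddl):
    """Walk the ACEs in order; the first one that names the service SID and
    covers the write bit decides. Simplification: ACEs for other SIDs that
    the service token may also carry are ignored."""
    for ace_type, rights, trustee in dacl_aces(sddl):
        if trustee not in SERVICE_TRUSTEES:
            continue
        mask = int(rights, 0)  # numeric masks only; symbolic rights raise ValueError
        if mask & ELF_LOGFILE_WRITE:
            if ace_type == "A":
                return "write allowed"
            if ace_type == "D":
                return "write denied"
    return "write not granted"


# Constructed sample descriptors (not taken from a real server).
SAMPLES = {
    "healthy": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)",
    "read_only": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;SU)",
    "explicit_deny": "O:BAG:SYD:(D;;0x2;;;S-1-5-6)(A;;0x3;;;SU)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name}: {service_write_verdict(sddl)}")
```

A result other than "write allowed" matches the condition the answer's mitigation addresses; a missing key points to a different root cause, as the answer notes.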

Azure - Failed to start virtual machine after resize

Today I accessed my VM on Azure and it was very slow, so I decided to upgrade it. I went to Size, selected a level up in RAM memory and CPU and then I clicked on the button "Resize". After waiting a few minutes, I got a fail message saying: Failed to resize the virtual machine 'xxx' to size 'xxx'. Error: Unknown error encountered when retrieving secret from the Key Vault with URL: xxx.
Since then I can't start my virtual machine, how can I solve this problem?
Thanks.
[EDIT] Apparently, I just need to update the secretURL for a key vault that I've created, I just don't know how.
I would assume VM is having issues accessing the Key Vault. Can you try the following if possible?
Deallocate the VM to a full stop.
Then start it back up.
Check that the Key Vault and secret are still the same and have not been deleted or changed.
Check the access to the Key vault. The following documents may help with this.
Creating and configuring a key vault for Azure Disk Encryption
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview#networking-requirements
In the meantime, please help me perform a quick check and log into the ‘serial console’ of this VM and confirm if you’re able to get into the ‘commandprompt’ from the ‘SAC’ mode: https://learn.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-windows
Option 2 Step 1: On the portal select Key Vault → “Access Policy” and ensure that “Azure Disk Encryption for volume encryption” is enabled. If not, enable it, save changes and try to start the VM again.
Step 2: If “Azure Disk Encryption for volume encryption” is already checked, make sure that the “secret” is present under the Key Vault and that it has a “version” in the enabled state. If there is any expiration date set for the version, make sure that we are within the expiration period.
Repair a Windows VM by using the Azure Virtual Machine repair commands: https://learn.microsoft.com/en-us/azure/virtual-machines/troubleshooting/repair-windows-vm-using-azure-virtual-machine-repair-commands
Can you try redeploying the VM that this is happening on? This will place the VM on new hardware and rule out a platform issue if it stops happening after the redeploy.
Try to remove the extension and add it back to the VM. Extension must have failed sometime. https://learn.microsoft.com/en-us/cli/azure/vm/extension?view=azure-cli-latest
Resize virtual machines
There is a similar thread discussion on SO; you may also refer to the suggestions mentioned over there, which give some idea about your query.
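The Key Vault checks from Step 1 and Step 2 above, as an added example that is not part of the original answer: it evaluates JSON in the shape returned by `az keyvault show` and `az keyvault secret list-versions` against the secret URL the VM references. It assumes the VM's encryption settings point at one specific secret version; the vault name, secret name, version ids and timestamps are constructed.

```python
from datetime import datetime, timezone


def parse_ts(value):
    """ISO 8601 timestamp from CLI JSON -> aware datetime (None stays None)."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def secret_url_problems(vault, versions, secret_url, now):
    """Return the reasons the VM could fail to read secret_url (empty = none found)."""
    problems = []
    # Step 1: the vault must be enabled for Azure Disk Encryption.
    if not vault.get("properties", {}).get("enabledForDiskEncryption"):
        problems.append("vault not enabled for disk encryption")
    # Step 2: the exact version the VM points at must exist, be enabled, and be unexpired.
    pinned = next(
        (v for v in versions if v.get("id", "").lower() == secret_url.lower()), None
    )
    if pinned is None:
        problems.append("secret version not found in vault")
        return problems
    attrs = pinned.get("attributes", {})
    if not attrs.get("enabled"):
        problems.append("secret version is disabled")
    expires = parse_ts(attrs.get("expires"))
    if expires is not None and now >= expires:
        problems.append("secret version expired")
    return problems


# Constructed sample data in the shape of the CLI's JSON output.
BASE = "https://example-kv.vault.azure.net/secrets/example-secret/"
VAULT = {"name": "example-kv", "properties": {"enabledForDiskEncryption": False}}
VERSIONS = [
    {"id": BASE + "aaaa", "attributes": {"enabled": True, "expires": "2021-01-01T00:00:00+00:00"}},
    {"id": BASE + "bbbb", "attributes": {"enabled": True, "expires": None}},
    {"id": BASE + "cccc", "attributes": {"enabled": False, "expires": None}},
]
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for version in VERSIONS:
        print(version["id"], secret_url_problems(VAULT, VERSIONS, version["id"], NOW))
```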

When using an Azure VM, why am I getting "Cannot Find Certificate with thumbprint" when trying to reset admin password with VMAccessAgent?

I am trying to change the admin password for an Azure VM. I am not able to log on to the VM remotely.
What I've tried:
The password reset tool located in the Azure Portal for the VM
Set-AzVMAccessExtension via Powershell in the Azure Cloud Shell
Both return the following:
Failed to reset password
VM has reported a failure when processing extension 'VMAccessAgent'. Error message: "Parsing Extension protected settings failed. Exception : Cannot find certificate with thumbprint '[Thumbprint Snipped]' to decrypt protected settings."
Has anyone encountered this situation in an Azure VM? If so, what can be done to remedy this error and reset the admin password OR add an admin user to the account?
To answer this, in case anyone stumbles upon it looking for an answer, I had to do the offline password reset method outlined in Azure documentation:
Reset local Windows password for Azure VM offline
It wasn't that painful if you go slow and methodically, but as there was something misconfigured on the VM instance that was seemingly beyond my control, this was the only recourse. And while yes, this is probably better suited to ServerFault, I will leave it here to help anyone that runs into a similar situation.

Azure pipeline 'WinRMCustomScriptExtension' underlying connection was closed in non-public VM

In Azure pipeline when creating a VM through deployment template, we have the option to 'Configure with WinRM agent' as given below.
This acts as a custom extension behind the scenes. But the downloading of this custom extension can be blocked by an internal vnet in Azure. This is the error we are getting.
<datetime> Adding extension 'WinRMCustomScriptExtension' on virtual machine <vmname>
<datetime> Failed to add the extension to the vm: <vmname>. Error: "VM has reported a failure when processing extension 'WinRMCustomScriptExtension'. Error message: \"Failed to download all specified files. Exiting. Error Message: The underlying connection was closed: An unexpected error occurred on a send.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
Since the files cannot be downloaded, I am thinking of a couple of solutions:
How can I know which powershell files azure is using to setup winrm?
Location to store files would be storage account (same vnet as VM)
Perhaps not use WinRM at all and use custom script extension to resolve everything (with all files from storage account). I hope error from extension stops the pipeline if it happens.
Is there a better solution to resolve this? To me it looks like a bad design by azure as it is not covering non-public VMs.
EDIT:
Found answer to #1) https://aka.ms/vstsconfigurewinrm. This was shown in Raw logs of the pipeline when diagnostics were enabled
Even if you know - how does it help you? It won't be able to download them anyway and you can't really tell it to use local files.
If you enable service endpoints and allow your subnet to talk to the storage account - it should work.
There is a way to configure WinRM when you create the VM. Keyvault example
You could use script extension like you wanted to as well, but script extension has to download stuff to the VM as well. Example

azure linux vm recovery - unable to remote login

Forgot the user name and password for a Linux (Ubuntu) VM. Tried to "Reset Remote Access" from the portal, but it is not helping - after more than 30 minutes it is still shown as in progress. Tried to do it via the Azure command line. Created a new user with a password, but unable to log in. SSH says access denied. Should I do any additional steps?
After creating new user you should also reset your SSH connection. You could refer to Reset Access and Manage Users and Check Disks with the Azure VMAccess Extension for Linux for detailed steps.
