Ports required to open for Azure Active Directory - azure

In my company, a few ports are blocked and I am unable to identify a list of ports to tell my IT team to whitelist.
I am using Visual Studio 2015.
The reason why I am being so specific on ports is that, these steps I have followed at my home machine & I found no issues. The problem is only in my company due to Proxy/Port/Firewall.
Steps followed:
I have created a sample MVC Web application & kept authentication as default (Individual User Accounts).
After creating this application, I right-clicked on the project & clicked on Configure Azure AD Authentication & followed the steps properly.
I created a few users in Azure Portal and ran the application which is working fine.
Then I deployed the application on my local IIS by changing connectionstring (which got created in Step 2) from localDB to SQLExpress
The application isn't working after deploying on local IIS in my company but working on my home machine.
I am unable to identify the ports/proxy settings which I need to tell my company to whitelist.
Please help me. Thanks!

Have a look at the Hybrid Identity Required Ports and Protocols documentation, find your scenario and see the ports needed for that.
The following document is a technical reference on the required ports and protocols for implementing a hybrid identity solution. Use the following illustration and refer to the corresponding table.

Related

Connecting to an Azure App Service via IIS Manager (inetmgr)

Is it possible to remote-connect to an Azure App Service running on Windows with my IIS Manager?
This seems to have been possible according to this blog post by clicking in IIS Manager File -> Connect to a site.
I refer to the steps mentioned in the link shared by you and in the last step I got an error below.
I did some research on it and it looks like managing the App Service from IIS is not supported anymore. I have not got any official link but the below links might give you some information on it.
Microsoft.Web.Configuration.AppHostFileProvider not found after configured Remote IIS Administration for Microsoft Azure Web App
Can no longer manage any Web Apps with IIS Remote Manager - Could not load file or assembly - AppHostFileProvider
I'm not sure for what purpose why you want to. My thoughts is you shouldn't be doing that as it defeat the purpose of PaaS services. Cannot access the iis layer in app service however you can still configure in web.config of your web app.

TFS Dual-Tier on Azure with Azure Active Directory

So, I'm trying to setup TFS 2017 on Azure with separate App tier VM and DB tier VM. I'm trying to connect them but apparently you can only do multi-tier when in an AD. Am I able to use solely Azure Active Directory for this? If so, how do I set it up? I've not see any instructions on how to properly do this.
Thanks!
Your issue is similar to this case on ServerFault. Usually, you need follow the steps below:
create virtual network
put your vms into that virtual network so they will be in the same network and domain works
join the domain
install TFS AT server and DT server.
Note: If you get error An Active Directory Domain Controller (AD DC) for the domain “x.x.com” could not be contacted when join a Windows 2012 R2 server to a domain in Windows Azure, check the solution here: http://www.itexperience.net/2014/06/06/an-active-directory-domain-controller-ad-dc-for-the-domain-x-x-com-could-not-be-contacted-windows-azure/
Useful guide can be downloaded from: http://vsarplanningguide.codeplex.com/downloads/get/842516

Enable Impersonation for SSRS reports on Azure

In our current Production Setup, we have setup SSRS and have been able to successfully use the SSRS reports in our .NET Web Application since years. We have used Impersonation in Web.Config (there might be other solutions available, we had to go with this) as shown below.
<identity impersonate="true" userName="domainname/username" password="password"></identity>
This solution worked well becuase our Active Di
rectory and SSRS server are located in the same Network / domain.
Now, as part of our Azure migration, we have migrated our SSRS server to an Azure VM. and we are able to view the reports using Report Server Manager within the VM. Now, when we access the Web Application (App Service - Web App), we are getting the following error. Below is the updated impersonation attribute that we have used.
<identity impersonate="true" userName="username#ouremailaddressdomainname.onmicrosoft.com" password="password"></identity>
"Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'The user name or password is incorrect"
Obviously, this is because of the fact that we don't have a Active Directory domain setup in Azure. Below are my questions.
Can we utilize the users available in the default Directory that gets created on Azure?
If yes, how do I specify the impersonization?
Thanks,
Prawin
With your planned setup you cannot use identity impersonation. This is because the AppService Web Apps do run in an isolated sand-boxed environment which cannot be part of a Windows Domain.
You have couple of options:
Change the reporting server to use mixed mode Authentication and create local for the SQL Server login and user with appropriate permissions. Then configure your reporting application to provide these SQL Server credentials
Move your Web Application to same VM (will not require Domain environment) as your Reporting Server (or just the part which deals with the reports)
Move your application to a separate VM and utilize the Azure Active Directory Domain Services to make the VMs part of same domain (an overkill IMO)
I would vote for the first option, as it requires least changes and leverages PaaS services (App Service). Everything else is overkill or just an abuse of the cloud platform.

Remote machine accessing a deployed SSRS report

I have created an SSRS report using the Business Intelligence reporting service of VS 2012 and I have also successfully deployed it on the web service url i.e. http://computer name/ReportServer, the deployment was successful. The main purpose of deployment is to enable the client to access these reports from their machine, and I really do not have much idea on how to proceed with that, what and how do I give permissions to the client and how does the client access the above url in order to view the reports? Please elaborate I was not able to find much online help on this and its my first venture in this domain. Thank you very much in advance!
Open Reporting Services Configuration manager from windows Start
Connect to your Report Server
basically Two ULR tabs are available there
Web Service URL
Report Manger URL
you want to go to Web service URL
assign Some virtual Directory then use that URL for client PCs.
if not work use IP address in place on Computer Name
for credentials use Service Account Tab in this Manager
check Use another account
and what ever domain username is given here will be used for client to log in .
i Had same issue, i jst replaced computer name with deployed server IP address,
http://10.60.0.0/ReportServer

401.1 Error when accessing virtual directory pointing to network share

IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct-- they work when connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
Permission issues can be tricky. Try running filemon on the 'other computer' It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources me but didn't find my exact answer anywhere. Hopefully next person stuck with this problem will get a speed boost on the path to resolving with my description of what worked for me.
try enabling windows authentication on the virtual directory security tab (in IIS).

Resources