Windows container fails to reach Azure File Storage - azure

I have a c# web application running on IIS in a windows server core container.
In the dockerfile I create a new user 'myUser' without password.
I add the credentials to my Azure File store in the Dockerfile as well:
USER myUser
RUN powershell "cmdkey /add:mystore.file.core.windows.net /user:AZURE\mystore /pass:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="
I add a new application pool Identity using 'myUser', and use that application pool for my application.
When I start the container and connect using 'docker exec', I am logged on as the new user.
I can access the path with 'ls \\mystore.file.core.windows.net\dockerstore\'
The credentials are listed okay with 'cmdkey /list'.
However, my application, which runs under the same user, complains it cannot reach the store. System.IO.IOException reported on Directory.Exists().
I have done this exercise on my local box as well, and the application runs without issues.
I have tried using a user with password as well, to no avail.
The application uses the full UNC path to the store.
Tried the same thing on a windows service application. Same thing: Can list files in a powershell session, but my application cannot access it.
Am I missing something?
Edit: Here's what I did:
NET USER myAzureFilesUser myAzureFilesPasswordXXXXXXXXXXX== /add /y
NET LOCALGROUP Administrators /add myAzureFilesUser
Import-Module WebAdministration
$processModelProperties = @{userName='myAzureFilesUser ';password='myAzureFilesPasswordXXXXXXXXXXX==';identitytype=3}
Set-ItemProperty (Join-Path 'IIS:\AppPools\' 'My AppPool Name') -name processModel -value $processModelProperties

You need to create a local user account with the same username and password as the Azure File storage account and perform some additional tasks as described here: https://blogs.iis.net/davidso/azurefile
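One way to apply the answer above without writing the storage key into the Dockerfile, as an added example that is not part of the original posts: a startup script that creates the local account and sets the application pool identity from environment variables when the container starts. The variable names AZ_STORAGE_ACCOUNT, AZ_STORAGE_KEY, AZ_SHARE and APP_POOL are assumptions, and unlike the question's edit the script does not add the account to Administrators.

```powershell
# Added example, not from the original posts. Meant to run at container start
# (for instance from the ENTRYPOINT) so the account key is never part of a
# Dockerfile RUN line or an image layer.
# Assumed (hypothetical) environment variables:
#   AZ_STORAGE_ACCOUNT, AZ_STORAGE_KEY, AZ_SHARE, APP_POOL
$ErrorActionPreference = 'Stop'

foreach ($name in 'AZ_STORAGE_ACCOUNT', 'AZ_STORAGE_KEY', 'AZ_SHARE', 'APP_POOL') {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        throw "Required environment variable '$name' is not set."
    }
}

$account = $env:AZ_STORAGE_ACCOUNT
$key     = $env:AZ_STORAGE_KEY
$unc     = '\\{0}.file.core.windows.net\{1}' -f $account, $env:AZ_SHARE

# Local user names are limited to 20 characters, storage account names can be
# up to 24, so the same-name approach cannot work for the longest names.
if ($account.Length -gt 20) {
    throw "Storage account name '$account' is too long for a local user name."
}

# Local account with the same name and password as the storage account,
# as the answer describes. /y suppresses the long-password prompt.
& net.exe user $account $key /add /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE." }

# Run the application pool as that account (identityType 3 = SpecificUser).
Import-Module WebAdministration
$poolPath = Join-Path 'IIS:\AppPools' $env:APP_POOL
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$($env:APP_POOL)' does not exist."
}
Set-ItemProperty $poolPath -Name processModel -Value @{
    userName     = $account
    password     = $key
    identityType = 3
}

# Drop the key from this process so child processes do not inherit it.
Remove-Item Env:\AZ_STORAGE_KEY
$key = $null
Write-Host "App pool '$($env:APP_POOL)' runs as '$account'; share path is $unc"
```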

Related

Remote WMI query failing with 'A security package specific error occurred' when using Azure Active Directory user

I'm attempting to query a remote machine with the PowerShell cmdlet: Get-WmiObject and using credentials for a user in Azure AD that has the Azure AD joined device local administrator role and the IAM role assignment of Virtual Machine Administrator Login on the remote machine.
When I run the following command:
Get-WmiObject -Class Win32_Process -Namespace "root/cimv2" -ComputerName <remote_computer_local_ip> -Impersonation Impersonate -Credential AzureAD\<username>
I receive the following error message:
Get-WmiObject : A security package specific error occurred. (Exception from HRESULT: 0x80070721)
Is the ability to run remote WMI queries supported when using an Azure AD user?
Remote machine specs:
Windows Server 2019 Datacenter
10.0.17763 Build 17763
Other troubleshooting notes:
I'm able to sign in to the remote machine with the same user and have followed the steps in the https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows document
When running the same command on the remote machine locally it properly returns the Win32_Process data
If I use the local administrator credentials on the remote command it also works which suggests that remote WMI is working
Both computers are Azure AD joined and show AzureAdJoined : YES from the dsregcmd /status command
I've attempted to use the Computer Name, Local IP, and FQDN and they all yield the same result
After talking with Microsoft support about this issue, it seems that the error stems from the different authentication methods between a local user account and an Azure AD account.
It seems it is not supported as they are using different authentication protocols.
Azure AD user uses OAuth and the security error is due to Kerberos.
Here is the reference article for more details: Authentication protocols in Azure Active Directory B2C | Microsoft Docs
They have also mentioned that there is no current information on whether or not this will be supported in the future and have recommended checking Azure updates for future product updates.
It could happen for a number of reasons. Please check if any of these is the one in your case.
When you try to set up a WMI session when:
a. There are more than one computer accounts with the same name in play and one of those stale computer accounts resides in the same domain as your user account
b. Or when servers operating reside in the same AD DS forest but in different domains.
When the server is not able to find the user object due to password credentials that may be stored as cache from a previous login.
Incorrect time on machines/server that doesn't match.
If firewalls are enabled for the server, which may restrict the access.
Possible workarounds:
Try the azuread\user@mydomain.com, user@mydomain.com or domainname\username format to log in, or try taking out the domain and adding it back again.
The local PC and remote PC must be in the same Azure AD tenant.
Run AAD delta Sync to make sure everything is Synced and make sure of internet connectivity and network.
Try if you can turn off firewall.
References:
remote access - AAD- Server Fault
rdp -Azure AD Joined - Server Fault
0x80070721 | exchange12rocks.org
A security package specific error occurred | Microsoft Docs

Azure DevOps Manage IIS task deploy fails due to insufficient permissions yet account is in local admin group

After a successful build using a hosted VS2017 agent, I'm trying to deploy on-prem using a local hosted agent which was set up using a domain account which should have sufficient permissions as it is in the local admin group. As I was digging around on this issue elsewhere, one user re-installed their agent using NT AUTHORITY\SYSTEM and it worked.
I don't really need to create or stop\start the website, just deploy the recent build artifact.
What permissions should I check or should I use another task?
2019-04-06T21:03:10.3898646Z ERROR ( message:Configuration error
2019-04-06T21:03:10.3899503Z
2019-04-06T21:03:10.3899791Z Filename: redirection.config
2019-04-06T21:03:10.3900026Z
2019-04-06T21:03:10.3900293Z Line Number: 0
2019-04-06T21:03:10.3900530Z
2019-04-06T21:03:10.3900852Z Description: Cannot read configuration file due to insufficient permissions
2019-04-06T21:03:10.3901076Z
2019-04-06T21:03:10.3901333Z . )
2019-04-06T21:03:10.8135484Z ##[error]Process 'appcmd.exe' exited with code '5'.
An agent is running under a user. The error means that your user doesn't have permissions to read/modify the redirection.config file that is necessary to manage IIS.
You have multiple options to solve this.
Change the user the agent is running under, for example NT AUTHORITY\SYSTEM.
Give the user your agent is running under permissions on the folder C:\Windows\System32\inetsrv\config. If you want to create app pools or websites etc., modify permissions are of course needed.
When we install Azure agent as a service(In Windows, search for 'Services' and look for something like Azure Pipelines Agent..), by default it is logged on as 'Network Service'. Change it to 'Local System' and the pipeline should be able to run IIS related tasks/commands.

Unable to remove Azure Active-Directory due to existing Application

How to remove an orphaned Application in an Azure Directory?
I have a second (non-Default) directory that I was using to test the AD Connect app, and having finished with it, want to delete.
I have been able to remove the users both with the Management Portal and remove-msoluser, but am unable to delete the directory as it has one Application registered - "Office 365 Management APIs"
In the management console, this Application looks a little weird - there are no options to do anything on its dashboard and just checking, this Application is also installed in my Default Directory and looks the same - maybe it cannot be removed?
Have tried removing the App using the Remove-msolservice cmdlet, and tried the whole-hog approach as per Method 5 in https://support.microsoft.com/en-au/kb/2967860/en-us - seems to run through ok, but the Application is still listed, and when deleting the Directory I still get the error -
Directory has one or more applications that were added by a user or administrator
I had the same problem. When I performed the steps below, I could delete the Azure Active Directory tenant:
Log in to Azure and create a new user with Global Admin permissions in the AAD you're trying to delete.
Open the Azure Active Directory Module for Windows PowerShell and execute the following:
Connect-MsolService (Log in with the @onmicrosoft global admin account you created)
Get-MsolServicePrincipal | Remove-MsolServicePrincipal (This will generate errors but it's ok)
Log in to https://manage.windowsazure.com as the service admin
Delete the already created @onmicrosoft.com Global Admin user
Delete the AAD now
You can check the sites below as well:
http://blogs.msdn.com/b/dstfs/archive/2015/05/27/trouble-deleting-azure-active-directory-aad-due-to-quot-visual-studio-online-quot-item-in-aad-quot-applications-quot-list.aspx
or here:
https://www.opsgility.com/blog/deleting-azure-ad-applications
You must run the following cmdlets after running the remove cmdlets:
Get-MsolServicePrincipal | Set-MsolServicePrincipal -AccountEnabled $False
then delete the temporary global admin account (if any) and you should be able to delete the directory.
More information about this issue: https://support.microsoft.com/en-us/kb/3112170
This article helped me delete an Azure AD I created with the old Windows Azure Portal (manage.windowsazure.com):
https://blogs.msdn.microsoft.com/ericgolpe/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant/
In a nutshell:
Create a new user under the AD you intend to delete.
User must have Global Admin role.
You will get a temporary password for this user. Once you log in to the Azure Portal with this user, you will need to create a permanent password.
Using this credential, you will remove the Azure AD's applications using Azure AD PowerShell
Then, go back to Azure AD you intend to delete (using your credential, not the newly created user), delete the user you just created.
Only after doing all these will you be able to delete the Azure AD.

Failed to configure Release Management

I have a problem when I try to configure the agent on another server.
I have installed the Server RM on one machine and I use the user with the name: usr_deploy.
(This machine has a domain called: mydomain.local)
I have another server that I need to map to submit files for deployment. What did I do? I installed the Agent RM, using the same account and password, but when I try to configure it I get the error:
(This machine has a domain called: anotherdomain.local)
(Because I'm a new user I can't post an image. I found the same image at this URL: http://i.stack.imgur.com/vrkpQ.jpg)
All the users I used with the name usr_deploy are local accounts on each server.
Do I need to use the same account, and do all the accounts need to be domain accounts?
I am having great difficulty finding articles or steps on the web for the correct configuration.
My scenario is 1 server with the RM Server and 3 servers to deploy to.
Can anyone help me?
Thanks!
If you don't have a trust relationship between your domains, you'll have to use shadow accounts.
MSDN:
Follow these steps to configure the Release Management Server and the
Deployment Agent on machines that run in different domains that do not
have a two-way trust relationship.
On each computer where you will install the RM Server or Deployment Agent, create a local user account that is a member of the
Administrators group. Use the same account and password on each
machine (i.e. Shadow Account).
Add the RM Server’s Shadow Account to RM and grant both “Service User” and “Release Manager” permissions.
Add the Deployment Agent’s Shadow Account to RM and grant “Service User” permission.
Use the Shadow Account as the service account when you install and configure the Deployment Agent.
Note: When you add the local accounts to Release Management, include
the name of the local machine where the account resides. For example,
add the user account as \ or
When you are configuring the shadow account as the service account in deployment agent, make sure that you logged in using the same shadow account.
write it down as
Correct way:- http://(server):(port)
Incorrect way:- http://(server):(port)/ReleaseManagement
Do not write "/ReleaseManagement/" or any other URL segments after . This will solve your problem.
for e.g. :
http://sunnyserver:1000

Azure Files preview - access shared folder in IIS and FileZilla

I'm interested in load balancing 2+ Windows VMs in Azure. My primary requirement, though, is that an 'uploads' folder would need to be consistent between each VM. Files in this folder are FTPed by our admin users, and they would then need to select these files in a C# MVC Web app. As you may connect through FTP to one VM, but a Web connection might be to another, the uploads have to be centralised.
It looked as if the new Azure Files, currently in Preview, would help, in that they let me set up a shared drive that each of the VMs could access. My thought was that FileZilla Server would allow FTPing up to this shared 'drive', and the Web app would access it to show the contents.
I've signed up to the Azure Files Preview, and set up the share, persistently mapping it to Drive Z for the sake of experimentation. I've also created a new user and made sure they too have persistent mapping to this same drive as Z.
But I can't seem to do anything with this outside of the Remote Desktop. FileZilla, despite having its Service set to log on using this new account, won't show the contents of this drive, or write anything to it. Likewise my Web App isn't able to access the file contents, despite switching Passthrough Authentication to this new account for the virtual folder.
Does anyone know any way of accessing this drive either through the network path or drive letter? Is this just not possible with Azure Files as they are? Are there any other solutions to sharing some blobs across VMs, but treating it as a local drive or network share?
[UPDATE]
This might help. Having set up the share, and used cmdkey and net use while in a cmd prompt runas a specially created user (as suggested in http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/27/persisting-connections-to-microsoft-azure-files.aspx), if I point a virtual folder in IIS to this share, using the specific account created, and Test Connection, I get:
Test: Authentication (green tick; "The specified user credentials are valid")
Test: Authorization (red cross; "The path does not exist or environment variables in the path could not be expanded to verify whether it exists.")
While still in a runas cmd prompt, I can access the share, so it's not a specific permissions issue. It just seems to be that IIS cannot use that user to access the share, for some reason. The limitation of Azure Files is that I cannot specifically grant any kinds of permissions on the folder within that share.
What worked for me is the following:
1. Create a new account
2. Set the IIS App Pool Identity to this specific user
3. Set the IIS App Pool Load User Profile property to true
4. Start a cmd prompt as this user (runas)
5. Do cmdkey and net use (with the /persistent:true switch), as you described
6. Create an IIS Virtual Directory with the physical path set to the UNC share path (not the mapped drive)
A little PowerShell snippet for point 5:
$share = "your-storage-account.file.core.windows.net\yoursharename"
$usr = "your-storage-account"
$key = "your-storage-key"
#store credentials for the network share - must be done for the user that will run the app pool
cmdkey /add:subclub.file.core.windows.net\images /user:$usr /pass:$key
net use z: "\\$share" /user:$usr $key /persistent:yes
The answers here proved helpful.
Setup
1. Create a new user {appuser}
2. Open a command window as the user
runas /user:{appuser} cmd.exe
3. In the new {appuser} cmd window use
cmdkey /add:{storage-account}.file.core.windows.net /user:{storage-account} /pass:{account-key}
4. Set the IIS Application pool to use {appuser}
4b. Set LoadUserProfile to true
Notice no need for the net use. Don't need the mapped drive.
Code
Now here's the key piece. From your app you must write to the UNC path.
\\{storage-account}.file.core.windows.net\
ex.
File.WriteAllText("\\\\{storage-account}.file.core.windows.net\\share\\test.txt", "contents goes here");

Resources