Msdeploy failed: The account 'xxx' does not appear to be valid - iis

I am trying to get automated deployment from TeamCity working for one of our new API endpoints. I have everything set up correctly, including the final step where TeamCity calls MSDeploy to send the package over to our server (we're talking our Integration / test server here).
Everything was working fine but, when creating the new site in IIS, we had borrowed a service user from another website for the app pool to run as.
When we created a new domain user and switched the app pool over our deployments started failing. The error MSDeploy gives is:
Error: (30/10/2014 15:00:56) An error occurred when the request was processed on the remote computer.
[15:00:56][Step 1/1] Error: The account 'XXX' does not appear to be valid. The account was obtained from this location: 'system.applicationHost/applicationPools/******.com'.
[15:00:56][Step 1/1] Error: Some or all identity references could not be translated.
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
[15:00:56][Step 1/1] at System.Security.Principal.NTAccount.Translate(Type targetType)
[15:00:56][Step 1/1] at Microsoft.Web.Deployment.Impersonator.GetNTAccount(String userName, String source)
Where XXX is the new domain user we created. Let's call the old domain user that we borrowed 'YYY'. We are using a third account, 'ZZZ', to connect with Web Deploy. So, everything was fine with the app pool running as YYY, but when we switched to XXX this error occurs.
We have looked and looked, but we can't find any differences between XXX and YYY. They're both in the same AD groups and both seem to have the same permissions on the server. Logging in to the server through RDP using account XXX allows us to open the IIS GUI and browse / administer the sites.
I've been unable to find many other sites talking about this problem, but it's got us completely stumped.
FYI, we have already restarted the web server in question, to see if that helped. It didn't.

The error being returned here is just a general authentication failure error. In this particular scenario the authentication failure was caused by a discrepancy between the User Principal Name and the SAM account name of the user the application pool was running as.
See the following question for an explanation of which name is used when authenticating an Active Directory user - https://serverfault.com/questions/371150/any-difference-between-domain-username-and-usernamedomain-local
In our particular example, the Active Directory user name of the application pool was longer than 20 characters. The SAM account name has a 20-character limit, which means all characters beyond 20 were not included.
As explained in the linked answer, the format you use when specifying the domain and user name determines which version of the name is used for authentication. Therefore, with an example user name of "username_longer_than_20_characters", the following formats would work:
domain\username_longer_than - authenticates using the SAM account name
or
username_longer_than_20_characters@domain - authenticates using the User Principal Name
The answer in the linked post also explains how to check the SAM account name for an Active Directory user.
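An added example, not part of the answer above: a PowerShell script that reproduces the lookup Web Deploy performs for the app-pool identity (the NTAccount-to-SID translation that fails in the stack trace in the question) and, when it fails, pulls the account's sAMAccountName and userPrincipalName from AD to show the 20-character truncation and the two logon formats that do resolve. It assumes the ActiveDirectory RSAT module is installed on the machine it runs on; 'CONTOSO' and the user name are placeholders, not values from the original post.

```powershell
# Added example, not from the original answer. Reproduces the NTAccount -> SID
# translation that Microsoft.Web.Deployment.Impersonator.GetNTAccount performs
# and, when it fails, compares sAMAccountName with userPrincipalName to expose
# the 20-character truncation. Assumes the ActiveDirectory RSAT module is
# installed; 'CONTOSO' and the user name are placeholders.
param(
    [string]$Identity = 'CONTOSO\username_longer_than_20_characters'
)

function Test-AccountTranslation {
    param([Parameter(Mandatory)][string]$Account)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $Account; Resolves = $true;  Detail = $sid.Value }
    } catch {
        # IdentityNotMappedException: "Some or all identity references could not be translated"
        [pscustomobject]@{ Account = $Account; Resolves = $false; Detail = $_.Exception.Message }
    }
}

function Get-LogonNameCandidates {
    # Returns the down-level (DOMAIN\sam) and UPN (user@domain) forms that do
    # resolve for a user whose name may exceed what sAMAccountName can hold.
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$UserName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # sAMAccountName is at most 20 characters, so a long name is cut at 20.
    $samGuess = $UserName.Substring(0, [Math]::Min(20, $UserName.Length))
    $u = Get-ADUser -Filter "userPrincipalName -like '$UserName@*' -or sAMAccountName -eq '$samGuess'" `
                    -Properties sAMAccountName, userPrincipalName | Select-Object -First 1
    if (-not $u) { throw "No AD user matches '$UserName' by UPN prefix or sAMAccountName." }
    [pscustomobject]@{
        sAMAccountName    = $u.sAMAccountName
        userPrincipalName = $u.userPrincipalName
        Truncated         = ($UserName.Length -gt 20 -and $u.sAMAccountName.Length -eq 20)
        DownLevelLogon    = "$Domain\$($u.sAMAccountName)"   # DOMAIN\sam, authenticates via sAMAccountName
        UpnLogon          = $u.userPrincipalName              # user@domain, authenticates via UPN
    }
}

# 1. Check the exact string IIS stores for the pool in applicationHost.config.
$first = Test-AccountTranslation -Account $Identity
$first | Format-List

# 2. If it does not resolve, find the forms that do and re-test each of them.
if (-not $first.Resolves -and $Identity -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
    $candidates = Get-LogonNameCandidates -Domain $Matches.dom -UserName $Matches.user
    $candidates | Format-List
    foreach ($name in $candidates.DownLevelLogon, $candidates.UpnLogon) {
        Test-AccountTranslation -Account $name
    }
}
```

Run it on the web server itself, since that is where Web Deploy performs the translation. With the long name from the answer, `CONTOSO\username_longer_than_20_characters` reports `Resolves = False`, while `CONTOSO\username_longer_than` and `username_longer_than_20_characters@contoso.example` both resolve to the same SID; either of those is what belongs in the app pool's identity.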

Related

Connecting Blazor Server App to Azure AD - Insufficient Permissions

I am trying to create a new Blazor server app and configure it to use a new Azure Active Directory that I recently created. I have found a couple tutorials online showing how to do this, including one from Microsoft, but I keep encountering an error that says "The user account doesn't have the required permissions to access the domain."
I read online that I needed to verify that my user account is assigned to the Global Administrator role, which I did and it is. I have tried to create 3 different active directories in Azure to see if it was a fluke, but I have received the same error message each time.
Any help that you are able to provide would be greatly appreciated.
Make sure that you have signed in to Visual Studio with an admin account of the domain (here it should be "thomasagarza@yahoo.com").
After adding the account, you can apply a filter for it (select the domain it is a member of). Make sure you have added it as a guest of that domain and assigned the Global Admin role to it.
Then all the related domains will be listed when you create a new project with Work or School Accounts authentication. Select the domain in which "thomasagarza@yahoo.com" is the admin and click OK. Generally you won't be required to enter your credentials again in this step.
Please note that if you have a custom domain for your AAD tenant and have made it primary, the domain listed here will be the custom domain name. In this case, if you manually set the domain in the format "***.onmicrosoft.com", you will get the error you are facing.

Web deployment task failed. ERROR_USER_UNAUTHORIZED

I am trying to deploy my bot to Azure. I created it in Azure and I downloaded the source code. But now that I'm trying to deploy it again I'm getting the error in the title. I have all the credentials correct because I wrote them down before. This is the error:
Severity: Error
Description: Web deployment task failed. (Connected to the remote computer ("dotnetfpbot.scm.azurewebsites.net") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
Make sure the site name, user name, and password are correct. If the issue is not resolved, please contact your local or server administrator.
Error details:
Connected to the remote computer ("dotnetfpbot.scm.azurewebsites.net") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
The remote server returned an error: (401) Unauthorized.
Project: AzureBot
Line: 0
If my username or password is wrong, is there a way to change them?
Please delete the publish profiles and rebuild them by going through the wizard again.
Yes. Sign in to your Azure account and hit 'Get publish profile' at the top of the dashboard after you click into your project, and you can send it to Notepad. There is a lot of stuff there. It all repeats; it includes userPWD="the long password is here".
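An added example, not from either answer above: a PowerShell script that reads the downloaded .PublishSettings file, picks the MSDeploy profile (the one whose userName/userPWD Web Deploy actually sends), and optionally checks those credentials against the site's SCM endpoint with HTTP Basic auth, so a wrong password surfaces as a plain 401 before msbuild is involved. The XML below is constructed sample data with placeholder values; the site name "examplebot" and its password are not from the original post.

```powershell
# Added example, not from the original thread. Parses a .PublishSettings file,
# extracts the Web Deploy (MSDeploy) credentials and can test them against the
# Kudu/SCM endpoint. The sample profile below is constructed, with placeholders.

function Get-MSDeployProfile {
    param([Parameter(Mandatory)][xml]$PublishSettings)
    # A .PublishSettings file carries several <publishProfile> elements
    # (MSDeploy, FTP, ...); only the MSDeploy one is used by the deployment task.
    $p = $PublishSettings.publishData.publishProfile |
         Where-Object { $_.publishMethod -eq 'MSDeploy' } |
         Select-Object -First 1
    if (-not $p) { throw 'No MSDeploy publishProfile found in the file.' }
    [pscustomobject]@{
        PublishUrl   = $p.publishUrl        # <site>.scm.azurewebsites.net:443
        MsdeploySite = $p.msdeploySite
        UserName     = $p.userName          # deployment user, normally '$<site>'
        UserPwd      = $p.userPWD           # secret: never log or commit it
    }
}

function Test-ScmCredential {
    # $true  = SCM accepted the credentials
    # $false = 401, the same ERROR_USER_UNAUTHORIZED condition as in the build log
    param([Parameter(Mandatory)]$Creds)
    $scmHost = ($Creds.PublishUrl -split ':')[0]
    $token = [Convert]::ToBase64String(
        [Text.Encoding]::ASCII.GetBytes("$($Creds.UserName):$($Creds.UserPwd)"))
    try {
        # Kudu's /api/deployments takes the same basic-auth credentials Web Deploy uses.
        $null = Invoke-RestMethod -Uri "https://$scmHost/api/deployments" -Method Get `
                    -Headers @{ Authorization = "Basic $token" }
        return $true
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 401) {
            return $false
        }
        throw    # DNS failure, TLS error, etc. are not credential problems
    }
}

# Constructed sample file; values are placeholders.
[xml]$sample = @'
<publishData>
  <publishProfile profileName="examplebot - Web Deploy" publishMethod="MSDeploy"
      publishUrl="examplebot.scm.azurewebsites.net:443" msdeploySite="examplebot"
      userName="$examplebot" userPWD="PLACEHOLDER_PASSWORD"
      destinationAppUrl="https://examplebot.azurewebsites.net" />
  <publishProfile profileName="examplebot - FTP" publishMethod="FTP"
      publishUrl="ftp://waws-example.ftp.azurewebsites.windows.net/site/wwwroot"
      userName="examplebot\$examplebot" userPWD="PLACEHOLDER_PASSWORD" />
</publishData>
'@

$pub = Get-MSDeployProfile -PublishSettings $sample
$pub | Select-Object PublishUrl, MsdeploySite, UserName | Format-List   # UserPwd deliberately omitted

# Against a real download:
#   $pub = Get-MSDeployProfile -PublishSettings ([xml](Get-Content .\examplebot.PublishSettings -Raw))
#   Test-ScmCredential -Creds $pub
```

The point of the check is that the deployment credentials are the per-site `$<site>` user in the profile, not the Azure portal login; if `Test-ScmCredential` returns `$false` for a freshly downloaded profile, the password was reset after the file was generated and the profile has to be downloaded again, exactly as the accepted advice says. Treat the .PublishSettings file as a credential: keep it out of source control and delete it once it has been imported.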

Azure new users: You do not have permission to view this directory or page

I have a web app in Azure. Access to that web app is controlled by Azure Active Directory. The app has been up and running since September of last year. I didn't make any changes to the app for a while and have 33 users in that app.
So, a week ago I tried to add a user, using the same methods and paths I used before.
The new user can log in to Microsoft (portal.office.com). After the initial login and change of password the user goes to the web app in Azure and gets the following error: You do not have permission to view this directory or page.
Error tracing gives me this:
HTTP Error 401.73 - Unauthorized
You do not have permission to view this directory or page.
Most likely causes: The authenticated user does not have access to a resource needed to process the request.
Things you can try: Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module: EasyAuthModule_32bit
Notification: BeginRequest
Handler: ExtensionlessUrlHandler-Integrated-4.0
Error Code: 0x80004005
Requested URL: https://*******:80/.auth/login/aad/callback
Physical Path: D:\home\site\wwwroot\.auth\login\aad\callback
Logon Method: Not yet determined
Logon User: Not yet determined
More Information: This is the generic Access Denied error returned by IIS. Typically, there is a substatus code associated with this error that describes why the server denied the request. Check the IIS log file to determine whether a substatus code is associated with this failure.
Another observed behavior: usually when new users log in, the web app asks for permission for AD to access their account information. Ever since this problem came up this is no longer the case.
Other users do not have any problems logging in. This problem only happens with new users who never logged in before.
EDIT: When I go to Active Directory and look at sign ins, I see failures to log into the web app with sign-in error code 90092. Failure Reason: Other.
Microsoft help desk could not give me details on that error code.
Check out the related question and answer here. All new users have to first consent to the application (agree to give your application the permissions to access their profile, or whatever you indicated as required permissions).
In short, you have to design a "sign-up" button for your application which uses the "login_url" and appends "&prompt=consent" to the query string.
Read all the related resources here to better understand the consent framework.
And please read the documentation about Azure App Service Authentication/Authorization here, as well as the Azure AD specific documentation here.
OMG, I just found an answer. I created a test app and set it up to mirror the settings of my live app.
In Required Permissions the new app had nothing for Microsoft Graph, the live app had 5 permissions. I deleted Microsoft Graph and it works now!
I wish Microsoft communicated better about discontinued APIs. I did get an alert, but it was mostly talking about MS Office 365.

Cannot sign in with local accounts using starterpack

I've downloaded the starter pack and performed all the steps as mentioned in the tutorial. I can create accounts, but if I log out and want to sign in again I always get the error "invalid username or password". Can anyone share any pointers, as debugging this is nearly impossible?
I've created several accounts already just to be sure the password was OK.
I've created the key containers.
I've created the two applications that are needed in the custom policies (web app and native).
I've updated the extension file with the correct IDs.
Yeah, if you don't get your client IDs correct you can't log in, and then it constantly reports invalid credentials.
Double check that you are writing the object IDs correctly.

CCTray Authorisation Issues

I'm having some authentication issues with CCTray (version 1.6.7981). If I specify an Authorisation Mode of "WinLogin authentication" no projects are listed & my AD account is locked out shortly thereafter.
If I specify "User name/password authentication" then the "Available Projects" list is populated as expected, and I can then select from this list and monitor the builds.
However, there are a couple of issues with the latter authorisation. Firstly, if my pc is rebooted then the following message is displayed against each project:
Error: Project '{project}' not found on server
Secondly (and more importantly), the password specified (which is my AD password) is displayed in cleartext within cctray-settings.xml (default location is C:\Documents and Settings\{username}\Application Data).
Ideally I'd like to get the "WinLogin authentication" working. Am I missing something?
To go about this you will need to create a service account in Active Directory. In Windows Services (services.msc), look for the CruiseControl.NET service and configure its Log On As account. This will prevent cleartext login information being passed around.