Credentials rejected by remote desktop to Windows Azure Web Role - azure

I have created a Cloud project on VS 2012 with .net 4.5. This consists of two web roles, an API and an front end website.
I have followed the instructions here: http://msdn.microsoft.com/en-gb/library/windowsazure/gg443832.aspx in order to set up remote desktop, and deployed the service.
When I try to connect (I have double and triple checked the credentials), I get told that 'The credentials that were used to connect to did not work. Please enter new credentials.
My web roles are both operational, and I can visit them both in the browser.
I have tried waiting a while after deploying for changes to propagate, but this makes no difference. The only thing I can think of is that I have not done anything with certificates as of yet other than download the appropriate bits in order to deploy from visual studio. I can't find any documentation that says I need to though.
I have also tried out adding various domains to the username but nothing works.
Am I missing something, or is there a chance that there is a bug with azure at the moment?
EDIT: Have now tried deleting the cloud project from visual studio, deleting the cloud service in azure and redeploying with only a single web role. Still seeing the problem.

Just checking for completeness,
Did you use the button on the website for your first access?
http://blogs.msdn.com/b/avkashchauhan/archive/2011/04/03/how-to-login-into-windows-azure-virtual-machine-using-remote-desktop.aspx
On the other hand, this is the link that worked for us, it includes how to set up the cert needed too.
http://geekswithblogs.net/MagnusKarlsson/archive/2012/12/03/connect-to-running-web-role-from-remote-desktop-connection-and.aspx

I fixed this by removing the <Import moduleName="RemoteAccess" /> and <Import moduleName="RemoteForwarder" /> lines from the .csdef then removing all references to Microsoft.WindowsAzure.Plugins.RemoteAccess and Microsoft.WindowsAzure.Plugins.RemoteForwarder within the .cscfg files. I then was able to deploy and enable remote desktop access from the newer Azure portal.

After adding users to the Azure Active Directory Domain, (e.g. smith#mydomain.onmicorosft.com), I tried logging in as one of those users, but got "Your credentials did not work." After some trial and error, I found that I had to add the users (e.g. smith) as local users on the VMs. Once I did that, and assigned, passwords, the users could RDP in.

Related

Web Deploy from a new computer

I got a new computer and I'm trying to publish my website through web deploy in Visual Studio from the new computer but it keeps saying failed due to unauthorized user. I'm using the same visual studio account, the same password. Everything else is identical to what it looks like in the old computer.
Is there something on the azure website that I need to update to allow a new computer to publish? Is the password different from the username/password I login to get into azure portal? There seem to be a lot more **** in my old computer's password input than what's required. I just assumed that it at some point did that for security purposes.
This is the error I get when going to Settings in the publishing window in Visual Studio and when I click Validate Connection:
Connect to the remote computer ("website name" using the Web
Management Service, but could not authorize. Make sure that you are
using the correct user name and password, that the site you are
connecting to exists, and the credentials represent a user who has
permissions to access the site. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
The remote server returned an error: (401) Unauthorized.
Is there something on the azure website that I need to update to allow a new computer to publish?
No.
Is the password different from the username/password I login to get into azure portal?
Its not different. Its the same.
I have noticed that sometimes, even with everything being correct from our side, VS web deploy to Azure simply may not work. It could a simple connection issue from VS to Azure, in terms of authentication and no fault of yours.
I don't know why VS is giving authentication error, but as an alternative, you could, deploy your site locally to a folder in Visual Studio. Then, deploy the site manually to your site via FTP.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-deploy
In the long run, you will come to trust FTP deploy than VS deploy which is simply too much of a hassle.

Can't hit NuGet server hosted on an Azure website from Visual Studio, but can from web

My problem is that I have a NuGet server on an Azure website using Azure AD for auth. It works as expected if I hit the NuGet URL in Chrome (requires the login, which accepts appropriate credentials), but if I try to access it in Visual Studio 2013 (through manage NuGet packages) it won't accept the account/password as appropriate credentials (the prompt just pops up again). My approach was as follows:
With the goal of creating a simple internal NuGet server, I largely followed the instructions in this article to deploy one on an Azure website: http://www.codeproject.com/Articles/872230/Create-Your-Own-Private-NuGet-Server-in-Windows-Az
The NuGet server works just fine, but I wanted to add some basic auth since we'll be hosting some of our code there. I decided to try to use Azure AD for this. I added a couple Microsoft accounts (mine and a coworker's) to our otherwise empty default Azure active directory. Through the management portal, I then selected the 'configure' tab in the website dashboard and added the default directory in the auth section.
Since the developers who will be pulling down our packages will do so through Visual Studio, I need to figure this out or find an alternative. I would like (if possible) to avoid writing my own auth module, since this feature is supposed to be baked into Azure.
It turns out that NuGet does not currently support Azure AD. However, they are working on it and progress can be tracked here: https://github.com/NuGet/Home/issues/708

Azure Tools for VS - can't sign in to subscription

I'm having a pretty strange issue with Azure tools for VS 2013 (version 2.6). Whenever I try to sign in to my Azure subscription (e.g. from Server explorer or creating a new web role project) I get the following error:
Server Explorer
An error occurred during the sign in process: User 'foo#gmail.com' returned by service does not match user 'bar#outlook.com' in the request
OK
My subscription owned by 'bar#outlook.com' and I can perfectly fine sign in either to management portal in a browser (IE, Spartan and Chrome) - as well as in the Power Shell. Tried everything - cleaning up browser caches/cookies, resetting IE settings, playing with different IE security settings - nothign works.
Any help is appreciated - this issue drives me crazy.
P.S. I'm on Windows 10...
I had the same problem. Imported the certificate manually and everything worked ok: https://social.technet.microsoft.com/Forums/en-US/9cdafeb4-f459-436d-b2b8-9bc5c01f0df1/azure-tools-for-vs-cant-sign-in-to-subscription?forum=windowsazuredevelopment
I had this issue, to resolve it I:
Added 'foo#gmail.com' as an alias in my 'bar#outlook.com' Microsoft account, via account.live.com
Made the 'foo#gmail.com' email address the primary alias for my Microsoft account
I could then log in successfully in to Azure by pressing the Connect to Microsoft Azure button in the toolbar of the Server Explorer in Visual Studio 2013 and see all of my websites under the App Service node.
(When I'd used the certificate method described in the other post and Microsoft documentation I'd been able to see all my sql databases etc. but not the websites.)
Once I'd done all that I then switched my primary alias back to 'bar#outlook.com' and server explorer carried on working.
NB: If you're experimenting with this beware that there is a limit on how many times you can switch your primary.. as I have just discovered.. and now my primary is stuck on the wrong email address for a week.
NB2: If your connecting in order to be able to remote debug the website, then this can still be done by going to Visual Studio>Main Menu>Debug>Attach To Process, and then enter the URL of the site (without the http bit, e.g. mysite.azurewebsites.net) as the Qualifier and then attach to the w3wp.exe process.
I am having the exact same issue. It seems that the Azure sign-in in Visual Studio is redirecting to our organizational Single Sign-On instead of the Microsoft one. I have managed to work around this problem by using a Microsoft account that is not tied to my organization:
Create new Microsoft account or use an existing account not associated with your organization
In https://manage.windowsazure.com select Subscriptions/Manage Administrators
Choose Add+ and add the new Microsoft account as administrator to your subscription
Log on to Azure using the new account from Visual Studio
/Morten
I changed my Microsoft account's email address and had this problem. Adding an alias did not help.
The problem is to do with the Azure Active Directory Library for DotNet. For whatever dumb reason, they throw an exception when Azure returns an ID different than the one requested (if the server isn't crying about it, why make up an error and make the client deal with it?).
Since Azures's support was no help, I had to build a custom copy of the ADAL with that moronic exception removed and an assembly version matching the one used in VS2013 (2.11). Also importantly, disable strong name verification for the custom assembly.

How to get .publishsettings for Web Deployable Web Role?

I enabled the Web Deploy feature for my Web Role and deployed it.
But how can I get hold of the .publishsettings file so I can create a Publishing Profile for it?
This 2 year old article states that it should have been created automatically, but I haven't got that in my profile manager.
Any ideas?
If you are using Visual Studio 2012 or greater, the server explorer to the left will have several Azure items.
Specifically the Windows Azure Compute is what we are looking for, right click on that and say 'add deployment environment'. You will then be prompted with a dialog that allows you to sign in and download publish settings file:
You can get publishsettings file from the following link: https://windows.azure.com/download/publishprofile.aspx
Well, the problem was really behind the keyboard.
So the publishing profile is actually provisioned correctly and automatically to the Web project as the documentation states.
The problem and confusion was that I have a secondary web application in my Solution that I also publish to the same Web Role (referenced as an additional Site in the ServiceDefinition.csdef file).
That Web Project does not get the Publishing Profile, and when I try to create a profile manually, it doesn't work since that (secondary) IIs instance is not configured for Web Deployment.
Oh well, back to the tedious Cloud Service deployment it is...

X509Certificate2.Verify() returns true in console app, false in asp.net web app

I've a feeling it's something to do with the permissions of the AppPool but as this app is hosted in Azure it's not possible to change that.
My code works in a console app and when the AppPool is set to run as a user (myself). It fails to run when the AppPool is set to run as ApplicationIdentity and when the service is hosted in Azure (I'll post the code if requested, but I don't think that's where the problem lies).
It doesn't matter whether I load the certificate from a store, from a file, or from a byte array. The results are the same.
I don't know what information will be helpful in diagnosing this but it appears that the chain/path doesn't load under the reduced privileges. Calling .Verify() returns true in the console app (and IIS running as my user) and false under ApplicationIdentity.
The certificate appears to load normally and contains a private key in both circumstances.
It turns out my problem was the same listed in this question. I needed to set my certificates up so that some of them were in the CA and Trust section so that the chain was built correctly.
I had all of the certificates installed but it would appear that the location of the certificate is important as well, and it was nothing to do with security or which user was logged on at all!
You can change almost anything in Azure. It is full IIS (if you are not upgrading from SDK 1.3 or earlier) by default. There are couple of options to try:
(This one is wrong! Noted by Steve Marx)Try jus trunning the application (in this case IIS AppPool) in Elevated mode. That will make AppPool running under "SYSTEM" account, instead of AppPoolIdentity. You can do that by adding a <runtime executionContext="elevated" /> element in your role definition in .CSDEF file.
You can enable remote desktop to all your roles. That will effectively create an account in your role instance and add it to the Administrators group. Then you can use a startup task and powershell script to change AppPool identity to use that account instead: A blog post by Wade Wegner on how to programatically change AppPool Identity.
Well, these all are ways to make your application pool runs in Elevated mode, but also show that you can do pretty much everything with IIS on your Windows Azure Instance. I suggest to use site runing in elevated mode only for testing purposes. First make your code run in restricted account on local IIS. Then see what you changed to make it wokrk locally and apply these changes on the Azure Web Role.
EDIT
Another thing to pay attention is that in order .Verify() to work, you must have the Root Certificate of the CA that issued the checked certificate, installed on the web role. This can be done via adding the Root CA Certificate as a "Service Certificate" from the management portal. Also, the CA that issued the checked certificated must be trusted.

Resources