Azure Autoscaling block cannot find certificate - azure

I have the following situation: My azure application consists of 5 roles. One of those roles hosts the Autoscale block from Enterprise Library. This role is responsible for scaling the others up and down.
Now I followed the tutorial and added the Autoscale settings to the app.config and also added the services.xml and rules.xml.
The problem is that the autoscale logger (which works!) outputs this error over and over again:
Could not retrieve the instance count for hosted service with DNS
prefix 'myCloudApp'.
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientException:
The service configuration could not be retrieved from Windows Azure
for hosted service with DNS prefix 'myCloudApp' in subscription id
'xxxxxxxxxxxxxxxxxx' and deployment slot
'Production'. --->
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.Security.CertificateException:
The certificate with thumbprint
'xxxxxxxxxxxxxxxxxxxxx' in store name 'My' and
store location 'LocalMachine' could not be found. at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.Security.CertificateHelper.FindCertificate(StoreName
certificateStoreName, StoreLocation certificateStoreLocation, String
certificateThumbprint, Boolean withPrivateKey, Boolean validOnly) at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClient.CreateFactory(StoreName
certificateStoreName, StoreLocation certificateStoreLocation, String
certificateThumbprint, Inspector inspector) at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClient.CallOperation[TResult](Func2
call, StoreName certificateStoreName, StoreLocation
certificateStoreLocation, String certificateThumbprint, String
exceptionMessage, String& requestId) --- End of inner exception stack
trace --- at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClient.CallOperation[TResult](Func2
call, StoreName certificateStoreName, StoreLocation
certificateStoreLocation, String certificateThumbprint, String
exceptionMessage, String& requestId) at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClient.GetDeployment(String
hostedServiceDnsPrefix, String subscriptionId, DeploymentSlot
deploymentSlot, StoreName certificateStoreName, StoreLocation
certificateStoreLocation, String certificateThumbprint) at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientExtensions.GetDeployment(IServiceManagementClient
client, HostedService hostedService) at
Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.DataPointsCollection.RoleInstanceCountDataPointsCollector.Collect(DateTimeOffset
collectionTime)
I replaced the actual thumbprint and subscription id with xxxxx.
I don't understand why it cannot access my cloud services. Do I need to do anything to this certificate?
Help is greatly appreciated!!

Did you actually upload the pfx (private key side) of the management certificate? This error indicates it cannot find the cert installed on the machine.
http://msdn.microsoft.com/en-us/library/windowsazure/gg465712.aspx

Related

Azure ErrorResponseException: Operation returned an invalid status code 'Forbidden' (CertificateOperations)

We have an app service that needs to access a key vault on Azure. We have 2 subscriptions, and this is working fine in one of them. The other one is new and we're getting this error (C# code in app service):
Microsoft.Azure.Management.ApiManagement.Models.ErrorResponseException:
Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.Management.ApiManagement.CertificateOperations.DeleteWithHttpMessagesAsync
(String resourceGroupName,
String serviceName,
String certificateId,
String ifMatch,
Dictionary`2 customHeaders,
CancellationToken cancellationToken)
at Microsoft.Azure.Management.ApiManagement.CertificateOperationsExtensions.DeleteAsync
(ICertificateOperations operations,
String resourceGroupName,
String serviceName,
String certificateId,
String ifMatch,
CancellationToken cancellationToken)
We already compared pretty much all resources, settings, keys, permissions, access policies, managed identities, everything that we think could be causing this issue, but it is still not working. The code is the same, so it does not come from there. Must be something obvious but this error message does absolutely not tell us what the root cause is.
Anyone could point us to the setting we're missing? If this is related to the account running the app service, how/where can we know what the account is on Azure?
In our case, the issues were:
Client certificates were actually stored in APIM and not in KV.
Service needed API Management Service Contributor permission instead of Contributor to be able to perform operations on the certificates stored in APIM.
Documentation:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Contributor
-> Grants full access to manage all resources
API Management Service Contributor
-> Can manage service and the APIs

How to read connection string from key vault for Service Bus?

Here is how I instantiate the client in my Configure method:
services.AddSingleton<ServiceBusClient>(x => new ServiceBusClient(configuration.GetSection("ServiceBus:ConnectionString").Value, serviceBusClientOptions));
And this how my appsettings looks like:
{
    "ServiceBus:ConnectionString": "#Microsoft.KeyVault(VaultName=MyVaultName;SecretName=MySecretName)"
}
However, I am getting the following exception:
The connection string used for an Service Bus client must specify the Service Bus namespace host and either a Shared Access Key (both the name and value) OR a Shared Access Signature to be valid. (Parameter 'connectionString'
What am I missing here?
Have you created a managed identity for your application and added access policies such that your app can GET this secret value from Key Vault?
Check out the official documentation for this here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Also, on a side note, have you tried directly adding the secret value as the app setting value instead of referencing it from KV and seeing if that works? (If yes, then it's definitely a permissions issue and NOT a problem with your C# app code.)
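As an added example (not code from the question or the answer above), a startup guard that turns the cryptic ServiceBusClient error into a message naming the real cause: an App Service Key Vault reference that the platform never resolved. It assumes the documented "@Microsoft.KeyVault(...)" reference syntax and the Microsoft.Extensions.Configuration IConfiguration the question already uses; the connection-string shape check is a heuristic.

```csharp
using System;
using Microsoft.Extensions.Configuration;

// Added example, not code from the question or the answer: fail fast when an
// App Service Key Vault reference was not resolved by the platform, instead of
// letting ServiceBusClient throw its generic "must specify the Service Bus
// namespace host ..." error. Assumes the documented "@Microsoft.KeyVault(...)"
// reference syntax; any other sigil in front of it is caught by the same check.
public static class KeyVaultReferenceGuard
{
    // An app setting that still contains "Microsoft.KeyVault(" at runtime was
    // never replaced by the secret value. The usual cause is a missing managed
    // identity or a missing 'Get' secret permission on the vault.
    public static bool LooksUnresolved(string value) =>
        value != null &&
        value.IndexOf("Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase) >= 0;

    // Heuristic shape check for a Service Bus connection string:
    // "Endpoint=sb://<ns>.servicebus.windows.net/;SharedAccessKeyName=...;SharedAccessKey=..."
    public static bool LooksLikeServiceBusConnectionString(string value) =>
        value != null &&
        value.IndexOf("Endpoint=sb://", StringComparison.OrdinalIgnoreCase) >= 0 &&
        (value.IndexOf("SharedAccessKey=", StringComparison.OrdinalIgnoreCase) >= 0 ||
         value.IndexOf("SharedAccessSignature=", StringComparison.OrdinalIgnoreCase) >= 0);

    // Returns the resolved connection string or throws a message that names the cause.
    public static string RequireResolved(IConfiguration configuration, string key)
    {
        string value = configuration[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"App setting '{key}' is missing or empty.");
        if (LooksUnresolved(value))
            throw new InvalidOperationException(
                $"App setting '{key}' still holds a Key Vault reference; App Service did not " +
                "resolve it. Check the app's managed identity and its secret 'Get' permission on the vault.");
        if (!LooksLikeServiceBusConnectionString(value))
            throw new InvalidOperationException(
                $"App setting '{key}' resolved, but does not look like a Service Bus connection string.");
        return value;
    }
}

// Usage in ConfigureServices, keeping the registration from the question:
// string cs = KeyVaultReferenceGuard.RequireResolved(configuration, "ServiceBus:ConnectionString");
// services.AddSingleton<ServiceBusClient>(x => new ServiceBusClient(cs, serviceBusClientOptions));
```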

SAML binding: Error getting X509Certificate2.PrivateKey on Azure

The ITFoxtec Identity SAML 2.0 library contains a function to bind the request that extracts private key from signing certificate.
if (certificate is Saml2X509Certificate)
{
    return (certificate as Saml2X509Certificate).GetRSAPrivateKey();
}
else
{
    return certificate.GetRSAPrivateKey();
}
It works on local machine but on azure, it is giving the following error.
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean
randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters
parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle&
safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters
parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
at ITfoxtec.Identity.Saml2.X509Certificate2Extensions.GetSamlRSAPrivateKey(X509Certificate2 certificate)
at ITfoxtec.Identity.Saml2.Saml2Binding1.BindInternal(Saml2Request saml2RequestResponse)
at ITfoxtec.Identity.Saml2.Saml2RedirectBinding.BindInternal(Saml2Request saml2RequestResponse, String messageName)
at ITfoxtec.Identity.Saml2.Saml2Binding1.Bind(Saml2Request saml2Request) .
Not sure whether it is saml library issue or azure configuration issue since it works on local machine.
I am using the certificate provided in the test webapp example. So, it doesn't look corrupted.
Does anyone know the reason behind this?
If you are using an Azure App Service, maybe the problem is that you need to make the SSL/TLS certificates private key accessible for your web application.
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application.

How can I set up my Azure account in order to make ARM deployments via the REST API?

I have an Azure account and I want to make deployments of ARM templates using the ASP.NET libraries. I've noticed that in the Azure Portal generated Deployment class (in the DeploymentHelper.cs file that I've downloaded from the Portal) I have the following fields for which I need to provide my own data:
string subscriptionId = "your-subscription-id";
string clientId = "your-service-principal-clientId";
string clientSecret = "your-service-principal-client-secret";
string resourceGroupName = "resource-group-name";
string deploymentName = "deployment-name";
string resourceGroupLocation = "resource-group-location";
string pathToTemplateFile = "path-to-template.json-on-disk";
string pathToParameterFile = "path-to-parameters.json-on-disk";
string tenantId = "tenant-id";
I'm having a hard time with these:
string clientId = "your-service-principal-clientId";
string clientSecret = "your-service-principal-client-secret";
I know that the subscriptionId I can get in the Subscriptions blade. I also know that the tenantId I can get in the Azure Active Directory > Properties blade under the Directory ID field.
I have followed this documentation page in order to try and set up an App Registration on Azure Active Directory, which I've read is what I need to obtain the clientId and clientSecret values. I think it's worth mentioning I have no experience whatsoever with Active Directory or Azure Active Directory.
When following the docs my first issue is with this blade:
I don't know what I should put in the "Sign-on URL" field. I've tried filling it with my personal website just because it's required (probably my first mistake). Then with the Registered App I go in "Application ID" and use the value as clientId within my code.
I then generate the key in the "Settings" blade and use it as the clientSecret within my code.
However when I run my code I get the following error:
Exception thrown: 'Microsoft.Rest.Azure.CloudException' in System.Private.CoreLib.dll
An exception of type
'Microsoft.Rest.Azure.CloudException' occurred in System.Private.CoreLib.dll but was not handled in user code
Operation returned an invalid status code 'Forbidden'
I wouldn't want to do any fancy Azure AD set up in order to make deployments via Azure. I'm trying this on my personal account, so it's not like I have an AD environment set up.
I don't know what I should put in the "Sign-on URL" field. I've tried filling it with my personal website just because it's required (probably my first mistake).
If you develop a web application, you could use the web application address as the sign-on URL. In your case, you could add any valid URL address, and you could add your personal website.
Operation returned an invalid status code 'Forbidden'
It means that you have no access to deploy the resource to the subscription.
You need to assign a role to the web application. For more information, refer to how to register an Azure AD application and assign a role.

Azure App Service 502.5 error response when loading a certificate using X509Certificate2

I have a .NET Core application that I'm trying to deploy to Azure App Service. When I deploy and try to load the site I'm getting a 502.5 error response. From what I've read that means it's a permissions issue. I've tried printing the logs with stdout, but while it is physically creating the log files, they are all empty.
So I started eliminating the problem by commenting out code. On ConfigureServices I'm loading a certificate:
var certificate = new X509Certificate2("mycertificate.pfx", "**********");
If I comment out this line, then the application loads. Once it is put back, it gives the error again.
From the console in the Azure portal I've tried giving mycertificate.pfx permissions using chmod 777 mycertificate.pfx, but it didn't seem to have any effect.
I'm not sure if the problem is loading that specific file or using X509Certificate2 at all.
How can I set it up to work?
How can I set it up to work?
1. Upload the pfx certificate to Azure with the Azure portal. It requires service plan B or above. For how to change the service plan, please refer to this document.
2. Add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate; this will make it accessible to your web application.
You can have multiple comma-separated thumbprint values or can set this value to “ * “ (without quotes), in which case all your certificates will be loaded to your web application's personal certificate store.
3. Access from the WebApp:
using System;
using System.Security.Cryptography.X509Certificates;

namespace UseCertificateInAzureWebsiteApp
{
    class Program
    {
        static void Main(string[] args)
        {
            // App Service loads the certificates listed in WEBSITE_LOAD_CERTIFICATES into CurrentUser\My
            X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            certStore.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = certStore.Certificates.Find(
                X509FindType.FindByThumbprint,
                // Replace below with your cert's thumbprint
                "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
                false);
            // Get the first cert with the thumbprint
            if (certCollection.Count > 0)
            {
                X509Certificate2 cert = certCollection[0];
                // Use certificate
                Console.WriteLine(cert.FriendlyName);
            }
            certStore.Close();
        }
    }
}
We could get more info from the document.
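As an added example (not code from any of the answers on this page, nor from the Autoscaling block or ITfoxtec), a helper that serves the first question (the Autoscaling block searching LocalMachine\My), the SAML question (the private key accessor) and the App Service answer just shown: it finds a certificate by thumbprint and proves the private key can sign, so a missing or key-less certificate is reported before a library fails on it. Store, location and thumbprint are supplied by the caller; the 32-byte probe is constructed test input.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the answers above: find a certificate by thumbprint
// the way the Autoscaling block (LocalMachine\My) and an App Service web app
// (CurrentUser\My after WEBSITE_LOAD_CERTIFICATES) expect to, then prove the
// private key is usable before any library such as the SAML binding needs it.
public static class CertificateProbe
{
    // Thumbprints pasted from the portal or MMC may carry spaces or an invisible
    // leading mark; keep only hex digits so FindByThumbprint actually matches.
    public static string NormalizeThumbprint(string thumbprint) =>
        new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    public static X509Certificate2 Find(StoreName storeName, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly:false so an expired or untrusted cert is reported as present,
            // not as "could not be found" (the autoscaler's message in the first question).
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormalizeThumbprint(thumbprint), validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate with thumbprint '{thumbprint}' in {location}\\{storeName}. " +
                    "Cloud service role: add the .pfx to the role's Certificates configuration. " +
                    "App Service: upload the .pfx and set WEBSITE_LOAD_CERTIFICATES to its thumbprint.");
            return matches[0];
        }
    }

    // True when a private key is attached and the key provider can sign with it.
    // GetRSAPrivateKey() is the supported accessor; the legacy PrivateKey property
    // only understands CSP-backed keys and throws for other providers.
    public static bool PrivateKeyIsUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null) return false;        // not an RSA key
            byte[] probe = new byte[32];           // constructed test input, content irrelevant
            byte[] signature = rsa.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return rsa.VerifyData(probe, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
}
```

Call CertificateProbe.Find(StoreName.My, StoreLocation.CurrentUser, thumbprint) from a startup check and log the result of PrivateKeyIsUsable; on a cloud service role use StoreLocation.LocalMachine, matching the store the Autoscaling block's error message names.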
