Posts Tagged ‘Azure’

I got a "deployment failed" error when trying to change a SQL Server VM's license from Express to Developer.

I checked the server and it had the Developer license installed on SQL Server.

Looking at the JSON:

{
    "status": "Failed",
    "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [
            {
                "code": "MismatchSqlVmSku",
                "message": "The SQL sku provided is 'Developer' which does not match the sku installed in the virtual machine 'Express'. Make sure to provide the correct sku type."
            }
        ]
    }
}

It was because an old SQL Server Express instance was still installed alongside the Developer instance: the SQL VM resource provider checks the requested SKU against the edition it finds installed on the VM, and the leftover Express instance made the two disagree. Removing the old Express instance fixed the issue.
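To find a leftover instance before changing the SKU, here is an added example (not from the original post) that lists every SQL Server instance installed on the VM together with its edition, read from the standard SQL Server setup registry keys. It assumes that registry layout and an elevated prompt on the VM:

```powershell
# Added example, not from the original post: enumerate installed SQL Server instances
# and their editions so a stray Express install shows up before you change the SQL VM SKU.
# Assumes the standard SQL Server setup registry layout; run elevated on the VM.
$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceMap = Get-ItemProperty -Path "$base\Instance Names\SQL"

$installed = $instanceMap.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |          # drop PowerShell's PSPath/PSParentPath/... metadata
    ForEach-Object {
        $setup = Get-ItemProperty -Path "$base\$($_.Value)\Setup"
        [pscustomobject]@{
            Instance   = $_.Name         # e.g. MSSQLSERVER, SQLEXPRESS
            InstanceId = $_.Value        # e.g. MSSQL15.SQLEXPRESS
            Edition    = $setup.Edition  # e.g. 'Express Edition', 'Developer Edition'
            Version    = $setup.Version
        }
    }

$installed | Format-Table -AutoSize

# The SQL VM resource provider matches the requested SKU against what is installed, so
# two different editions on one box is exactly the MismatchSqlVmSku situation.
$editions = @($installed.Edition | Sort-Object -Unique)
if ($editions.Count -gt 1) {
    Write-Warning "Multiple editions installed: $($editions -join ', '). Uninstall the one you are not licensing before retrying the SKU change."
}
```

To see which SKU Azure currently has recorded for the VM, compare against `az sql vm show --name <vm> --resource-group <rg> --query sqlImageSku -o tsv`.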

Sign in to the Azure portal, open Azure Active Directory and, under Monitoring, locate Usage & insights.

Select "Users registered for Multi-Factor Authentication".

This can also be done in PowerShell: https://dirteam.com/sander/2020/05/14/todo-optimize-the-azure-multi-factor-authentication-methods-used-throughout-your-organization/

Monitoring with PowerShell: Monitoring the used MFA type for O365/Azure.
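As an added example (not the original post's steps and not the script behind either link), the same per-user registration data pulled from Microsoft Graph with the Microsoft.Graph.Reports module. The two scopes, the report paths and the list of methods I treat as "phone-based" are my assumptions:

```powershell
# Added example, not from the original post: fetch the per-user MFA registration report
# from Microsoft Graph. Assumes the Microsoft.Graph.Reports module is installed and the
# signed-in account can consent to the two scopes below; CSV paths are placeholders.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Tier 1: no MFA registered at all. These accounts are effectively password-only.
$notRegistered = @($details | Where-Object { -not $_.IsMfaRegistered })

# Tier 2: registered, but the default method is phone-based (SMS/voice), the weakest
# factor. Method names follow Graph's defaultMfaMethodType enumeration (assumption).
$phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'office')
$phoneDefault = @($details | Where-Object {
    $_.IsMfaRegistered -and ($_.DefaultMfaMethod -in $phoneMethods)
})

[pscustomobject]@{
    TotalUsers     = @($details).Count
    MfaRegistered  = @($details | Where-Object { $_.IsMfaRegistered }).Count
    NotRegistered  = $notRegistered.Count
    PhoneAsDefault = $phoneDefault.Count
}

# Breakdown by default method, the same split the portal tile charts.
$details | Group-Object DefaultMfaMethod | Sort-Object Count -Descending |
    Select-Object Name, Count

# Export the two watch-lists for follow-up.
$notRegistered | Select-Object UserPrincipalName, IsMfaCapable, LastUpdatedDateTime |
    Export-Csv -Path 'C:\Reports\mfa-not-registered.csv' -NoTypeInformation
$phoneDefault | Select-Object UserPrincipalName, DefaultMfaMethod,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path 'C:\Reports\mfa-phone-default.csv' -NoTypeInformation
```

IsMfaCapable is the field to watch alongside IsMfaRegistered: a user can be capable (a method is registered) but still not registered in the sense the portal report uses, so it is worth exporting both.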


Run Locally

Test and download the app

#Pull the image from Docker Hub

docker pull %dockerusername%/%dockername%:latest

#Run the container, mapping host port 80 to the port the app listens on inside the container (3000 here); to test, go to http://localhost

docker run -p 80:3000 %dockerusername%/%dockername%:latest

#List containers, including stopped ones

docker ps -a

#Stop the container by ID (taken from the list above)

docker stop ad5b49ba5476

#Remove stopped containers

docker container prune

Upload App to Azure

**Create an Azure Container Registry or reuse an existing one**

**Run the below in Azure Cloud Shell**

#Show the registry's admin credentials and save the username and password. This requires the admin account to be enabled on the registry; it is a single shared credential with full push and pull rights, so treat the password as a secret and prefer a scoped token or managed identity where you can.

az acr credential show --name %azurecontainer%

**Run on the Docker PC**

#Log in to the Azure Container Registry (the admin username is the registry name; docker prompts for the password)

docker login %azurecontainer%.azurecr.io --username %azurecontainer%

#Tag the image for upload

docker tag %dockerusername%/%dockername%:latest %azurecontainer%.azurecr.io/%dockername%:latest

#Push the image to the registry

docker push %azurecontainer%.azurecr.io/%dockername%:latest

Run in Azure

#Create an App Service plan (Linux)

az appservice plan create --name %serviceplanname% --resource-group %azureresourcegroup% --sku S1 --is-linux

#Create the web app in the plan from the image in the registry

az webapp create --resource-group %azureresourcegroup% --plan %serviceplanname% --name %appname% --deployment-container-image-name %azurecontainer%.azurecr.io/%dockername%:latest

#Set the registry URL and credentials the app uses to pull the image (the password is stored as an app setting)

az webapp config container set --name %appname% --resource-group %azureresourcegroup% --docker-custom-image-name %azurecontainer%.azurecr.io/%dockername%:latest --docker-registry-server-url https://%azurecontainer%.azurecr.io --docker-registry-server-user %azurecontainer% --docker-registry-server-password %passwordfromshowcredential%

#Tell App Service which port the container listens on, e.g. 3000

az webapp config appsettings set --resource-group %azureresourcegroup% --name %appname% --settings WEBSITES_PORT=3000

Test the app

http://%appname%.azurewebsites.net/
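The whole flow above as one script, added here as an example (not the original post's commands) and written in PowerShell because that is what the rest of this page is typed into. It deliberately swaps the registry's admin username/password for `az acr login` on the push side and a system-assigned managed identity with the AcrPull role on the App Service side, so no registry password has to be enabled, copied or stored in app settings. All names are placeholders:

```powershell
# Added example, not from the original post: push an image to ACR and run it in App Service
# without the registry admin account. Assumes Azure CLI and Docker are installed and you
# are logged in with `az login`; every name below is a placeholder.
$ErrorActionPreference = 'Stop'
$registry      = 'myregistry'       # ACR name, without the .azurecr.io suffix
$resourceGroup = 'my-rg'
$plan          = 'my-plan'
$app           = 'my-app'           # becomes https://my-app.azurewebsites.net
$image         = 'myuser/myapp'     # local image name as built or pulled
$containerPort = 3000

$loginServer = az acr show --name $registry --query loginServer --output tsv
$acrId       = az acr show --name $registry --query id --output tsv

# 1. Authenticate docker to ACR with a token from the CLI sign-in, then tag and push.
az acr login --name $registry
docker tag  "${image}:latest" "${loginServer}/${image}:latest"
docker push "${loginServer}/${image}:latest"

# 2. Plan and web app, as in the post.
az appservice plan create --name $plan --resource-group $resourceGroup --sku S1 --is-linux
az webapp create --resource-group $resourceGroup --plan $plan --name $app `
    --deployment-container-image-name "${loginServer}/${image}:latest"

# 3. Give the app a system-assigned identity and grant only AcrPull on this registry.
$principalId = az webapp identity assign --resource-group $resourceGroup --name $app `
                   --query principalId --output tsv
az role assignment create --assignee $principalId --scope $acrId --role AcrPull

# 4. Switch the app to pull with that identity. The JSON goes via a file because
#    Windows PowerShell mangles embedded double quotes on native command lines.
$cfg = Join-Path $env:TEMP 'acr-identity.json'
'{"acrUseManagedIdentityCreds": true}' | Set-Content -Path $cfg -Encoding ascii
az webapp config set --resource-group $resourceGroup --name $app --generic-configurations "@$cfg"
az webapp config appsettings set --resource-group $resourceGroup --name $app `
    --settings "WEBSITES_PORT=$containerPort"

# 5. Role assignments take a little while to propagate; restart once and smoke test.
Start-Sleep -Seconds 60
az webapp restart --resource-group $resourceGroup --name $app
(Invoke-WebRequest -Uri "https://${app}.azurewebsites.net/" -UseBasicParsing).StatusCode
```

If the first pull fails right after step 2 (the app has no credentials yet at that point), that is expected; step 4 plus the restart fixes it. Test over HTTPS rather than the plain http:// URL in the post: App Service serves both, and there is no reason to send the first request in the clear.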
  • Install a new NPS server (it cannot be an existing one, because once the MFA extension is installed it applies to every RADIUS request that server handles, such as Wi-Fi!)
  • Install the Azure AD NPS extension (NPS Extension for Azure MFA) and enroll it in Azure AD
  • Add a RADIUS client on the NPS server for the IP (VIP) of the NetScaler
  • On the NetScaler, add the RADIUS server under Authentication: set Time-out to 10 seconds, set Password Encoding to MSCHAPv2 and set NAS ID to MFA
  • NPS server policies
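The NPS side of the list above, scripted as an added example (not the original post's steps): install the role on a fresh server, register it in AD, generate a strong RADIUS shared secret and add the NetScaler VIP as the only RADIUS client. The VIP, client name and the path of the extension's enrollment script are placeholders/assumptions; the extension installer itself is run separately:

```powershell
# Added example, not from the original post: prepare a dedicated NPS server for the Azure
# MFA extension. Run elevated on the new server; VIP, client name and script path are placeholders.
$ErrorActionPreference = 'Stop'
$netscalerVip = '10.10.0.50'
$clientName   = 'NetScaler-VIP'

# 1. Dedicated NPS role. Do not reuse a server already doing Wi-Fi/VPN RADIUS: the MFA
#    extension hooks every request the server receives, not just the NetScaler's.
Install-WindowsFeature NPAS -IncludeManagementTools

# Register NPS in Active Directory so it may read users' dial-in properties (needs Domain Admin).
netsh nps add registeredserver

# 2. Long random shared secret. RADIUS hides the password and authenticates the request
#    with MD5 keyed by this secret, so a short or guessable one is the weak link on the wire.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

# 3. RADIUS client entry: only the NetScaler VIP may send requests with this secret.
New-NpsRadiusClient -Name $clientName -Address $netscalerVip -SharedSecret $sharedSecret
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# Show the secret once so it can be pasted into the NetScaler RADIUS action, then drop it.
Write-Host "Shared secret for $clientName (enter it on the NetScaler now): $sharedSecret"
Remove-Variable sharedSecret, bytes

# 4. After installing the NPS Extension for Azure MFA, enroll it against the tenant with the
#    script it ships (path is the installer's default and an assumption here); it prompts
#    for the tenant ID and creates the certificate and service principal.
# & 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'
```

Enter the same secret in the NetScaler RADIUS server definition along with the 10 second time-out, MSCHAPv2 password encoding and NAS ID from the list above; the time-out matters because the second factor adds the user's approval time to each request.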

VERBOSE: PowerShell meta provider initialization failed.
VERBOSE: PowerShell meta provider initialization failed.
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7302 char:25
+ …     $null = PackageManagement\Import-PackageProvider -Name $script:Nu …
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider

This usually means Windows PowerShell cannot reach the PowerShell Gallery to download the NuGet provider. The Gallery only accepts TLS 1.2, and older Windows PowerShell sessions do not offer it by default, so enable TLS 1.2 in the session before running Install-Module or Install-PackageProvider:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
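The full sequence that gets past the error, as an added example (not from the original post). It differs from the one-liner above in that it adds TLS 1.2 to the session's existing protocol set instead of replacing it, then installs the NuGet provider and checks that PowerShellGet can see it; the minimum provider version is the one Install-Module itself asks for:

```powershell
# Added example, not from the original post: enable TLS 1.2 for this session, install the
# NuGet package provider and confirm it is visible. Run elevated, or add -Scope CurrentUser.
$ErrorActionPreference = 'Stop'

# -bor adds TLS 1.2 to whatever the session already allows; `= Tls12` replaces the set.
# Either way the change lasts only for the current process.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the provider (this is the download that fails without TLS 1.2).
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

# Load it into the current session and verify PowerShellGet can find it.
Import-PackageProvider -Name NuGet -Force
$nuget = Get-PackageProvider -ListAvailable | Where-Object { $_.Name -eq 'NuGet' }
if (-not $nuget) { throw 'NuGet provider still not available; check proxy/TLS settings.' }
$nuget | Select-Object Name, Version

# From here module installs work, e.g.:
# Install-Module -Name AzureAD -Scope CurrentUser
```

To make this permanent for all .NET Framework code on the box rather than per session, set the DWORD `SchUseStrongCrypto` to 1 under `HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` (and the `Wow6432Node` equivalent), which makes TLS 1.2 the default for .NET 4.x clients.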


While diagnosing why an NPS server would not let a user in and returned Access-Reject, the event log gives the following reason:

An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

I recommend temporarily disabling the NPS MFA extension so that NPS itself evaluates the request and logs the real reason. Note that while the extension is disabled, NPS authenticates with the primary credential only, with no second factor, so keep the window short and test with a known account.

Disable the NPS MFA extension

  1. Stop the Network Policy Server service
  2. Create a backup of the key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
  3. Remove the values inside this key (do NOT remove the Parameters key itself)
  4. Start the Network Policy Server service

To re-enable the NPS MFA extension

  1. Stop the Network Policy Server service
  2. Import the backup of the key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
  3. Start the Network Policy Server service
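The two procedures above as functions, added here as an example (not the original post's steps). The Network Policy Server service is named IAS; the backup path is a placeholder, and the third function pulls the NPS reject events so the underlying reason can be read without opening Event Viewer:

```powershell
# Added example, not from the original post: disable/re-enable the Azure MFA NPS extension by
# clearing and restoring the AuthSrv\Parameters values, and read NPS reject reasons.
# Run elevated on the NPS server; the backup path is a placeholder.
$ErrorActionPreference = 'Stop'
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$keyWin  = 'HKLM\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'  # reg.exe syntax
$backup  = 'C:\Backup\AuthSrv-Parameters.reg'

function Disable-NpsExtension {
    Stop-Service -Name IAS
    reg.exe export $keyWin $backup /y | Out-Null          # backup first, overwrite if present
    # Remove every value (the extension registers AuthorizationDLLs and ExtensionDLLs here)
    # but leave the Parameters key itself in place.
    foreach ($name in (Get-Item -Path $key).GetValueNames()) {
        Remove-ItemProperty -Path $key -Name $name
    }
    Start-Service -Name IAS
    Write-Warning 'MFA extension disabled: NPS is now primary-factor only until Enable-NpsExtension runs.'
}

function Enable-NpsExtension {
    if (-not (Test-Path -Path $backup)) { throw "No backup at $backup; nothing to restore." }
    Stop-Service -Name IAS
    reg.exe import $backup | Out-Null
    Start-Service -Name IAS
}

function Get-NpsRejects {
    param([int]$Last = 10)
    # Event 6273 = "Network Policy Server denied access to a user"; its message carries
    # the Reason Code and Reason text that the extension's generic rejection hides.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last |
        Select-Object TimeCreated,
            @{ n = 'Reason'; e = { ($_.Message -split "`n" | Where-Object { $_ -match '^\s*Reason' }) -join ' ' } }
}

# Disable-NpsExtension
# ...retry the login from the RADIUS client, then:
# Get-NpsRejects -Last 5
# Enable-NpsExtension
```

Event 6273 only appears if NPS auditing is on; `auditpol /get /subcategory:"Network Policy Server"` shows whether it is, and `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` turns it on.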

 

Alternatively, you can always uninstall the NPS Extension for Azure MFA.

Retrying the access should then give a better reason in the event log, e.g. "The RADIUS request did not match any configured connection request policy (CRP)."

Once this is fixed you can re-enable (or reinstall) the extension and re-authenticate it against Azure AD.


If you host your Azure MFA User Portal outside the MFA Server, e.g. in a DMZ, the User Portal server talks to the MFA server's Web Service SDK over HTTPS and authenticates to it with a certificate. Make sure the TLS certificate on your MFA server is valid from the User Portal server's point of view. It may be self-signed on that server (it cannot come from the domain CA, because the DMZ server cannot talk to your domain), so you need to create a new one, transfer it securely to the User Portal server and install it in the Trusted Root Certification Authorities store. Otherwise the portal fails with:

System.Security.Authentication

This certificate cannot be verified up to a trusted certification
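The export, transfer check and import described above, as an added example (not from the original post). Only the public certificate leaves the MFA server; the thumbprint is compared on both ends before the file is trusted, and Test-Certificate then builds the chain the same way the SDK client will, including the hostname check. Thumbprint, hostname and paths are placeholders:

```powershell
# Added example, not from the original post: trust the MFA server's self-signed TLS certificate
# on the User Portal server. Thumbprint, hostname and file paths are placeholders.
$ErrorActionPreference = 'Stop'
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$certFile   = 'C:\SSL\mfaserver.cer'
$mfaHost    = 'mfa.corp.local'      # the name used in the SDK URL the portal is configured with

# --- On the MFA server -----------------------------------------------------------------
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
# Export-Certificate writes the public certificate only (DER .cer); the private key stays here.
Export-Certificate -Cert $cert -FilePath $certFile -Type CERT | Out-Null

# Copy $certFile to the User Portal server over an authenticated channel (not e-mail or a
# shared drop) and compare the thumbprint out of band before trusting it.

# --- On the User Portal server ---------------------------------------------------------
$imported = Import-Certificate -FilePath $certFile -CertStoreLocation 'Cert:\LocalMachine\Root'
if ($imported.Thumbprint -ne $thumbprint) {
    throw 'Thumbprint mismatch: the file is not the certificate exported from the MFA server.'
}

# Chain validation with the SSL policy and the SDK hostname: this fails if the name is not in
# the certificate's Subject/SAN even though the root is now trusted, which is the other common
# cause of the error above.
if (-not (Test-Certificate -Cert $imported -Policy SSL -DNSName $mfaHost)) {
    throw "Certificate does not validate for $mfaHost; check the Subject/SAN and expiry."
}
"Trusted: $($imported.Subject) until $($imported.NotAfter)"
```

Because the certificate is a self-signed leaf placed directly in Trusted Root, there is no CRL to check and nothing revokes it; note its expiry and repeat the procedure when you renew it on the MFA server.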


Azure Single Sign-On

Identifier (Entity ID): https://imanage.domain.com

Reply URL (Assertion Consumer Service URL): https://imanage.domain.com/api/v1/session/saml-login

Download the signing certificate file (.cer) from the Azure SSO configuration and store it on the iManage server, e.g. C:\SSL\

Registry hive: HKLM\SOFTWARE\Interwoven\WorkSite\imDmsSvc

SAML Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

SAML Endpoint: https://myapps.microsoft.com/signin/iManage%20SAML/xxxxxxx-xxxxxx-xxxx

SAML Key File: C:\SSL\iManageSAML.cer

SAML Logout Endpoint: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

SAML Web RP: https://imanage.domain.com
