Recently after creating a site with Virtual Machines sitting on a Vnet on the application Gateway , I could not add this subnet to be routable from the Virtual Network Gateway

The solution is to use Vnet peering to create a new subnet for the Virtual network gateways and peer this with the Application Gateway subnet 

You then need to enable Remote Gateways per below , so VPN clients can route to the Application Gateway Subnet via a route :

Connect two or more Azure Virtual Networks using one VPN Gateway – Apostolidis Cloud Corner (e-apostolidis.gr)

• No Comments

Recently we had moved some onpremise Server 2016 machines to Azure using ASR. When trying to activate them using the Microsoft steps

• cscript c:\windows\system32\slmgr.vbs /dlv
• cscript c:\windows\system32\slmgr.vbs /ipk WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY
• cscript c:\windows\system32\slmgr.vbs /ato

It did not work, we had to use Automatic Virtual Machine Activation (AVMA)

1. slmgr /ipk C3RCX-M6NRP-6CXC9-TW2F2-4RHYD
   

• No Comments

AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | summarize count() by ruleId_s, bin(TimeGenerated, 1m),requestUri_s | sort by TimeGenerated desc 

• No Comments

I got deployment failed when trying to change a SQL servers License from Express to Developer.

I checked the Server and it had developer license installed on SQL

Looking at the JSON

• No Comments

Login to Azure Active Directory. Locate Usage & insights , under Monitoring

Select “Users registerd for Multi-Factor Authentication”

Can also be done in powershell : https://dirteam.com/sander/2020/05/14/todo-optimize-the-azure-multi-factor-authentication-methods-used-throughout-your-organization/

Monitoring with PowerShell: Monitoring the used MFA type for O365/Azure.

• No Comments

Run Locally

Test and Download App

#Downloads the Docker File from Dock Hub

dock pull %dockerusername%/%dockername%:latest 

#Runs the Docker File on port 80 if the container is active on port 3000 ( Test go to http://localhost ) 

docker run -p 80:3000 %dockerusername%/%dockername%:latest

#List current dockers running

docker ps -a

#Stop the container by id ( found from above )

docker stop ad5b49ba5476

#Clear Stopped Containers

docker container prune

Upload App to Azure

**Create an Azure Container or reuse an existing one** 

**Run the below in Azure Shell**

#Show credentials for login and save username and password

az acr credential show --name %azurecontainer%

**Run on Docker PC**

#Login to Azure Docker

docker login %azurecontainer%.azurecr.io --username name %azurecontainer%

#Tag docker for upload

docker tag %dockerusername%/%dockername% name %azurecontainer%.azurecr.io/%dockername%:latest

#Push Docker to Azure

docker push name %azurecontainer%.azurecr.io/%dockerusername%/%dockername%:latest

Run in Azure

#Create Azure Service plan

az appservice plan create --name %serviceplanname% --resource-group %azureresourcegroup% --sku S1 --is-linux

#Add Docker App to Azure Service Plan

az webapp create --resource-group %azureresourcegroup% --plan %serviceplanname% --name %appname% --deployment-container-image-name %azurecontainer%.azurecr.io/%dockername%:latest

#Set the details to access the Docker

az webapp config container set --name %appname% --resource-group %azureresourcegroup% --docker-custom-image-name %azurecontainer%.azurecr.io/%dockername%:latest --docker-registry-server-url https://%azurecontainer%.azurecr.io --docker-registry-server-user %azurecontainer% --docker-registry-server-password %passwordfromshowcredential%

#Make the app live on its specific port e.g. 3000

az webapp config appsettings set --resource-group %azureresourcegroup% --name %appname% --settings WEBSITES_PORT=3000

Test the app

http://%appname%.azurewebsites.net/

• No Comments

• Install a new NPS Server ( cannot be existing as MFA will take over existing requests such as Wifi! ) 
• Installed Azure AD NPS Plugin and Enroll in Azure AD
• Add a Radius Client to the NPS server of the IP ( VIP ) of the Netscaler 
• Add the Radius server in Authentication – Set Timeout to 10Seconds , set Password to MsChapv2 Set NASID to MFA
• NPS Server Policies

• No Comments

VERBOSE: PowerShell meta provider initialization failed.
VERBOSE: PowerShell meta provider initialization failed.
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7302 char:25
+ …     $null = PackageManagement\Import-PackageProvider -Name $script:Nu …
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProv
   ider

Run this before

To enabled TLS 1.2,  you may need to run this before

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

• No Comments

Trying to diagnose an issue of a reason why an NPS server would not let a user in and come back with Access-Reject produces the following Reason in the event log

An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

I recommend

Disable NPS MFA Extension

1. Stop the Network Policy Server Service
2. Create a backup of the key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters’
3. Remove the values inside this key (DO NOT Remove the Parameters key itself)
4. Start the Network Policy Server Service

To Re-Enable the NPS MFA Extension

1. Stop the Network Policy Server Service
2. Import the backup of the key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters’
3. Start the Network Policy Server Service

You can always uninstall  NPS Extension for Azure MFA Plugin 

Retrying the access which should give you some better reason in the event log e.g. The RADIUS request did not match any configured connection request policy (CRP).

Once this is fixed you can reinstall the Plugin and re-authenticate it

• No Comments

 If you host your Azure MFA User Portal outside of your MFA Server e.g. in a DMZ , the User portal server has to speak to this MFA server via SSL using the SDK and also via a certificate. Make sure the SSL of you MFA server is valid. It might be self signed internally on that server ( cannot be from the domain as the DMZ server can’t speak to your domain ) so you need to create a new one and transfer it securely to the User portal and install it on the Trusted Root Authority 

System.Security.Authentication

This certificate cannot be verified up to a trusted certification

• No Comments