We have a setting defined in our Azure Cloud Service (csdef)
<ConfigurationSettings>
<Setting name="CDN" />
</ConfigurationSettings>
And it's value in the cscfg file
<ConfigurationSettings>
<Setting name="CDN" value="az12345.vo.msecnd.net" />
</ConfigurationSettings>
And in order for to work "outside" of Azure we have this in the web.config
<add key="CDN" value="localcdn" />
When the cloud service is deployed into Azure the value for CDN is "localcdn" and NOT the value that is in the cscfg file "az12345.vo.msecnd.net".
We have other cloud services with exactly the same setting which are resolved correctly, but this service refuses to.
My understanding from https://msdn.microsoft.com/en-us/library/microsoft.windowsazure.cloudconfigurationmanager.getsetting.aspx is that it will get the value from the cscfg when in Azure and web/app.config when it's not.
We are using Microsoft Azure Configuration Manager 3.1.0
Issue caused by Role Environment erroring
Related
I am trying to wire up Azure Key Vault in my ASP.NET (.Net Framework) MVC Web App using Visual Studio 2017 Community 15.7.5 Connected Service targeting .Net 4.7.2.
It adds a configBuilder with the name AzureKeyVault with an attribute called vaultName that throws a "The 'vaultName' attribute is not allowed." warning.
When I run the application I get an error that the configBuilders attribute on the appsetting tag is not good like so:
I am using the following package versions which are all current:
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
There is an update to Microsoft.Azure.Services.AppAuthentication but it is a preview and it caused dependency issues with other packages.
tldr; - you probably don't have the appropriate permissions to access the key vault.
In currently released versions of the .Net framework, detailed errors about config builders are not always easily discoverable in the ASP.NET yellow screen. We have changes in vNext to address this issue, but it is currently a problem for 4.7.1/2. For the time being, if you create a simple console app to read appSettings with the same config builder configuration, you should see more exception information in the stack that gets spit out.
Based on the yellow screen you posted though I would guess (and its really just an educated guess based on past reports and nothing specific in your case) you are running into an authentication issue in the Microsoft.Azure.Services.AppAuthentication library. When running in Visual Studio, that library can use your personal credentials to access the key vault. If deployed in Azure, they use a different magic technology to authenticate the application to the key vault. If you want to eliminate the "magic" and take more control over this, you can specify more detailed connection information with the 'connectionString' attribute. There is more information as well as a link to connection string details on our GitHub page (MicrosoftConfigurationBuilders).
As for the "The 'vaultName' attribute is not allowed." warning... it's just a warning. The .xsd that VS uses to validate configuration was not correctly updated to allow random attributes on configBuilder definitions. We hope to address this in a future VS release around the time that the next framework ships.
Steve Molloy was correct in that the Configuration Error was a red herring. I created a console app and the error messages were much better but they still required some investigation. Here's my Console App Code and packages:
static void Main(string[] args)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider
(azureAdInstance:"https://InsertAADSubscriptionName.onmicrosoft.com/");
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = keyVaultClient.GetSecretAsync(
"https://InsertKeyVaultName.vault.azure.net", "InsertSecretYouWantBack").GetAwaiter().GetResult();
}
<packages>
<package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
<package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime" version="2.3.13" targetFramework="net472" />
<package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.15" targetFramework="net472" />
<package id="Newtonsoft.Json" version="11.0.2" targetFramework="net472" />
</packages>
I put a breakpoint on the last bracket and kept looking for my secret value in the variable secret. I kept getting the following error indicating that Azure AD wasn't able to authenticate my local environment and return an access token.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried the following 4 methods to get an access token,
but none of them worked.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Managed Service Identity.
Unable to connect to the Managed Service Identity (MSI) endpoint.
Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Visual Studio.
Access token could not be acquired.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Azure CLI. Access token could
not be acquired. ERROR: Please run 'az login' to setup account.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net,
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Active Directory Integrated
Authentication. Access token could not be acquired. get_user_name_failed:
Failed to get user nameInner Exception : No mapping between account names
and security IDs was done
The problem was that since I was running the app locally I needed to be logged in to Azure CLI locally. To do this: first install Azure CLI on your machine, then go to a CMD or a PowerShell prompt and type az login and follow the instructions returned.
This did the trick; the console app was able to get an access token.
I tried it on my web app in the original question above and it worked as expected.
I am developing a Self-hosted .Net Core Rest API to be hosted in Docker Container in Service Fabric. I am unable to configure to SSL/Https in Service Fabric. Http seems to work. I am using HttpSys as web server, not Kestrel since I read it is not recommended option for services without reverse proxy(like IIS).
Here is the web server code snippet.
return WebHost.CreateDefaultBuilder(args)
.UseApplicationInsights()
.UseStartup<Startup>()
.UseHttpSys(
options =>
{
options.Authentication.Schemes = AspNetCore.Server.HttpSys.AuthenticationSchemes.None;
options.Authentication.AllowAnonymous = true;
}
)
.Build();
Here is ServiceManifest.xml Endpoints snippet.
<Endpoints>
<Endpoint Name="ServiceEndpoint" Protocol="http" Port="80" />
<Endpoint Name="ServiceEndpointHttps" Protocol="https" Port="443" Type="Input" CertificateRef="SSLCertificate" />
</Endpoints>
Here is ApplicationManifest EnvironmentVariable snippet.
<EnvironmentVariable Name="ASPNETCORE_URLS" Value="https://*:443/;http://*:80/"/>
Here is ApplicationManifest.xml Policies snippet.
<Policies>
<ContainerHostPolicies CodePackageRef="Code">
<RepositoryCredentials AccountName="accountname" Password="password" PasswordEncrypted="false" />
<PortBinding ContainerPort="80" EndpointRef="ServiceEndpoint"/>
<PortBinding ContainerPort="443" EndpointRef="ServiceEndpointHttps"/>
</ContainerHostPolicies>
<EndpointBindingPolicy CertificateRef="SSLCertificate" EndpointRef="ServiceEndpointHttps" />
</Policies>
Here is ApplicationManifest.xml Certificates snippet.
<Certificates>
<EndpointCertificate Name="SSLCertificate" X509FindValue="cert thumbprint"/>
</Certificates>
Initially, I had issues with Certificate deployment when I had SSL certificate only in CurrentUser\My Certificate Store. I resolved it after deploying the certificate in LocalMachine\My Certificate Store. With this fix, Service seems to be working only with HTTP protocol in Port 80, not with HTTPS protocol in Port 443.
Service Fabric Explorer doesn't show any error and no errors in Events Log also. I am facing this issue in both Local Service Fabric and in Azure Service Fabric instances.
Any thoughts/pointers on this would be appreciated.
Using Service Fabric for container and https could follow this doc.
It will inject the certificate into the container as environment variables.
But for linux clusters, there is a problem. The Certificates_ServicePackageName_CodePackageName_CertName_PEM and Certificates_ServicePackageName_CodePackageName_CertName_PrivateKey represented files are having the exact same content.
I'm waiting for the Azure China supporter for further clarification on this, not sure if it's a China specific problem.
I recently created a Powershell script that deploys my Web Application (ASP.NET MVC) to Azure. It works like it should, but I figured out that it would improve the script a lot by being able to change the endpoint in the Web.config file during deployment, i.e. the script prompts the user for the address. The Web.config section looks like this:
<system.serviceModel>
<client>
<endpoint address="http://localhost:10421/MyService" binding="binding" bindingConfiguration="foo" contract="bar" name="id" />
</client>
</system.serviceModel>
I would like to change the endpoint address with my script.
Use the Get-Content cmdlet to load your configuration file, access the property and change it and finally write it back using the Set-Content cmdlet:
[xml]$content = (Get-Content 'your_file')
$content.configuration.'system.serviceModel'.client.endpoint.address = 'YourNewAdress'
$content | Set-Content 'your_file'
Note: I asume that the system.serviceModel is within the configuration node. If not, omit that.
I have a project that uses a combination of these tools:
==================================
Azure website
Azure Blob
Azure CDN
UmbracoAzureBlobStorage - 1.0.10.5 - https://github.com/idseefeld/UmbracoAzureBlobStorage
WindowsAzure.Storage - 4.3.0
Umbraco - 7.2.5 assembly: 1.0.5610.18894
idseefeld.de.UmbracoAzure - 1.0.0.0
https://our.umbraco.org/projects/backoffice-extensions/azure-blob-storage-provider/
==================================
config/FileSystemProviders.config
<FileSystemProviders>
<!-- Media -->
<Provider alias="media"
type="idseefeld.de.UmbracoAzure.AzureBlobFileSystem, idseefeld.de.UmbracoAzure">
<Parameters>
<add key="containerName" value="media" />
<add key="rootUrl" value="http://az739977.vo.msecnd.net/" />
<add key="connectionString" value="DefaultEndpointsProtocol=https;AccountName=XXX;AccountKey=XXX" />
</Parameters>
</Provider>
</FileSystemProviders>
==================================
The file upload is working as expected at start. But after sometime, and of course few uploads, it looks like our files are deleted from the blob and the CDN cannot serve them anymore.
Is there something I'm missing? I have almost the same configuration in another project and it's working as expected. I tried reinstalling the whole thing but the problem occurs everytimes.
https://our.umbraco.org/projects/backoffice-extensions/azure-blob-storage-provider/ show us configuration that point directly to the blob, not the CDN as I do. Should I take a look at this?
Uninstall-Pacakge UmbracoAzureBlobStorage
Uninstall-Package idseefeld.de.UmbracoAzure
Install-Package UmbracoAzureBlobStorage
Solved the problems. The project referenced the "idseefeld" DLL. It was kinda weird.
I'm trying to get Elmah working under ASP.NET MVC and I thought I had.
I used the very convenient Elmah MVC project which automatically setup my web.config file.
Now if I run the project under IIS Express then Elmah works just perfectly.
I can access it with the correct Authorisation and the logs are stored in my SQL Database.
However when I try and run it under IIS 7.5 I get an:
An HTTP 500.19 Internal Server error
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x800700b7
Config Error Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'ErrorLog'
Config File web.config
Config Source:
111: <modules>
112: <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
113: </modules>
I'm baffled as to why this might be. As a test I've created a brand new clean MVC project and it reacts exactly the same way.
do a
<remove name="ErrorLog"/>
before the
<add />
to get rid of any default defined entries named ErrorLog in the modules section of your web.config file.