I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local develop environment.
As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster.
I am using .net core 2.1 in service fabric and getting below mentioned exception.
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
Visual Studio Token provider can't be accessed at C:\Users\Default\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
VisualStudioCodeCredential authentication failed: A specified logon session does not exist. It may already have been terminated.
Services are likely running under the built-in 'NetworkService' account, which cannot access the CLI for credentials because it has run in your user session.
Try creating machine level environment variables to access the vault:
Create a service principal with a password. Follow steps here to create a service principal and grant it permissions to the Key Vault.
Set an environment variable named AzureServicesAuthConnectionString to RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret. You need to
replace AppId, TenantId, and Secret with actual values from step #1.
Run the application in your local development environment. No code change is required. AzureServiceTokenProvider will use this
environment variable and use the service principal to authenticate to
Azure AD.
Don't forget to restart, so the environment variables are added to all processes.
As the document shows about DefaultAzureCredential, Environment and Managed Identity are deployed service authentication. Azure CLI needs to login with your Azure account via the az login command.
So, Environment and Managed Identity are appropriate for you. For example, Using the environment needs to set Environment Variables first, see here. Then you could create a secret client using the DefaultAzureCredential.
// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new DefaultAzureCredential());
I was able to get this working with with local service fabric development by opening Services.msc on my local development machine and configuring the 'Service Fabric Host Service' to run as my local user account rather than the default local service.
Only then would DefaultAzureCredential work for picking up the Az CLI login.
Related
my connection string in user secret
No problem at local
but is publish and upload in server error
ArgumentNullException: Value cannot be null. (Parameter 'connectionString')
user secrets is only for development and not intended for production.It doesn't encrypt the stored secrets and stored in a JSON configuration file in the user profile directory.
For production , usually you can use JSON file(appsettings.json/appsettings.{Environment}.json), environment variables, and Azure Key Vault(which is recommended), please read below article for more details about configuration providers in asp.net core :
Configuration in ASP.NET Core
It seems the connectionStrings section is not yet configured at production machine. So you must store connection strings into Web.config file at production machine.
Connection Strings and Configuration Files
Besides that, you can protect the configuration by encrypt it using protected configuration.
Encrypting Configuration Information Using Protected Configuration
User secrets used for development security and it doesn't transfer/publish with your app (to GitHub or to IIS), they are stored in your local profile. If you are looking for securing your credentials & sensitive data the better way is to use Azure Key Vault (see Manage User Secrets)
I have created a batch job and created the iorganisationservice object by just adding the service reference.
This works when I run it on visual studio while debugging, but when I copy the exe on the server and run it gives error:
The caller was not authenticated by the service.::Inner Exception::The request for security token could not be satisfied because authentication failed.
At line: contactEntityCollection = client.RetrieveMultiple(fetchExp);
Please help.
Whatever security context the exe is running under on the server will need to be a valid user in CRM. If it's a windows service set the account to a user other than LocalSystem in the services MMC tool. If it's running as a web application set the Application Pool to the dedicated account. If it's a scheduled task set it in the configuration of the task.
You can also specify an instance of the ClientCredential class providing username and password but I'd highly recommend you avoid this route as you'll be responsible for securing the password within your application.
I have a web application that calls an object of a referenced dll/api that calls a wcf service.
Machine 1 = where the wcf service resides
Machine 2 = IIS server, the web application that uses the api that calls the service from Machine 1
My code:
using (WindowsAuthenticationContext ctx = identity.Impersonate()){
//Call to the API goes here
}
When I access the website from Machine 2(IIS Server), It works. But when I access the website from another client machine, it gives me an error "The Request Token Could not be satisfied".
NOTE: The api is already final, and cannot modify it anymore.
Any help would be greatly appreciated.
Thanks
You cannot do NTLM and then Kerberos over multiple hops (servers). You need to use Kerberos to delegate windows authentication over all the hops.
You need to configure SPNS to enable kerberos to delegate authentication across machines.
To configure these, you will have to issue the following commands - assuming you have right to modify AD:
SETSPN -S HTTP/Machine1 ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine1.domainname.com ADDomain\AppPoolCredential1
SETSPN -S HTTP/Machine2 ADDomain\AppPoolCredential2
SETSPN -S HTTP/Machine2.domainname.com ADDomain\AppPoolCredential2
Where ADDomain\AppPoolCredential is the credential of the app pool - note you cannot use Network Service as the app pool credential to get Kerberos delegation to work. You need to use a domain account.
IN AD, you need to enable the following objects for allow Kerberos Delegation:
ADDomain\AppPoolCredential1
ADDomain\AppPoolCredential2
Machine1
Machine2
For more information, see here
NTLM works in the machine with the local security context. If you want to use NTLM over different machines these machines should share the same security context like Active Directory Domain. If your site (where machines are in) does not have the same security context this would not work. You can use client certificate by changing the service's config. Not changing the dll or code.
My web appkication has the following set up..
WCF application hosted on IIS7
Basic HTTP binding - SecurityMode = TransportCredentialOnly and ClientCredentialType = Windows.
.Net 4.0
The app runs in a .Net 4.0 Application Pool using "ApplicationPoolIdentity".
IIS connects to the file system using "Application Pass Through" authentication.
The client and service both run under IIS - that is the client is a webste and the service is an IIS hosted WCF service.
What I would like to understand is that what user accounts are used at the various points in authenticating too and using the service.
I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?
No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?
If so then what would happen if the two sites use two differnet app pools?
Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?
If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?
Also,,,
What identity is used for the file system?
What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.
Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.
Thanks in advance.
I understand that ApplicationPoolIdentity is a built in Windows
account that is generated for each created application pool - is this
the account under which w3wp.exe will run for the website?
Yes it is. That is called a virtual account which allows IIS to create unique accounts for each defined application pool, also a security identifier is created representing the application pool name. Keep in mind that this is not real user account. For more information about it you can check the following link: http://technet.microsoft.com/en-us/library/dd548356.aspx
No credentials are specified between clent and server - and this is
the most interesting point. When my client connects to my WCF
application what identity is used to authenticate to the service. I
presume the application pool identity of the app pool hosting client
website?
Yes, same rule applies as for using Local Service account or Network Service account.
If so then what would happen if the two sites use two differnet app
pools?
Nothing, unless you elevate the rights of those application pools identities.
Or does the service just require a valid account on the machine (or
domain) and that is good enough to authenticate?
Then you are not going to use the default virtual accounts created for your application pools. Instead you will associate those application pools with existing windows accounts. Keep in mind what sort of permissions those windows/domain accounts have.
If I changed the application pool to use a specific user account does
this change anything? Again I presume as long as the client passes a
valid machine account is that ok?
It would work just fine as long as those accounts will have permissions according to your needs.
What identity is used for the file system?
Define with more details what you mean by file system; are you referring strictly at your application directory?
What permissions does "ApplicationPoolIdentity" have on the machine
and for the file system.
ApplicationPoolIdentity is a member of Users and IIS_IUSRS groups so will "inherit" the permissions of the previously mentioned groups.
Finally in the case of SQL Server Integrated security what identity is
passed through to SQL server if my service talks to an SQL Server
database.
ApplicationPoolIdentity or the account you have configured to be used by your application pool.
When I run my WCF service on my local machine, it works fine. When I deploy the same files to our test server, I get this error when my test client tries to connect to the WCF service:
Security Support Provider Interface (SSPI) authentication failed. The
server may not be running in an account with identity 'host/Server01'.
If the server is running in a service account (Network Service for
example), specify the account's ServicePrincipalName as the identity
in the EndpointAddress for the server. If the server is running in a
user account, specify the account's UserPrincipalName as the identity
in the EndpointAddress for the server.
What does this mean and what area should I be looking to fix? I played around with the web.config identity section, but I'm still unsure what is needed.
I got a similar error before but the message is somewhat different
Right click on the application pool the web site is running under, click on Property then go to the Identity tab. Try to put the "host/Server01" identity in and see if that helps.
This error can also happen for Microsoft Dynamics GP Web Services. In our case, it turns out that the person who set up the GP Web Services used his personal user account as the service account. When he changed his password, it broke the web services.
So, check your user identity and password if your web service used to work but no longer works.