We are using EV2 to deploy ARM template for creating VNets (e.g., vnet-prod-v0), and got below deployment failure today, which breaks our release pipelines:
Error: Code=InvalidResourceName; Message=Resource name is invalid. The name can be up to 80 characters long. It must begin with a word character, and it must end with a word character or with ''. The name may contain word characters or '.', '-', ''.
This there a new VNet naming rule created? Because this rule is not listed in your documentation: https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#create-a-virtual-network
I have faced a similar issue when I edit my application gateway trust root cert name on the Azure portal. I also have edited Azure VNet name without any such error in the Azure portal. I don't believe the Azure Virtual network name has a new naming convention, see naming rules and restrictions about the network. Perhaps, the error message is coming from other resources' name instead of Azure Vnet name.
Related
I setup a peer-to-peer replication topology on 2 IBM LDAP servers (Version 6.4). It works, both ways, with simple attribute modifications like changing description or displayName attributes. But it blocks when I add a new entry on either server. I checked the logs and see an error 50 (insufficient access) for the change. The audit logs show an "extra" operational attribute, ibm-entryuuid, are added to the other server, which maybe causes the error.
It also blocks when I try to login on an account with an invalid password. I get an error 65 (object class violation). This is maybe because the password policy mechanism modifies/adds/deletes certain operational attributes(e.g. PWDFAILURETIME)
The schema files are the same for both servers. And both servers are cryptographically synched.
I use JXplorer to test. I use admin credentials.
What should I do to allow these operations to replicate? Thanks in advance for any help.
Update:
I have checked the supplier credentials and when I tried to change the ibm-slapdmasterdn and ibm-slapdmasterpw, I get an Already Exists error. What do I do?
I found the problem. I didn't quite understand what the credentials attributes meant until I re-read the IBM tutorial. I was trying to modify the replica DN to the admin DN, that's why I got the error.
It replicates smoothly now.
There is an Azure VM encrypted disk with Bitlocker in North Europe. Everything has replicated well in West Europe. While doing Test Failover, getting below error.
Failover Error: ID28031
Error Message: Virtual machine XXX-AZ-WEB01-test' could not be created under the resource group 'XXXX-Destination-RG'. Azure error message: 'Key Vault https://XXX-keyvault-ne.vault.azure.net/keys/Bitlocker/XXXX either has not been enabled for Volume Encryption or the vault id provided does not match /subscriptions/XXXX-XX-XXXX-XXX-XXXX/resourceGroups/XXX-Destination-RG/providers/Microsoft.KeyVault/vaults/XXX-KEYVAULT-WE's true resource id. (Provisioning failed)'.
Things are already in place what is showing in error.
Volume encryption has enabled in both source and destination Key vault.
The user has assigned all the permission as per this doc.
Thanks in advance.
Based on the Error message Failover failed with Error ID 28031 due to Quota and also check
Are you trying to do failover to different resource group or key vault? When restoring the vm, and encrypting it with the existing keys again trying to store the keys in the target keyvault
Have a crosscheck if required user KeyVault permissions as mentioned in https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms#required-user-permissions.
While enabling mentioned KeyVault permissions (on primary & recovery) under access policies, please enable volume encryption under advanced access policies (to make failover to work).
Also try to create manually the Resource Group & Storage Account post which Enable Replication was successful.
There is some limitation in KeyVault which is making the failover to fail: https://github.com/Azure/azure-cli/issues/4318
Kindly let us know if the above helps or you need further assistance on this issue.
The mistake was that destination KeyVault was created and keys were imported manually. The destination Keyvault must be created by the script provided below.
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms#copy-disk-encryption-keys-to-the-dr-region-by-using-the-powershell-script
Once I created the destination KeyVault by script, everything goes smoothly.
The goal here is to: Assist client in configuring his Key Vault so that he would be able to enable TDE encryption and access it over the government portal url
Customer Verbatim:
"I am running into an issue when trying to enable TDE for SQL Server 2016. I have attached a few files with show the problem. Basically the problem is when SQL tries to connect to the Azure Key Vault it is using the public suffix (azure.net) instead of the the govcloud suffix (usgovcloudapi.net).
How do I force it to use the correct URL?"
https://vant4gekeyvault.vault.usgovcloudapi.net/
I think the issue is this is a gov tenant and he's stuck using the commercial URL but we were unable to force the correct URL. I sent him instructions on how to
Set-AzureRmEnvironment for AzureKeyVaultServiceEndpointResourceId as *.vault.usgovcloudapi.net, should be https://vault.usgovcloudapi.net.
but that didn't seem to work. I may be way off on this assumption too, as I'm not really that great in KV. Any Ideas or a known fix?
Here is his error message:
---SQL
Msg 33049, Level 16, State 2, Line 17
Key with name 'SqlTDEKey' does not exist in the provider or access is denied. Provider error code: 2058. (Provider Error - No explanation is available, consult EKM Provider for details)
---EVENT LOG
The description for Event ID 2 from source SQL Server Connector for Microsoft Azure Key Vault cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Vault Name: EKM Operation
Operation: SqlCryptGetKeyInfoByName
Key Name: N/A
Message: Error when accessing registry:5
Read the message again, the account doesn't have permission to modify the registry. It's an issue introduced in the feb release of the connector. I ran into a similar issue, the provider tries to create a registry key but doesn't have permissions to do so, therefore it fails. Try the following steps taken from this blogpost [1]
Open regedit
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Create a new Key called “SQL Server Cryptographic Provider” (without quotes)
Right click the key, from the context menu select ‘permissions.
Give Full Control permissions to this key to the Windows service account that runs SQL Server
[1] https://www.visualstudiogeeks.com/devops/SqlServerKeyVaultConnectorProviderError2058RegistryConsultEKMProvider
I have attempted to send an organisational certifier as a mail attachment, and the Domino server denies it as an "attachment type policy violation". There is nothing explicit in the server configuration that would explain this. Other .id files are delivered without problem, and editing the name of the file so that "cert" does not appear as a substring in the file name does not help - the file is denied delivery even if the name entirely obscures its nature (e.g. "xx.id"). Only when I change the extension as well ("xx.yy") is it delivered successfully.
Can anyone explain this behaviour? It looks as though there is a hard-coded policy against sending certifiers by mail, but is that really the case?
The only place Domino could reject the mail is thru a router rule specified in the configuration document (Domino Directory -> Configuration Document -> Router/SMTP -> Restrictions and Controls -> Rules)
Other than that, there must be a Domino-external scanner which checks the file name or file content.
As far as I can see, that message isn't from Domino at all. When searching the Internet for "attachment type policy violation" (with the double quotes), I only find it in conjunction with Exchange 2010 servers. And your question of course.
Can you confirm that all mail servers in this case are Domino servers? Can you check the headers of the returned mail, in order to find out where the mail bounced? Can you check the log.nsf database of the Domino server, both under Mail Routing and Miscellaneous, to see if there's a message about the mail being rejected?
IMHO you should be barking up some Microsoft tree...
I have WebLogic 11G (10.3.6) on Linux Server and SQL Server 2012 on Windows 2012. I would like to create the connection pool to SQL Server from WebLogic using Windows Active Directory Kerberos authentication.
I am looking for steps to accomplish the above. I found information in bits and pieces but looking for clear steps. Any help is greatly appreciated.
I have access to WebLogic 10.3.3. So all version numbers are according to that. But the principals are the same.
Login through the console
Lock and Edit. If this isn't a production mode server, you won't need to do this.
Go to Services > JDBC > Data Sources and click "New".
Give it a name and JNDI name. I probably don't need to mention that the JNDI name is the important one. Also, choose the "Database Type" as "MS SQL Server".
Next you'll have to choose the driver. I didn't observe anything about distribute transactions in your question. Thus, I'm assuming you won't need an "XA" driver.
Again, I didn't see anything about Global Transactions in your quesiotn. So in the next step, disable it.
Next is the information about your Database; its name, Host's IP, and Port. If you have a named instance, add the name after the IP like this: \\instance_name. Since you want to use Kerberos, don't enter the Username and Password.
In the next step, you need to tell your datasource to use kerberos. Add ";AuthenticationMethod=kerberos" to end of the URL field. Connection properties are separated with a ";". For example, jdbc:sqlserver://192.168.10.56:17888;AuthenticationMethod=kerberos
Next, specify which Servers in your Domain will have access to this DataSource. Basically, specifying the DataSource's target servers.
Side notes and other important settings:
When you specify the "AuthenticationMethod" connection property with the value of "kerberos", any username or password will be ignored.
Your database server must be administered by the same Domain Controller that administers the Weblogic server.
Under $WL_HOME/server/lib find krb5.conf (Kerberos configuration file containing values for the Kerberos realm and the KDC name for that realm) and open it in a text editor. Specify the system properties java.security.krb5.realm and java.security.krb5.kdc. In Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.
The application and driver code bases must be granted security permissions in the security policy file of the Java 2 Platform. Something like this:
grant codeBase "file:/WL_HOME/server/lib/-" {
permission javax.security.auth.AuthPermission
"createLoginContext.DDTEK-JDBC";
permission javax.security.auth.AuthPermission "doAs"
permission javax.security.auth.kerberos.ServicePermission
"krbtgt/your_realm#your_realm", "initiate";
permission javax.security.auth.kerberos.ServicePermission
"MSSQLSvc/db_hostname:SQLServer_port#your_realm", "initiate";
};
where:
WL_HOME is the directory in which you installed WebLogic Server.
your_realm is the Kerberos realm (or Windows Domain) to which the database host machine belongs.
db_hostname is the host name of the machine running the database.
SQLServer_port is the TCP/IP port on which the Microsoft SQL Server instance is listening.
I must say though I don't think you searched hard enough. Because almost everything I wrote here came from the online documentation:
http://docs.oracle.com/cd/E12839_01/web.1111/e13753/mssqlserver.htm