After creating a new HDInsight Cluster, I am receiving the following error when I provide the authentication information and try to access the HDInsight web portal at https://{Cluster Name}.azurehdinsight.net/
403 - Forbidden: Access is denied.
I have tried recreating clusters, different browsers, and clearing the browser cache, but have not been able to log in. Please suggest.
The interactive console has been discontinued and the team now recommends the usage of Windows Azure PowerShell
http://www.windowsazure.com/en-us/documentation/articles/hdinsight-submit-hadoop-jobs-programmatically/
You mention clearing browser cache, have you also tried clearing cookies as well? I have had this problem after a failed login to the HDInsight portal and needed to clear cookies and cache.
Also, if you have an Active Directory integration and are trying to log in with a domain account, try logging in with the cluster user that you created at deployment instead.
Use the Windows Azure management portal instead, https://manage.windowsazure.com.
Related
I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local development environment.
As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster.
I am using .NET Core 2.1 in Service Fabric and getting the exception below.
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
Visual Studio Token provider can't be accessed at C:\Users\Default\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
VisualStudioCodeCredential authentication failed: A specified logon session does not exist. It may already have been terminated.
Services are likely running under the built-in 'NetworkService' account, which cannot access the CLI for credentials because it has run in your user session.
Try creating machine level environment variables to access the vault:
1. Create a service principal with a password. Follow steps here to create a service principal and grant it permissions to the Key Vault.
2. Set an environment variable named AzureServicesAuthConnectionString to RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret. You need to replace AppId, TenantId, and Secret with actual values from step #1.
3. Run the application in your local development environment. No code change is required. AzureServiceTokenProvider will use this environment variable and use the service principal to authenticate to Azure AD.
Don't forget to restart, so the environment variables are added to all processes.
As the document shows about DefaultAzureCredential, Environment and Managed Identity are deployed service authentication. Azure CLI needs to log in with your Azure account via the az login command.
So, Environment and Managed Identity are appropriate for you. For example, using the environment requires setting environment variables first, see here. Then you could create a secret client using the DefaultAzureCredential.
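using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
// Create a secret client using the DefaultAzureCredential (Key Vault hosts end in vault.azure.net)
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential());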
I was able to get this working with local Service Fabric development by opening Services.msc on my local development machine and configuring the 'Service Fabric Host Service' to run as my local user account rather than the default local service.
Only then would DefaultAzureCredential work for picking up the Az CLI login.
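A diagnostic for the failure discussed in this thread, as an added example that is not part of any of the posts: it tries each credential on its own under whatever account the service runs as, so you can see which one the DefaultAzureCredential chain can actually use. The class name CredentialProbe is hypothetical, and it assumes an Azure.Identity version that includes AzureCliCredential.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper (not from the thread): call CredentialProbe.Run() from service startup.
public static class CredentialProbe
{
    // Scope for Key Vault data-plane tokens.
    private static readonly TokenRequestContext VaultScope =
        new TokenRequestContext(new[] { "https://vault.azure.net/.default" });

    public static void Run()
    {
        // Under a local Service Fabric cluster this is the service account,
        // not the developer who ran `az login`.
        Console.WriteLine($"Running as: {Environment.UserDomainName}\\{Environment.UserName}");

        var candidates = new Dictionary<string, TokenCredential>
        {
            // Reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.
            ["Environment"] = new EnvironmentCredential(),
            ["ManagedIdentity"] = new ManagedIdentityCredential(),
            ["AzureCli"] = new AzureCliCredential(),
        };

        foreach (var pair in candidates)
        {
            try
            {
                AccessToken token = pair.Value.GetToken(VaultScope, CancellationToken.None);
                // Never log the token itself; the expiry is enough to prove success.
                Console.WriteLine($"{pair.Key}: OK, token expires {token.ExpiresOn:u}");
            }
            catch (CredentialUnavailableException ex)
            {
                // The credential is not configured or not reachable from this account.
                Console.WriteLine($"{pair.Key}: unavailable - {ex.Message}");
            }
            catch (AuthenticationFailedException ex)
            {
                // The credential was found but Azure AD rejected it.
                Console.WriteLine($"{pair.Key}: failed - {ex.Message}");
            }
        }
    }
}
```

Run it once from a console in your own session and once inside the service: a credential that succeeds in the first and is unavailable in the second depends on your user profile rather than on machine-level configuration.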
WebLogic and LDAP are integrated, I can see users and groups in the Console security realm. Setup was minimal - simply added and set specs for an AD provider, nothing else.
However, all username combinations I've tried end up in wrong user/password in the analytics login screen, and "access denied" in the BI cluster log.
So what should be the username syntax that AD accounts are to enter? I am trying to allow any AD account to be able to login at this point.
UPDATED per @Chris's request:
WL version 12.2.1
Documentation: very vague help screens from the WL console, missing the part I'm trying to figure out specifically
Error from the managed server log/obis1: BI security access is denied - web service credentials are invalid
The account works, however, in Windows Network, AD Server, and is visible inside WL with its specific AD group.
The correct answer to this: you can use the same exact credentials you would while logging in to the AD server directly. Getting an "invalid user/password" error can be indicative of a lot of other problems stemming from the LDAP Authenticator configuration.
I am attempting to log into an Azure SQL Database using SSMS. I need to be able to log into the database with Active Directory Integrated Authentication. When attempting to login:
I receive this error:
Failed to authenticate the user NT Authority\Anonymous Logon in Active Directory (Authentication=ActiveDirectoryIntegrated).
Error code 0xCAA90002; state 10
WSTrust response does not have recognized SAML assertion. (.Net SqlClient Data Provider)
The following are true:
I am the Active Directory admin in the Azure SQL Server.
The Azure SQL Server Firewall accepts all IP addresses
I am specifying a database under the connection properties tab
I have .NET 4.6 and I'm using SSMS v17.1
Authentication works if I use "Active Directory Universal Authentication".
Any ideas?
Thanks.
This issue is with the AD Syncing options. In my environment, AD is not syncing passwords into the tenant. This prevents AD Integration Authentication and AD Password Authentication. The only authentication that works in this instance is AD Universal Authentication.
This may be due to the old API of ADALSQL.dll that is used by SSMS for Active Directory password. The fact that Active Directory Universal (which uses newer API from ADAL.net) works indicates the issue is in the AD library, not SQL.
I had the same error message, and it turned out to be caused by a password expiry.
As soon as I renewed the password, the error message disappeared.
I am trying the code sample from https://github.com/OfficeDev/Microsoft-Graph-ASPNET-Webhooks and it is working fine on ngrok, but I get this issue on Azure when creating a subscription.
Any suggestions to look into?
The error appears to be related to the app permissions. Check the application permissions for the proper level of access to the resource. For example, set the "Read user mail" permission if you want to subscribe to email notifications. Also ensure that the token being used for creating the subscription has access to the resource.
This is related to the permissions in the token and not a hosting difference between Azure or ngrok.
I'm writing a web application and I want to get all users using Azure Graph API. Which permissions are required? Does admin have to consent?
At the very least, your application would need the Read Directory Data permission, which you will set up in the Azure Portal when configuring your application.
Does admin have to consent?
Yes, the admin would have to consent.