Azure / SimuLand

Understand adversary tradecraft and improve detection strategies
MIT License

Failed deployWinADFS Deployment #12

Closed hacknorris closed 3 years ago

hacknorris commented 3 years ago

I've gotten this specific deployment to work at least once (was able to validate endpoints registered in MDE, and workstation and ADFS were domain joined, and validated ADFS was working by signing in from the workstation with the ADFS user account, and Sentinel was connected.) I was not seeing MDI agents deployed, so restarted. But I have gotten this error at least 3 separate times where the deployment fails on ADFS01/SetUpADFS and DC01/SetUpDC. Any thoughts on troubleshooting or what I need to change? It's erroring on VM extensions for both. I see resources created -- but ADFS service is not running.


{ "status": "Failed", "error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'SetUpADFS'. Error message: \"Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot " } }

{ "status": "Failed", "error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'SetUpDC'. Error message: \"Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot " } }

Cyb3rWard0g commented 3 years ago

Hello @hacknorris !

Interesting. For ADFS setup and DC, it adds the PFX URL to the scripts array that it needs to download on both servers

https://github.com/OTRF/Blacksmith/blob/master/templates/azure/Win10-AD-ADFS/azuredeploy.json#L427

Can you do me a favor? Can you copy the link you set here, and put it in your browser to download the file locally?

https://github.com/Azure/SimuLand/blob/main/2_deploy/aadHybridIdentityADFS/azuredeploy.json#L216

I have the feeling that file URL is not working. It makes sense why both servers would fail to download all the files when it starts the setup. I can see the other workstations worked fine and did not get a 404 message. Therefore, all the other scripts that it downloads seem to be fine.

Let me know if the BlobSasURL link works for the PFX cert. Maybe the other BlobSasUrl links that point to MDE and MDI installers are not working either.

hacknorris commented 3 years ago

Thank you @Cyb3rWard0g! Re-checked and re-tested the SAS URLs -- before the deployment. Seems to have done the trick! Awesome stuff!
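
The check described in this thread (testing each Blob SAS URL before starting the deployment) can be scripted. The following is an added example, not part of the issue or the SimuLand code; the function names and the sample URL are constructed, and it assumes ad hoc SAS tokens that carry their own `sp`, `st` and `se` parameters. `check_sas_url` inspects the token offline, while `probe` performs the same download the VM extension would attempt and returns the HTTP status, which is the only way to catch a wrong blob path.

```python
"""Pre-flight check for Blob SAS URLs passed to an ARM deployment (added example)."""
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample value, not a real storage account or signature.
SAMPLE_URL = ("https://example.blob.core.windows.net/certs/adfs.pfx"
              "?sp=r&st=2021-05-01T00%3A00%3A00Z&se=2021-06-01T00%3A00%3A00Z"
              "&sv=2020-02-10&sr=b&sig=CONSTRUCTED")


def _sas_time(value):
    # SAS times are ISO 8601 UTC, date-only or with a trailing "Z".
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_sas_url(url, now=None):
    """Return a list of problems that can be found without network access."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if "sig" not in query:
        problems.append("no sig parameter: not a SAS URL")
    if "r" not in query.get("sp", [""])[0]:
        problems.append("sp lacks read permission")
    if "se" not in query:
        problems.append("no expiry (se)")
    elif _sas_time(query["se"][0]) <= now:
        problems.append("expired (se)")
    if "st" in query and _sas_time(query["st"][0]) > now:
        problems.append("not yet valid (st)")
    return problems


def probe(url, timeout=10):
    """Request the first byte only; return the HTTP status code received."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status  # 200 or 206 means the file is downloadable
    except urllib.error.HTTPError as err:
        return err.code  # e.g. the 404 reported by SetUpADFS and SetUpDC
```

Run `check_sas_url` and then `probe` on every SAS URL parameter (PFX certificate, MDE and MDI installers) before deploying; a clean offline check with a 404 from `probe` points at the blob path rather than the token.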