Open ArcturusZhang opened 4 years ago
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @axayjo.
@amjads1, could you look into this issue?
I'm having a similar issue. I can install the extension via az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows
on Azure CLI 2.9.0, but not through ARM template deployment. Upon ARM template deployment, I get the error
"message": "The handler for VM extension type 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' has reported terminal failure for VM extension 'Microsoft.Azure.ActiveDirectory.AADLoginForWindows' with error message: 'Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version 0.4.1.1) with exception Command C:\\Packages\\Plugins\\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\\0.4.1.1\\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: -2145648639'.\r\n \r\n'Install handler failed for the extension. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot'"
Looking into this issue and hoping to have an update asap.
I have reached out to the extension owners, awaiting on the response.
Adding @srrstepe who is working on this issue. Can you please share more details and the information you are looking from the user?
Currently there is an issue in Azure Device Registration service where the device registration requests would fail if the resource name is greater that 15 characters. This issue has been fixed and currently under deployment.
Looking a the resource group name “ rg-d-we1-wherescape-poc”, I am assuming the resource name would have been greater than 15 characters as well. In order to confirm if the issue being seen by @ArcturusZhang is same as the above mentioned issue we need the following logs: • Get public scripts here: https://1drv.ms/u/s!AkyTjQ17vtfagYkZ6VJzPg78e3o7PQ • RDP/login to a VM instance using the default admin user credentials. (User can enable the admin account on the VM from the portal -> vm -> operation -> run command -> Enable Admin Account) • Copy the public scripts downloaded from the above link • Open an admin command prompt and run start_ngc_tracing_public.cmd • Stop running the logging script by executing stop_ngc_tracing_public.cmd • Please zip and send us the logs under %SYSTEMDRIVE%\TraceDJPP* for analysis. • Also please collect the logs in the following folders: o %systemDrive%\WindowsAzure\Logs o %systemDrive%\WindowsAzure\CollectGuestLogsTemp
Thanks for the update @srrstepe !
@ArcturusZhang - Can you please help us in getting the above requested details so that we can confirm and close on this issue asap?
Hi @amjads1 and @srrstepe thanks for the investigation! But I am only the one to migrate this issue here not the issue author. I have informed the actual issue author to make some comments on your information.
Thanks for the response @ArcturusZhang . Please update with user comments on the requested information.
Hi @ArcturusZhang and @amjads1
I've followed the steps indicated in here and attached the logs.
Hope it helps. Hugo
Thanks for sharing the logs @hugo-paredes !
@srrstepe - Can you please look into the logs and confirm if the reported issue is same as the known issue where ADRS is making a change to allow VM resource names up to 64 chars – up from 15?
@srrstepe - Can you confirm on the issue and status based on the logs provided by @hugo-paredes ?
I looked at the logs provided by @hugo-paredes . I could confirm that the issue they were seeing is infact the issue mentioned above. i.e. Resource name greater than 15 characters. Azure resource Id:/subscriptions/9faac4cb-9dc7-4672-85f6-44027ead7635/resourceGroups/rg-l-we1-fakegdp-main/providers/Microsoft.Compute/virtualMachines/vm-l-we1-fakegdp-op-vm
This issue has been fixed by ADRS team. I see from the logs that user was indeed able to successfully install the extension on the VM and the device is AAD joined. Handler Status: [{"status":{"code":0,"formattedMessage":{"lang":"en-US","message":"Successfully joined machine to AAD."},"name":"Microsoft.Azure.ActiveDirectory.AADLoginForWindows","operation":"AADJoin","status":"success","substatus":null},"timestampUTC":"\/Date(1597229907302)\/","version":"1"}]
Thanks for the confirmation and updates @srrstepe . Appreciate the help!
@ArcturusZhang , @hugo-paredes - Based on the updates from @srrstepe , looks like the issue resolved and you should now be able to install Microsoft.Azure.ActiveDirectory.AADLoginForWindows extension without any errors. Can you please confirm from your side as well so that we can close this issue?
@ArcturusZhang , @hugo-paredes - Based on the above resolution and confirmation from the AAD team, this issue should be resolved now. I will go ahead and close this issue but feel free to re-open if the issue is not yet resolved. Thank you!
Hi @amjads1
I've just tried to login into a VM via AAD and I seem to be able to authenticate. However, I cannot login and I get this message:
Is there any other setting I need to specify to allow this?
Greetings. Hugo
Seems there are still issues, reopen this issue...
Updates from @srrstepe -
** User might see this error if Conditional Access policies are configured in the customer’s tenant requiring MFA for every resource. If this is the case, did he try logging in to using Next Generation creds? If the customer does not have NGC, then they should consider excluding “Azure Windows VM Sign-In” app from the CA policy.
If none of this works, please ask the customer to collect logs using the following instructions:
@hugo-paredes - Can you try the steps highlighted above and update if this resolves your issue?
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adamedx.
Moving this over to AAD as this issue looks to be in the AAD extension as compared to the extension framework itself.
Hi. Is there any update to this issue? Thanks
@hugo-paredes is this the same for yourself? Im having the same problem unless i disable MFA which i do not want to do
@akingscote I don't think so.
When I create a VM using the Azure Portal and enable the AAD login, I'm able to login to the VM without any problem. But, when I do it via the az cli
, then it doesn't work.
I am also fighting with the issue and not able to deploy AAD login extension for Win with ARM template. Event thought I am using the same image and copy all extension settings from resources.portal.com. All good with Linux vm's. Any upadtes ?
P.S. Resourcegroup name only 3 symbols, and vm name is also just a few letters
any updates?
the error still exists.... Trying to deploy the vm + the extension using bicep.
I have the same problem with the extention
Windows Datacenter 2019
Tried to run command on VM manually
PS C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.3.0.0> .\AADLoginForWindowsHandler.exe install
and got
[Error]: Could not find if this OS version supports Azure VM Secure join.
Exception: System.IO.FileNotFoundException: C:\windows\system32\dsreg.dll
I think this is the root cause
But on requirements Windows Datacenter 2019 is supported
Windows Server 2019 Datacenter and later
Copy files from healthy windows to the vm system32\
After that it works Enjoy!
I am trying to install this extension:
Microsoft.Azure.ActiveDirectory.AADLoginForWindows
of version: 2.2.0
on
source_image_reference {
offer = "WindowsServer"
publisher = "MicrosoftWindowsServer"
sku = "2022-datacenter-azure-edition-core"
version = "latest"
}
using Terraform.
However I am getting the following error:
Install failed for plugin (name: Microsoft.Azure.ActiveDirectory.AADLoginForWindows, version 2.2.0.0) with exception Command C:\Packages\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\2.2.0.0\AADLoginForWindowsHandler.exe of Microsoft.Azure.ActiveDirectory.AADLoginForWindows has exited with Exit code: 1
I can't find any information that this extension would not be supported on this Windows SKU. When trying to debug the error I found this issue tracker.
I did see that there's the resource name limit, but I assume that this has been patched in the last 4 years? Yet I can't see any confirmation from these replies that it has. My resource name is definitely over 15 characters.
Can someone please confirm that the character limit is still an issue or provide an alternative path for me to debug? I'm not currently able to reduce the resource group name because it follows a specific format of "<productname>-<dev>-<username>-<randsuffix>-<resourcetype>"
and I can't edit this policy.
I've opened an issue here, as this seems to potentially be a Terraform issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/25810
EDIT: Nope, this is definitely Azure's fault. Not Terraform's.
Copy files from healthy windows to the vm system32\
- dsreg.dll
- dsreg.dll.mui
- dsregcmd.exe
- dsregcmd.exe.mui
- dsregtask.dll
- dsregtask.dll.mui
After that it works Enjoy!
I just tried your example here (minus copying the files as I have no where else to copy them from).
I got the exact same error as you did:
2024-05-02T12:12:45.9183018Z [Information]: 10.0.20348.1070 (WinBuild.160101.0800)
2024-05-02T12:12:45.9183018Z [Information]: Getting Dsregcmd capabilities.
2024-05-02T12:12:45.9183018Z [Error]: Could not find if this OS version supports Azure VM Secure join.
This seems to be a Microsoft-side problem entirely.
This SKU should be completely supported: 2022-datacenter-azure-edition-core
Ok I managed to fix this entirely by using:
2022-datacenter-azure-edition-hotpatch
It seems as though despite core supposed to being supported, it simply isn't. I had no problem doing this on a different SKU, automatically via Terraform. Microsoft simply needs to add the 2022-datacenter-azure-edition-core
SKU to a list of unsupported SKUs for AADLoginForWindows
extension.
I would recommend others try a different SKU if they get this issue. Your SKU is likely just not supported despite whatever Microsoft documentation says/doesn't say.
Initially reported in https://github.com/terraform-providers/terraform-provider-azurerm/issues/7748
On portal, you can successfully install the extension as the following to a windows VM:
but the same configuration does not work on terraform (equivalent with pure REST API):
and the service returns this error:
Terraform or REST API installed extension could be provisioned successfully when you change the
typeHandlerVersion
to1.0
, but it would not work properly.