MarcelMeurer / Project-MySmartScale

Repository to deploy MySmartScale to Azure

Insufficient Privileges #1

Closed JAK1047 closed 5 years ago

JAK1047 commented 5 years ago

Didn't know if there was a forum or better place to reach out for assistance, but after following the instructions and setting up the portal I'm getting an HTTP 500 error every few seconds in it while it tries to pull Data\Statistics. Looking at the response it appears to be getting an ODATA Insufficient Privileges error.

I'm assuming the error is from the Service Principal set up in the Portal App Configuration missing some rights, but it's set for User.Read.All under Application and ID Token is checked. I haven't setup the agent yet on my WVD hosts wanting to get the basic setup out of the way, so any idea what the periodic calls trying to access that could be generating the error? Or where I could start troubleshooting?

MarcelMeurer commented 5 years ago

Hi. This is the absolute right place. So, thanks for placing your question here.

Can you log in properly to the -portal web site, and do you see the web GUI without tiles (empty)? That is how it should be. If you can log in, the portal queries the data once a minute. The data Uri is:

https://nnnnnnnnnnnnn-portal.azurewebsites.net/data/SiteStatistics/1AF04A50-3F2F-420A-93B8-2D2A1EFF6CF1

The return value for a vanilla installation is: [] - 200

If you get an error, something is wrong, maybe, as you wrote, with your authentication. Could you check the configuration variables:

ida:ClientId: <Id of your Azure Ad app / service principal Guid>
ida:ClientSecret: <Secret of your Azure Ad app / service principal>
ida:Domain: <Your Azure AD tenant Guid>
ida:TenantId: <Your Azure AD tenant Guid>

Also, make sure that you leave this variable as it is/was. It must be the static Guid: cfg:DefaultTenantGuid: 1AF04A50-3F2F-420A-93B8-2D2A1EFF6CF1

Another thing: Make sure that you open the -portal URI and not the -data one. The -data has no website and will give you an error if you access it. -data holds the web job and data endpoint. You can check if the endpoint is working with https://nnnnnnnnnnnnn-portal.azurewebsites.net/data/test
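As an added example (not code from the project or from either participant), the checks above can be scripted instead of read off screenshots: dump the -portal app settings with `az webapp config appsettings list -g <rg> -n <name>-portal -o json`, verify the four ida:* keys, that the GUID-valued ones are GUIDs, that cfg:DefaultTenantGuid still holds the static value, and that no value carries a stray double quote; then hit /data/test, the only endpoint the thread says can be probed without a logged-in session. The hostname and the settings file path are assumptions passed on the command line.

```python
"""Sanity-check the -portal web app settings named in the thread, then probe /data/test.

Added example (not the project's own code). The settings list is assumed to be the
output of:  az webapp config appsettings list -g <rg> -n <deploymentname>-portal -o json
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Static GUID that cfg:DefaultTenantGuid must keep (from the thread).
DEFAULT_TENANT_GUID = "1AF04A50-3F2F-420A-93B8-2D2A1EFF6CF1"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

REQUIRED_KEYS = ("ida:ClientId", "ida:ClientSecret", "ida:Domain",
                 "ida:TenantId", "cfg:DefaultTenantGuid")
GUID_KEYS = ("ida:ClientId", "ida:Domain", "ida:TenantId", "cfg:DefaultTenantGuid")


def settings_to_dict(settings):
    """az prints a list of {name, value, slotSetting}; flatten it to name -> value."""
    return {s["name"]: (s.get("value") or "") for s in settings}


def check_settings(cfg):
    """Return a list of problems; an empty list means the settings look right."""
    problems = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    for key in GUID_KEYS:
        value = cfg.get(key, "").strip()
        if value and not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID: {value!r}")
    default_tenant = cfg.get("cfg:DefaultTenantGuid", "").strip()
    if default_tenant and default_tenant.upper() != DEFAULT_TENANT_GUID:
        problems.append(f"cfg:DefaultTenantGuid must stay {DEFAULT_TENANT_GUID}, found {default_tenant!r}")
    # A stray double quote is the copy/paste leftover mentioned later in the thread.
    for key, value in cfg.items():
        if '"' in value:
            problems.append(f"{key} contains a double quote")
    return problems


def probe_data_test(portal_host, timeout=10):
    """Online check of the data endpoint; returns (HTTP status, first 200 bytes of body)."""
    url = f"https://{portal_host}/data/test"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(200).decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: python check_portal.py settings.json [nnnnnnnnnnnnn-portal.azurewebsites.net]
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = check_settings(settings_to_dict(json.load(fh)))
    for problem in found:
        print("PROBLEM:", problem)
    if len(sys.argv) > 2:
        print("/data/test ->", probe_data_test(sys.argv[2]))
    sys.exit(1 if found else 0)
```

The /data/SiteStatistics/<guid> call is made by the browser inside the authenticated session, so check it from the browser's network tab rather than from this script; an unauthenticated request would only show you the sign-in redirect. Note also that ida:ClientSecret sits in plain app settings, so treat the settings dump as a secret and do not paste it into a public issue.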

JAK1047 commented 5 years ago


Rebuilt from scratch just to see and got the same thing. Portal loads, but errors persist every few seconds. Made sure the configuration is in the Portal app and not data. Values appear right (haven't set the AdminUserGroup yet on this new one). I took a screenshot and removed the ending characters.


As far as I can tell it is set correctly, but I don't know what calls are being made from that error.

MarcelMeurer commented 5 years ago

Hi. Did you get the Azure logon screen when you open the portal? The next step would be to check the Application Insights log. Maybe there is an error connecting to the database. You can check the connection string of the portal web app. Maybe you have some special character which does not work (like a "). Or, if it is an option, give me temporary permissions to the resource group to support debugging.

JAK1047 commented 5 years ago

No login page just took me right in. I'll take a look when Monday rolls around and I'm back at work to see if the logs have anything further and let you know. Thank you!

JAK1047 commented 5 years ago

Might be a moot point anyway. Now when I try to do another deployment I'm getting failures in the ARM template.


"ErrorEntity": { "ExtendedCode": "51004", "MessageTemplate": "Cannot find {0} with name {1}.", "Parameters": [ "ServerFarm", "WindScaleTest" ], "Code": "NotFound", "Message": "Cannot find ServerFarm with name WindScaleTest." }

So it successfully made the ServerFarm right below it, then failed to find the ServerFarm it just created.

MarcelMeurer commented 5 years ago

Hi. I'm sorry about the trouble you are having rolling out the solution. I tried this right now, and if I choose a deployment name which is probably random (like projectmysmartscale20191022) it deploys without problems. Choosing the right name is a challenge with this GitHub repo: you are free to select a name, but it must fit and be unique for resources like the web app, SQL, Log Analytics, … But I see in your screenshot that your name is probably unique. Your error message looks like the server farm (App Service plan) might not be ready while rolling out the data web app. I checked the dependencies of the web app on the server farm and they are right.

Could you repeat rolling out the solution? Maybe there was a random issue in the deployment phase.

Sorry about the issues you have. This is not what I want to have. Marcel


JAK1047 commented 5 years ago

Tried a different browser, account, and a name with random numbers, so I'm assuming that it's unique. Same issue:


Is the data site something I could manually create myself?

MarcelMeurer commented 5 years ago

Can you run the deployment with the same name and password in the same RG? Alternatively, you can build the web app yourself, but you have to add the settings and configurations yourself (are you able to read this from the ARM template?). Could you name the region you have used?


MarcelMeurer commented 5 years ago

Sorry. I found the error. There was a hardcoded location in the ARM template. I corrected it now. Sorry again, and I hope it works now as expected.

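The two template pitfalls discussed in this thread (a web app whose dependsOn on the App Service plan must be right, and a hard-coded location that made the deployment fail with "Cannot find ServerFarm") can be caught before deploying. The linter below is an added example, not the project's template or tooling; it reads an ARM template as plain JSON, looks only at top-level resources, and assumes the usual `[resourceId('Microsoft.Web/serverfarms', <name expression>)]` form for serverFarmId. The embedded sample template is constructed for the example.

```python
"""Lint an ARM template for the two things that bit this deployment: a hard-coded
location and a web app that is not properly tied to its App Service plan (serverfarm).

Added example, not the project's template. It reads the template as plain JSON and
only looks at top-level resources; nested and linked templates are out of scope.
"""
import json
import re
import sys

PLAN_TYPE = "Microsoft.Web/serverfarms"
SITE_TYPE = "Microsoft.Web/sites"
# Matches the usual "[resourceId('Microsoft.Web/serverfarms', <name expr>)]" form.
PLAN_REF_RE = re.compile(r"resourceId\(\s*'Microsoft\.Web/serverfarms'\s*,\s*(.+?)\s*\)\s*\]$")


def is_expression(value):
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def strip_brackets(expr):
    """\"[variables('x')]\" -> \"variables('x')\"; literals are returned unchanged."""
    return expr[1:-1].strip() if is_expression(expr) else expr


def plan_ref(site):
    """Name expression of the plan a web app points at via properties.serverFarmId, or None."""
    m = PLAN_REF_RE.search(site.get("properties", {}).get("serverFarmId", ""))
    return m.group(1) if m else None


def lint_template(template):
    """Return findings as (resource name, message) tuples; an empty list means clean."""
    findings = []
    resources = template.get("resources", [])
    plans = {strip_brackets(r.get("name", "")): r for r in resources if r.get("type") == PLAN_TYPE}

    for res in resources:
        name, loc = res.get("name", "?"), res.get("location")
        if loc is not None and not is_expression(loc):
            findings.append((name, f"location is hard-coded to {loc!r}; use [resourceGroup().location] or a parameter"))
        if res.get("type") != SITE_TYPE:
            continue
        ref = plan_ref(res)
        plan = plans.get(ref)
        if plan is None:
            findings.append((name, "serverFarmId does not point at a serverfarm defined in this template"))
            continue
        if not any(ref in dep for dep in res.get("dependsOn", [])):
            findings.append((name, "dependsOn has no entry for the App Service plan; the app may be deployed before the plan exists"))
        if plan.get("location") != loc:
            findings.append((name, f"location {loc!r} differs from the plan's location {plan.get('location')!r}"))
    return findings


# Constructed sample, not the project's template: the -data app has a literal region and
# the -portal app lacks dependsOn.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": PLAN_TYPE, "name": "[variables('planName')]",
         "location": "[resourceGroup().location]"},
        {"type": SITE_TYPE, "name": "[concat(parameters('name'), '-data')]",
         "location": "westeurope",
         "dependsOn": ["[resourceId('Microsoft.Web/serverfarms', variables('planName'))]"],
         "properties": {"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]"}},
        {"type": SITE_TYPE, "name": "[concat(parameters('name'), '-portal')]",
         "location": "[resourceGroup().location]",
         "properties": {"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]"}},
    ]
}

if __name__ == "__main__":
    # usage: python lint_arm.py [azuredeploy.json]   (no argument: lint the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    for name, message in lint_template(template):
        print(f"{name}: {message}")
```

The location comparison is textual, so a plan at `[resourceGroup().location]` and a site at `[parameters('location')]` are reported as differing even if both resolve to the same region at deploy time; treat that finding as "look at it", not as an error.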

JAK1047 commented 5 years ago

Looks like that fixed it! I'll go through when it finishes and set it up to get back on track with the original issue, but wanted to let you know that error is corrected for tracking.

JAK1047 commented 5 years ago

Think I see issues in the App Insights. I see errors trying:

Remote dependency name | SQL: tcp:WindScale3.database.windows.net,1433 | MySmartScale

Coming back with a 207 result code. I also see a call to:

https://graph.windows.net:443/2567b4c1-b0ed-40f5-aee3-58d7c5f3e2b2/directoryObjects/79aa837c-88f8-493f-a87d-16eb3277316c/memberOf?api-version=1.6

Giving that "Insufficient privileges to complete the operation". The object ID is for my own account, so looks like it's trying to get my groups and not having enough rights? Looking at the page should I do Directory.Read.All instead of User.Read.All?

https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http

And follow up it appears to be using the older graph.windows.net associated with Azure Active Directory Graph instead of https://graph.microsoft.com for Microsoft Graph. Maybe I should try giving perms from the legacy API?

JAK1047 commented 5 years ago

So after my last thought on the Azure Active Directory Graph I threw on those perms:


After 10 minutes the calls started working. I can remove the perms one by one to test the exact ones, but this is looking good to me.
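The two comments above pin the cause down: the Application Insights dependency URL goes to graph.windows.net (Azure AD Graph), while the permission had been granted on Microsoft Graph (graph.microsoft.com), and the two are separate resources in the app registration. As an added example (not the project's code and not something either participant posted), the script below takes the app registration's requiredResourceAccess array, as returned by `az ad app show --id <appId> --query requiredResourceAccess`, maps the failing URL's host to the well-known resource app id of the API it belongs to, and reports when that API has no application ("Role") permission configured. The permission ids in the embedded sample are placeholders, not real role or scope ids; the failing URL is the one quoted in the thread.

```python
"""Work out which directory API an app registration holds permissions on, and whether the
API behind a failing dependency call (as seen in Application Insights) has any application
permission configured at all.

Added example, not the project's code. Input is the requiredResourceAccess array of the
app registration, e.g. from:  az ad app show --id <appId> --query requiredResourceAccess
The permission ids in the sample are placeholders, not real role or scope ids.
"""
from urllib.parse import urlparse

# Well-known resource app ids of the two directory APIs.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph, graph.windows.net (legacy)
MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph, graph.microsoft.com
API_NAMES = {AAD_GRAPH: "Azure AD Graph", MS_GRAPH: "Microsoft Graph"}
HOST_TO_API = {"graph.windows.net": AAD_GRAPH, "graph.microsoft.com": MS_GRAPH}


def api_for_url(url):
    """Resource app id of the API behind a dependency URL, or None if the host is unknown."""
    host = (urlparse(url).hostname or "").lower()
    return HOST_TO_API.get(host)


def summarize(required_resource_access):
    """Count configured permissions per API: {resourceAppId: {"Role": n, "Scope": m}}.
    Role = application permission (client credentials), Scope = delegated permission."""
    summary = {}
    for entry in required_resource_access:
        counts = summary.setdefault(entry["resourceAppId"], {"Role": 0, "Scope": 0})
        for perm in entry.get("resourceAccess", []):
            counts[perm["type"]] = counts.get(perm["type"], 0) + 1
    return summary


def explain_insufficient_privileges(required_resource_access, failing_url):
    """None if the failing call's API has an application permission configured,
    otherwise a sentence saying which API the permissions were put on instead."""
    api = api_for_url(failing_url)
    if api is None:
        return f"unknown API host in {failing_url}"
    summary = summarize(required_resource_access)
    if summary.get(api, {}).get("Role", 0):
        return None
    elsewhere = [API_NAMES.get(k, k) for k, v in summary.items() if v.get("Role")]
    return (f"{API_NAMES[api]} has no application permission configured; "
            f"application permissions exist only on: {', '.join(elsewhere) or 'none'}")


# Constructed sample: one application permission on Microsoft Graph only, which is the
# state the thread describes before the fix. The id is a placeholder.
SAMPLE_RRA = [
    {"resourceAppId": MS_GRAPH,
     "resourceAccess": [{"id": "placeholder-user-read-all", "type": "Role"}]},
]
# The dependency URL quoted from Application Insights in the thread.
FAILING_CALL = ("https://graph.windows.net:443/2567b4c1-b0ed-40f5-aee3-58d7c5f3e2b2"
                "/directoryObjects/79aa837c-88f8-493f-a87d-16eb3277316c/memberOf?api-version=1.6")

if __name__ == "__main__":
    print(explain_insufficient_privileges(SAMPLE_RRA, FAILING_CALL))
```

requiredResourceAccess lists what the registration asks for, not what an admin has consented to, so a clean result here still needs admin consent granted on the Azure AD Graph entry; the ten-minute wait reported above is in line with that consent taking a while to take effect. Two caveats a practitioner would add: Directory.Read.All is considerably broader than the User.Read.All that was first tried, so removing the extra permissions one by one, as planned above, is the least-privilege route; and Azure AD Graph has since been retired in favour of Microsoft Graph, so a current build of anything calling graph.windows.net should be moved to graph.microsoft.com.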