Closed vniklas closed 5 years ago
1 - Did everything complete successfully up to that point?
2 - What was your launch command (minus any sensitive info)?
3 - Do you have a CertsCreated.txt file in your ASDK\appservice folder?
4 - Do you have an ApplicationIDBackup.txt (with an application ID inside the file) in your ASDK download folder?
If yes for #4, what happens when you run the following in a fresh ISE? Run it section by section, so we can easily identify where things are going wrong.
$identityApplicationID = "<copy from ApplicationIDBackup.txt>"
$azureDirectoryTenantName = "<enter tenant name here>"
$ArmEndpoint = "https://adminmanagement.local.azurestack.external"
Add-AzureRMEnvironment -Name "AzureStackAdmin" -ArmEndpoint "$ArmEndpoint" -ErrorAction Stop
$ADauth = (Get-AzureRmEnvironment -Name "AzureStackAdmin").ActiveDirectoryAuthority.TrimEnd('/')
Get-AzureRmContext -ListAvailable | Where-Object {$_.Environment -like "Azure*"} | Remove-AzureRmAccount
Clear-AzureRmContext -Scope CurrentUser -Force
# Grant permissions to Azure AD Service Principal
$tenantId = (Invoke-RestMethod "$($ADauth)/$($azureDirectoryTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
Add-AzureRmAccount -EnvironmentName "AzureCloud" -TenantId $tenantId -ErrorAction Stop
$context = Get-AzureRmContext
$refreshToken = @($context.TokenCache.ReadItems() | Where-Object {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$refreshtoken = $refreshtoken.Split("`n")[0]
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With' = 'XMLHttpRequest'
'x-ms-client-request-id' = [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()
}
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$identityApplicationID/Consent?onBehalfOfAll=true"
$url
5 - Does $url get populated?
Thanks! Matt
Also, you can send any log files to asdkconfigurator @ outlook . com, and I'll pick them up from there. I suspect it's something to do with either the $tenantID not being populated correctly, or there being no token, both of which would result in either the $body not being populated, or the Invoke-RestMethod for the $apiToken not getting populated.
This works fine in my environment(s) with different subs, so I'm curious about your subscription and AAD user combination, so I can see if I can replicate.
Let's chat more.
Thanks! Matt
$url does not get populated
From: Matt McSpirit notifications@github.com
Sent: 8 November 2018 14:56
To: mattmcspirit/azurestack azurestack@noreply.github.com
Cc: vNiklas Akerlund niklas@djungeln.se; Author author@noreply.github.com
Subject: Re: [mattmcspirit/azurestack] addappserviceprereq failure (#58)
Right, so if you go through them one by one, which other variables are not getting populated here?
$tenantId
$context
$refreshtoken
$body
$apiToken
$identityApplicationID
If you run the previous script I provided, line by line, then check each one to see if it's getting populated, we can see where it's failing in your environment.
I do get tenantId, but then it is empty.
I do not have an Azure subscription in the AAD tenant in question.
PS C:\ConfigASDK> Add-AzureRmAccount -EnvironmentName "AzureCloud" -TenantId $tenantId -ErrorAction Stop
Account :
SubscriptionName :
SubscriptionId :
TenantId :
Environment :
So to confirm, when you run this:
$tenantId = (Invoke-RestMethod "$($ADauth)/$($azureDirectoryTenantName)/.well-known/openid-configuration").issuer.TrimEnd('/').Split('/')[-1]
$tenantId
You do get a result, a tenantId starting with: 7e642d21
Right?
But when you run this:
Add-AzureRmAccount -EnvironmentName "AzureCloud" -TenantId $tenantId -ErrorAction Stop
$context = Get-AzureRmContext
$context
the resulting $context is essentially empty, as per:
Account :
SubscriptionName :
SubscriptionId :
TenantId :
Environment :
Correct?
Correct.
$context is totally empty.
That's strange for the fields to be completely blank there. On an account I have, that I know doesn't have any subscriptions in Azure, when I log into Azure to test, I get the following:
Login-AzureRmAccount -Environment AzureCloud -TenantId $tenantId
Account : ****@M****.COM
SubscriptionName :
SubscriptionId :
TenantId : c7d77d49-****-****-****-************
Environment : AzureCloud
Get-AzureRmContext
Name : Default
Account : ****@M****.COM
SubscriptionName :
SubscriptionId :
TenantId : c7d77d49-****-****-****-************
Environment : AzureCloud
So it's very strange that you get nothing at all.
However, I've just created a test user account in another directory, and I can replicate your issue. The result of Get-AzureRmContext is completely blank. Let me investigate why this is, and what I can do to fix it.
Awesome.
And....this is exactly the issue you have:
https://github.com/Azure/azure-powershell/issues/7131
I'll have to think about this, and it may be that I'll have to create a workaround for non-subscription Azure AD accounts, and for those, skip this bit of the process, and provide guidance at the end of the process (perhaps a desktop .txt file) instructing the user to manually grant permissions to their app in Azure AD.
Note - this doesn't block the App Service installer from running and installing successfully.
Let me investigate further.
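As an added example (not code from the ConfigASDK project or from this thread), here is the diagnostic script from earlier in the thread wrapped so that each variable is checked before the next step runs, with the blank-context case from azure-powershell issue 7131 detected and handed off to the manual-instructions file proposed above instead of failing the stage. The function name, the `Assert-Populated` helper and the desktop file path are assumptions.

```powershell
# Added example, not the project's own code. Assumed names: Test-AppServiceConsentPrereqs,
# Assert-Populated, and the fallback notes file path.
function Test-AppServiceConsentPrereqs {
    param(
        [Parameter(Mandatory)][string]$IdentityApplicationID,    # value from ApplicationIDBackup.txt
        [Parameter(Mandatory)][string]$AzureDirectoryTenantName,  # e.g. contoso.onmicrosoft.com
        [string]$ArmEndpoint = "https://adminmanagement.local.azurestack.external",
        [string]$FallbackNotes = "$env:USERPROFILE\Desktop\AppServiceManualPermissions.txt"
    )
    # Stop at the first empty variable and name it. Only the variable name is reported,
    # never its value, so refresh/access tokens do not end up in transcripts or logs.
    function Assert-Populated([string]$Name, $Value) {
        if ($null -eq $Value -or "$Value" -eq "") {
            throw "Step failed: `$$Name is not populated"
        }
    }
    Add-AzureRmEnvironment -Name "AzureStackAdmin" -ArmEndpoint $ArmEndpoint -ErrorAction Stop | Out-Null
    $ADauth = (Get-AzureRmEnvironment -Name "AzureStackAdmin").ActiveDirectoryAuthority.TrimEnd('/')
    Assert-Populated 'ADauth' $ADauth

    # Tenant ID comes from the issuer in the OpenID configuration document.
    $oidc = Invoke-RestMethod "$ADauth/$AzureDirectoryTenantName/.well-known/openid-configuration"
    $tenantId = $oidc.issuer.TrimEnd('/').Split('/')[-1]
    Assert-Populated 'tenantId' $tenantId

    Add-AzureRmAccount -EnvironmentName "AzureCloud" -TenantId $tenantId -ErrorAction Stop | Out-Null
    $context = Get-AzureRmContext
    if (-not $context.Account) {
        # The symptom from this thread: a completely blank context for an AAD user that has
        # no subscription. Skip the automated consent and leave manual guidance behind.
        @("Grant permissions manually in Azure AD for application $IdentityApplicationID",
          "Tenant: $tenantId ($AzureDirectoryTenantName)") | Set-Content -Path $FallbackNotes
        return [pscustomobject]@{ Automated = $false; TenantId = $tenantId; Notes = $FallbackNotes }
    }
    # Unexpired refresh token for this tenant from the local ADAL token cache.
    $refreshToken = @($context.TokenCache.ReadItems() |
        Where-Object { $_.TenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date) })[0].RefreshToken
    Assert-Populated 'refreshToken' $refreshToken
    $refreshToken = $refreshToken.Split("`n")[0]

    # Exchange it for an access token scoped to the resource the original script targets.
    $body = "grant_type=refresh_token&refresh_token=$refreshToken&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
    $apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    Assert-Populated 'apiToken.access_token' $apiToken.access_token

    $url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$IdentityApplicationID/Consent?onBehalfOfAll=true"
    return [pscustomobject]@{ Automated = $true; TenantId = $tenantId; ConsentUrl = $url }
}
```

Run it in a fresh ISE as `Test-AppServiceConsentPrereqs -IdentityApplicationID '<from ApplicationIDBackup.txt>' -AzureDirectoryTenantName '<tenant>'`; the thrown message names the first variable that came back empty, which is the same check the thread walks through by hand.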
OK, here's the workaround: could you replace your version of AppServicePreReqs.ps1 (in your ConfigASDK\Scripts folder) with this one:
I've written a workaround that I hope you can test. It won't set the permissions for you, but will put a txt doc on your desktop with the manual instructions to perform the step once the process has all finished. This should also allow your AppService step to proceed.
Let me know!
If you haven't tested it yet, try it now. I found another way which will automate the process, so it should work. Let me know, and thanks for your help.
I have not yet tested it
No worries, let me know how it goes when you get to it.
Thanks! Matt
This should now be fixed with the 1809.1 release.
I cannot get by the add app service prereq step
VERBOSE: Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: Operation 'Query CimInstances' complete.
VERBOSE: Perform operation 'Query CimInstances' with following parameters, ''queryExpression' = SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:','queryDialect' = WQL,'namespaceName' = root\cimv2'.
VERBOSE: Operation 'Query CimInstances' complete.
You don't need to sign into the Azure Portal to grant permissions, ASDK Configurator will automate this for you. Please wait.
VERBOSE: GET https://login.microsoftonline.com/spacefarm.onmicrosoft.com/.well-known/openid-configuration with 0-byte payload
VERBOSE: received 1575-byte response of content type application/json; charset=utf-8
ASDK Configurator Stage: AddAppServicePreReqs failed. Updating ConfigASDK Progress database
You cannot call a method on a null-valued expression..Exception.Message