Azure account auth errors


#1

Attempting to add my azure account to miq and I’m seeing the following UI error “Credential validation was not successful: Unexpected response returned from system, see log for details”

Evm.log

ERROR -- : MIQ(ManageIQ::Providers::Azure::CloudManager#verify_credentials) Error Class=Azure::Armrest::BadRequestException, Message={"error":"unauthorized_client","error_description":"AADSTS70001: Application with identifier '563ba71bfe70e8049805555' was not found in the directory 3fb78799-8962-4de0-9608-555555\r\nTrace

I used the following to find my Azure tenant ID: http://merill.net/2015/01/how-to-get-the-azure-ad-tenant-id-without-powershell/

Then I used the following to set up my client ID and client key: https://msdn.microsoft.com/en-us/library/azure/dn798668.aspx

I guess it appears my tenant id is wrong, is there another location to discover the tenant id of my account?


#2

Hi @jcarter

You can follow the instructions in the following blog post:
http://blog.davidebbo.com/2014/12/azure-service-principal.html

Let me know if you run into any problems,
Bronagh


#3

Hi @bronaghs,

I tried this as well, got credentials right, but after that, it cannot find anything. I just tried it with azure trial with one instance on it, but it cannot find it.

Are there some other steps you need to do before this works?

Thanks.


#4

@tonimatta

One thing does come to mind; did you create a “Virtual Machine (classic)” in the Azure portal or did you create a “Virtual Machine”?
“Classic inventory” is created as part of the older Azure Service Management (ASM) deployment model and ManageIQ does not support it. Instead, we support the newer Azure Resource Model (ARM) deployment model.

Hope this helps,
Bronagh


#5

Is there a way to determine how a vm was provisioned via the portal?

I was able to only discover flavors from Azure and nothing else.


#6

@jcarter
Yes, open the preview portal and on the left hand side you will see “Virtual Machines” and “Virtual Machines Classic” listed separately.


#7

Furthermore, on the Azure preview portal, after you select a public image from the Marketplace, you are prompted to select a deployment model; here you choose “Classic” or “Resource Model”, choose the latter.


#8

Yeah this seems to work, so now I can see the VM from azure.

Is there any matrix or so where you could see what features are already available for Azure ?


#9

I seem to be stuck on the part where I need to:

Now let’s move on…
Assigning roles to your Service Principal
You have a Service Principal account, but right now it’s not allowed to do anything. You’ll need to use Azure PowerShell to do this (until the Preview Portal adds support for it).

Is it possible to do this via the preview portal like I found in this link?

Or does this need to be done via powershell? I don’t have a windows vm currently for powershell.

Thanks
Kyle


#10

I did it using PowerShell. Don’t know if you can do it another way…


#11

Hey there,

I got the same issue with the new Azure Login (portal.azure.com),

so I followed the instructions as Kyle_Bassett mentioned in THIS Link.

I found the settings in the new portal and configured the Azure AD Service with my App and configured the permissions and keys…

I found the tenantID, App-ID and generated a Key which is the “password”… configured it in ManageIQ…

but… I got the following error:

[----] E, [2016-10-14T17:26:33.650443 #9156:2d3da2c] ERROR -- : [Azure::Armrest::UnauthorizedException]: The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant.  Method:[rescue in block in start_event_monitor]
[----] E, [2016-10-14T17:26:33.653318 #9156:2d3da2c] ERROR -- : /opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:442:in `raise_api_exception'
/opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:390:in `rescue in rest_execute'
/opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:383:in `rest_execute'
/opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:394:in `rest_get'
/opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:185:in `fetch_subscription_id'
/opt/rubies/ruby-2.2.5/lib/ruby/gems/2.2.0/gems/azure-armrest-0.2.7/lib/azure/armrest/armrest_service.rb:162:in `configure'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:65:in `create_event_service'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:61:in `connection'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:34:in `get_events'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:25:in `each_batch'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/runner.rb:13:in `monitor_events'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/event_catcher/runner.rb:112:in `block in start_event_monitor'

I tried every combination of those IDs… but nothing worked…

I actually don’t know if this is an issue because Azure changed the login API (the error message maybe describes a missing field) or if I had a configuration issue in the Azure AD…

Can somebody evaluate this? Seems to be a big problem since Azure changed the portal…

Thanks
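The log in the post above says the access token lacks all of the `puid`, `altsecid` and `oid` claims. The following is an added diagnostic example, not part of the original post and not code from ManageIQ or azure-armrest: it reads the claims of an access token you have already obtained for the app and compares them with the tenant ID and client ID entered in the provider. It assumes a v1-style Azure AD token carrying `tid` and `appid` claims; the GUIDs and `sample_token` helper are constructed placeholders.

```ruby
require 'base64'
require 'json'

# At least one of these must be present, per the ARM error quoted in the log above.
IDENTITY_CLAIMS = %w[puid altsecid oid].freeze

# Decode the payload of a JWT access token. The signature is NOT verified:
# this is for reading claims during troubleshooting, never for trusting a token.
def decode_claims(token)
  segments = token.to_s.split('.')
  raise ArgumentError, 'expected header.payload.signature' unless segments.size == 3

  payload = segments[1]
  payload += '=' * ((4 - payload.size % 4) % 4) # restore stripped base64url padding
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# Return a list of findings; an empty list means the claims are consistent
# with the tenant ID and client ID configured in the provider.
def diagnose_token(token, tenant_id:, client_id:)
  claims = decode_claims(token)
  findings = []
  if (IDENTITY_CLAIMS & claims.keys).empty?
    findings << 'no puid/altsecid/oid claim: service principal may not be properly created in the tenant'
  end
  unless claims['tid'].to_s.downcase == tenant_id.downcase
    findings << "tid #{claims['tid'].inspect} differs from the configured tenant ID"
  end
  unless claims['appid'].to_s.downcase == client_id.downcase
    findings << "appid #{claims['appid'].inspect} differs from the configured client ID"
  end
  findings
end

# Constructed sample data (placeholder GUIDs, dummy signature), not real values.
TENANT = '00000000-0000-0000-0000-000000000001'
CLIENT = '00000000-0000-0000-0000-0000000000aa'

def sample_token(claims)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  "#{enc.call({ 'alg' => 'none' })}.#{enc.call(claims)}.sig"
end

if __FILE__ == $PROGRAM_NAME
  broken = sample_token({ 'tid' => TENANT, 'appid' => CLIENT }) # no oid claim
  puts diagnose_token(broken, tenant_id: TENANT, client_id: CLIENT)
end
```

Treat any real access token as a credential while it is valid: decode it locally and do not paste it into logs or forum posts.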


#12

Hi @schmandforke
Did you give the ManageIQ app “contributor” access? Refer to the Wiki on the azure-armrest gem page on GitHub:

Bronagh


#13

Hi:
Did you try this: https://www.youtube.com/watch?v=7HvjPVm1UlA?

I had problems the first time with my trial account, but it was because the elements in Azure go to read-only status and my trial account was disabled. In CloudForms I get this error:

Error - 1 Minute Ago
[ReadOnlyDisabledSubscription] The subscription ‘XXXXXXXXXXXXX’ is disabled


#14

Hey @bronaghs

Yes, I read this article, it was just “a little bit” useful, because we only have access to the new Azure Portal. I don’t know if this is common, but we can’t access the classic portal anymore. So the video is a bit obsolete in this scenario, too :’(

There are many changes in the new Portal, I’m currently new to Azure, but there are many IDs flying through the views, and I actually don’t know where to get my IDs in the new Portal…

Currently i have one Subscription “Microsoft Azure” like this:


I would guess that this (in the red circle) is my SubscriptionID.

Next thing is the Active Directory Access…

I subscribed to the “Microsoft Azure Active Directory” Service and added an App-Registration:

…with the “Required Permissions”:


In the left Section under Keys, you can generate your ClientKey.

… and I got the TenantID from the Entrypoints (all the same):

So I got my SubscriptionID / TenantID and ClientKey, where to get my ClientID? Is that my ApplicationID shown in the last picture behind the long black bar? If yes, this actually doesn’t work, getting the error message mentioned in my last post :(

Or is there something else to configure? I’m running out of options and hope you can help…

Thanks for your time!


#15

The client ID is the application ID.

See also: https://github.com/ManageIQ/azure-armrest/wiki/Adding-a-Service-Principal#using-just-the-new-portal


#16

Any updates here?
https://bugzilla.redhat.com/show_bug.cgi?id=1395106

Why is this bug closed with insufficient data?


#17

@schmandforke It was closed due to lack of data. I’m not familiar with CSP accounts, or if they can authenticate in a headless fashion.

Are you able to use “az login” on the command line with your CSP credentials?