Issue in Logic app workflow connects to eventhub - azure-logic-apps

I am getting the below error in my logic app workflow; I have scheduler -> MQ -> Azure Event Hub connectors. I can see the message coming as far as MQ, and there is a failure in Event Hub with the below error. I would appreciate any suggestion as to why this error is coming up and how to overcome it.
"BadRequest. Http request failed as there is an error: 'The SSL connection could not be established, see inner exception.'"

You might be receiving this due to Authentication or certificate errors.
You can check the connection you are establishing while creating the Event Hub connector.
Authorize access to an event hub by using a system-assigned managed identity.
Try checking certificate expiration. To configure service principals with certificate credentials, Azure AD can be used to build a service principal with restricted access at the resource level. Azure Key Vault may be utilised with Azure-managed identities in both scenarios, so that the runtime environment, such as an Azure Function, can get the credential from the key vault.
Also you can try checking the inner exception that is occurring and take further actions accordingly.
REFERENCES:
Azure security baseline for Event Hubs
Authenticate a managed identity with Azure Active Directory
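The answer above recommends checking certificate expiration and the inner exception. The following PowerShell script is an added example (not part of the original question or answer) that performs that check from any client with network access to the namespace: it opens a TLS connection to the Event Hubs endpoint, records what the OS chain builder reports, and prints the presented certificate's subject, issuer, expiry and negotiated protocol. The function name `Test-TlsEndpoint` and the namespace host `my-namespace.servicebus.windows.net` are assumptions/placeholders; replace the host with your own namespace.

```powershell
# Added diagnostic example, not code from the original thread.
# Reports the TLS chain status and certificate expiry of an endpoint so that
# "The SSL connection could not be established" can be narrowed down.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    # The validation callback records the chain result instead of silently
    # trusting it; we only accept the certificate to finish the handshake and
    # report what the platform found (expired, untrusted root, name mismatch).
    $script:chainStatus = 'NotEvaluated'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:chainStatus = $sslPolicyErrors.ToString()
        return $true
    }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI/hostname check uses the same name

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host          = $HostName
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainStatus   = $script:chainStatus   # 'None' means the chain validated
        }
    }
    finally {
        $client.Dispose()
    }
}

# Placeholder namespace host (assumption); substitute your own Event Hubs namespace.
Test-TlsEndpoint -HostName 'my-namespace.servicebus.windows.net' | Format-List
```

A `ChainStatus` other than `None` (for example `RemoteCertificateChainErrors` or `RemoteCertificateNameMismatch`) or a small `DaysRemaining` value points at the certificate side of the failure; if the handshake itself throws, the exception's `InnerException` is the same detail the Logic Apps error message refers to, so read it before changing the connector's authentication settings.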


Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue

I am getting this error. How can I configure this? I am setting up a virtual machine to log in with my AD account. I want to log in with my Office 365 account and allow members to access the virtual machine. Right now I am configuring the AD account connectivity.
These are errors from logs :
[05:00:31.709] [ 27] [ERROR] ExecuteADSyncConfiguration: configuration failed. Skipping export of synchronization policy. resultStatus=Failed
[05:00:31.710] [ 27] [ERROR] PerformConfigurationPageViewModel: An error occurred while creating the synchronization service account in Azure AD. The error was: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
[05:00:31.710] [ 27] [ERROR] PerformConfigurationPageViewModel: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
[05:03:10.957] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20221220-041351.log
I tried to reproduce the same in my environment and got the same error like below:
Unable to create the synchronization service account for Azure ActiveDirectory
This error occurs when Conditional Access is blocking the account you are using as the Azure AD admin account while you are going through the wizard, even though the account authenticated earlier in the session (ref):
To resolve this error: log in with the admin account -> sign-in logs under Monitoring -> check whether the user sign-in logs and non-interactive sign-in logs show failures.
Check if multiple access policies are enabled for the service account; try to disable them, or else try to exclude your IP range like below:
When MFA is enabled in the Azure environment, the Sync account will incorrectly detect an error message; try disabling MFA for the account and restarting the wizard.
Now, when I tried to connect the Azure AD account, it configured successfully like below:
Azure AD Connect installed successfully like below:
Reference:
Azure AD Connect – Unable to Create the Synchronization Service Account for Azure AD – by Sam's Corner
Unable to create the synchronization service account for Azure Active Directory - Microsoft by mfreitas

Identity Server 4 Error - 'Unrecognized SAML service provider - cannot find Client configuration'

I want to establish a SAML connection between one external service provider and Identity Server 4.
Steps which were performed:
Captured SAML metadata of IS4 application
Configured Service provider with IS4 metadata
While verifying, I get the below error on the IS4 application.
"Invalid Service Provider; Unrecognized SAML service provider - cannot find Client configuration".
Any idea what exactly I am missing here?
Thanks
(IS4 - Identity Server 4)
I was able to find out the root cause of this issue: for the SAML service provider the below settings were in place, due to which this communication was failing.
AuthnRequestsSigned="false"
WantAssertionsSigned="false"
So, I had to change the setting in 'Identity server - service provider' to turn off this validation.

Role error while configuring saml signing certificate for robin powered

Error : Your role does not have the permissions required to manage signing certificates.
How to fix this?
Previously I was able to set up single sign-on for multiple applications and I didn't receive any error related to the signing certificate, but Robin Powered is not allowing it.
To configure the certificate you should be a member of one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Azure AD Domain Services fails due to unsuccessful connectivity test

Provisioning an instance of Azure AD Domain Services keeps on failing with the following message:
Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.xx:5986
Any ideas?
From : https://github.com/MicrosoftDocs/azure-docs/issues/43240
"message" : The resource operation completed with terminal provisioning state 'Failed'
"details":[{"code":"InternalError","message":"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.190.251.173:5986"}]
Other people who have experienced this issue typically had something to do with VPNs, ExpressRoutes, or other special network setups.
I would suggest checking all your network connections and whether you have any unique connections.
Wait a few hours or until the next day to try again, as there may be some transient network-related issues.
If that does not work, try reinstalling AAD DS on the server.
In addition to that: please take into consideration that Domain Services instances using classic virtual networks are not supported.
Also I want to share with you the documentation for prerequisites, the tutorial, networking, and notifications.
Prerequisites:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Tutorial to create the instance
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Network security group rules required to set up Azure AD DS
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/network-considerations#network-security-groups-and-required-ports
Notifications to assist and manage alerts on the ADDS
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/notifications
Make sure the network security group attached to the AADDS subnet is set up properly.
I was able to reproduce the error when the NSG did not have the required inbound rules.
Error: waiting for Domain Service (Name: "", Resource Group: ""): Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.198.186.xxx:5986"
The following NSG entries fixed the issue described above.
Also make sure you set the DNS servers on the vnet to the IP addresses that will be assigned to the DC before you deploy the AADDS service.
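The NSG entries the answer above refers to were shown as an image that has not survived. The following Az PowerShell script is an added example (not the answer's own code) that creates the two inbound rules the managed domain's connectivity test depends on: TCP 5986 (the WinRM port named in the error) from the `CorpNetSaw` service tag, and TCP 443 from the `AzureActiveDirectoryDomainServices` service tag, then sets the virtual network's DNS servers as the answer's last point recommends. The resource group, NSG and VNet names, the rule priorities and the DNS IP addresses are placeholders; substitute the values from your own deployment.

```powershell
# Added example, not from the original answer. Requires the Az.Network module
# and an authenticated session (Connect-AzAccount).
$rg       = 'rg-aadds'        # placeholder resource group
$nsgName  = 'nsg-aadds'       # placeholder NSG attached to the AADDS subnet
$vnetName = 'vnet-aadds'      # placeholder virtual network

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Inbound TCP 5986: management of the managed domain over WinRM/HTTPS from the
# CorpNetSaw service tag. This is the port the failing connectivity test targets.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowPSRemoting' -Priority 301 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'CorpNetSaw' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 5986 | Out-Null

# Inbound TCP 443: synchronisation with Azure AD from the
# AzureActiveDirectoryDomainServices service tag.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowSyncWithAzureAD' -Priority 101 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 | Out-Null

# Persist the rules and show the resulting inbound rule set for review.
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg | Get-AzNetworkSecurityRuleConfig |
    Where-Object Direction -eq 'Inbound' |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange, Access |
    Format-Table -AutoSize

# Point the VNet's DNS at the addresses the domain controllers will receive
# (placeholders; use the IPs assigned to your managed domain).
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$vnet.DhcpOptions.DnsServers = @('10.0.0.4', '10.0.0.5')
$vnet | Set-AzVirtualNetwork | Out-Null
```

Scoping the 5986 rule to the `CorpNetSaw` service tag rather than `*` keeps the management port closed to the internet while still satisfying the provisioning test; the rules are only ever applied to the NSG on the AADDS subnet, not to workload subnets.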

Use Azure VM Sql server database as source for Azure Analysis Services model

Is it possible to use a database created on an Azure VM as a data source for a model created in Azure Analysis Services?
So far, when I specify connection properties for the model in the web designer and test the connection, I get an error stating "A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)"
I can connect to the server via SSMS and via RDP.
I created a self-signed certificate in the azure key vault and was able to make the SQL server use it. However I can't seem to find out how to make use of it when connecting the model.
Does anyone know if it's possible and if so, what should I do to make it work?
In the end I managed to make it work. For anyone with similar problem, I will write my solution below.
For the error "The certificate chain was issued by an authority that is not trusted" - just as discussed in the thread linked by TJB in comment, this was because I did not have a CA signed certificate, but a self-signed one.
A CA signed certificate from Azure would probably solve the issue, but I tried the Let's Encrypt site (also linked in the other thread). The issue I had with Let's Encrypt was that I had a windows server, while they natively support linux-based systems.
However I found an article by Daniel Hutmacher called Encrypting SQL Server connections with Let’s Encrypt certificates which was solving the very issue I had.
(As for the client tool, the current version is different from the one described in the article, but you can still download the old version on GitHub. I used the latest November 2017 release.) With this I was able to generate and add a CA-signed certificate to SQL Server.
At this point, I created a model in Azure Analysis Services, used Azure Database as the type of source/connection and filled in the connection to my VM SQL server. I saw my database tables, but when I tried to query data, I got a new error, stating that AAS needs an on-premises data gateway set up.
The Microsoft docs Install and configure an on-premises data gateway describe how to install the on-premises data gateway on the VM, but if you are like me and use a personal account for Azure, you will have issues binding your account to the gateway. The solution, as hinted here, is to create a new account in Azure Active Directory (I created a new user and registered it under my Azure custom domain, so the login looked like XXX#zzz.onmicrosoft.com). I gave the user the admin role, so as to temporarily avoid any Azure permission setbacks. Next I added the user to my subscription via Subscriptions -> "My_subscription" -> Access Control (IAM) and assigned the Owner role to the AD user.
Now back on my VM I could bind the new user's account to the gateway (don't forget to change the gateway's region to your preferred region before finishing the setup).
Next, on Azure I created an "on-premise data gateway" service (do note you need to select same region as the one which your VM gateway is located under). I am not sure now, if only the new AD user I created could see the gateway, so in case you do not see it, try the AD user as well.
Last but not least, in the Azure Analytics services I went to the "on-premises data gateway" settings and set it to use the one I just created.
With this I was able to create the model and query the data from database.
Note:
In the model web designer for Analysis Services I happened to be logged in under the AD user, not under my personal account. Attempting to change the account to my personal one ended up in login failure; however, after a few such attempts and opening multiple web designers in separate tabs, I correctly logged in under my personal account. After a while I could no longer replicate the issue.
I guess the issue may have been that I was logged in to Azure under both my personal account and the AD user at the same time in the same browser when setting everything up.
