Azure AD Domain Services fails due to unsuccessful connectivity test - azure-active-directory

Provisioning an instance of Azure AD Domain Services keeps on failing with the following message:
Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.xx:5986
Any ideas?

From : https://github.com/MicrosoftDocs/azure-docs/issues/43240
"message" : The resource operation completed with terminal provisioning state 'Failed'
"details":[{"code":"InternalError","message":"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.190.251.173:5986"}]
Other people who have experienced this issue typically had something to do with VPNs, ExpressRoutes, or other special network setups.
I would suggest checking all your network connections and if you have any unique connections
Wait a few hours or until the next day to try again, as there may be some transient network related issues.
If that does not work, try reinstalling AAD DS on the server.
In addition to that : Please take into consideration Domain service instances using Classic Virtual networks are not supported.
Also I want to share with you the documentation for prerequisites, tutorial, network, notifications.
Prerequisites:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Tutorial to create the instance
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Network security group rules require to setup the Azure AD DS
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/network-considerations#network-security-groups-and-required-ports
Notifications to assist and manage alerts on the ADDS
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/notifications

Make sure the network security group attached to the AADDS subnet is setup properly.
I was able to reproduce the error when the NSG did not have the required inbound rules
Error: waiting for Domain Service (Name: "", Resource Group: ""): Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.198.186.xxx:5986"
The following NSG entries fixed the issue described above.
Also make sure you set the DNS servers on the vnet to the IP addresses that will be assigned to the DC before you deploy the AADDS service.

Related

Issue in Logic app workflow connects to eventhub

I am getting below error in my logic app workflow, I have schedular->MQ->Azure EventHub connectors. I can see message coming till MQ and there is failure in eventhub with below error. Appreciate for any suggestion why this error is comming up, and how to overcome this.
"BadRequest. Http request failed as there is an error: 'The SSL connection could not be established, see inner exception."
You might be receiving this due to Authentication or certificate errors.
You can check for the connection you are establishing while creating the event hub connector.
Authorize access to an event hub by using a Sytem assigned managed identity.
Try checking certificate expiration - To configure service principals with certificate credentials where Azure AD can be used to build a service principal with restricted access at the resource level. Azure Key Vault may be utilised with Azure-managed identities in both scenarios, such that the runtime environment, such as an Azure function, can get the credential from the key vault.
Also you can try checking the inner exception that is occuring and take further actions accordingly.
REFERENCES:
Azure security baseline for Event Hubs
Authentication a managed identity with Azure Active Directory

Query of on-premises SQL Server from Azure web app (over Azure S2S VPN) fails

Our infrastructure team has worked to configure a site-to-site Azure VPN connection between our Azure subscription and our on-prem firewall, essentially following these steps. To test this, we've created a simple Azure web app that makes a query against a SQL Server that is located on-prem behind the firewall.
This web app works locally with no issues. Furthermore, the same code and connection string, when compiled as a console application and run on an Azure virtual machine, works correctly as well. But when deployed to the web app in Azure, the connection to the SQL Server fails:
[Win32Exception (0x80004005): The wait operation timed out]
[SqlException (0x80131904): A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The
server was not found or was not accessible. Verify that the instance
name is correct and that SQL Server is configured to allow remote
connections. (provider: TCP Provider, error: 0 - The wait operation
timed out.)]
Both the Azure VM and web app are configured to point to the Azure VNet. It seems like something is preventing the web app from communicating with the SQL Server on its default port (1433). If I open up the web app's debug console and do a tcpping at the SQL Server with the default port (80), it returns successfully. But a tcpping to port 1433 times out.
It doesn't appear that the Azure Network Security Group is blocking that port:
The only solutions I've found that are relevant to our specific setup basically boil down to "use Azure Hybrid Connections instead", which would not be our first choice.
After working with Microsoft's support, the following changes were made and the VNet integration is working now. I apologize for the lack of detail on some of these, but our infrastructure team did most of the troubleshooting. Hopefully, some of these items will help point someone else the direction of a solution for their setup:
Initially, the connection was being made through public internet and not the VNET Integration and VPN. We identified that the VNET integration was failing due to the tunnel type being used. Azure App Service has a requirement that the tunnel type is SSTP. Once we changed it and synced the network, we were able to tcpping the SQL Server through its private IP.
We noticed it had to allow on the on-premises Network the point-to-site address pool. As a workaround, we decided to use the New VNET Integration (Preview). We created an empty subnet and were able to use this new feature.
We noticed then the App Service was not using the custom DNS. To resolve this, we added the DNS on the Virtual Network and also in the App Settings ("WEBSITE_DNS_SERVER") for the web app.

Azure AWS Db Connection

I’m having a very specific issue with Azure and I couldn’t find any solution on the web.
So, we are little by little migrating our client’s infrastructure to Azure and we are starting with our Workers (webjobs).
These webjobs need to consume data present on a AWS SQL Server instance.
We already have checked that the App Service Plan’s Outbound IPs are whitelisted and that the SQL server is listening on TCP port 1433.
An evidence of that is the fact that we are able to communicate with the SQL Server instance through the Azure Debug Console:
But when we run the WebApp, the worker cannot find and connect to the same DB:
Does anyone have a clue of how I can solve this issue? It would be very appreciated!
Well, as you demonstrated by the first image, the SQL Server instance is configured correctly.
The worker Outbound IP address is definetely the same as the App Service Plan's machine.
Based on that, can you then please check if the Connection string you are setting have 'tcp:' before the IP Address?
Sometimes you need to force it, otherwise IIS can choose other ways to connect to your SQL server (like UDP for instance).

JDBC Connection times out in deployed web app with hosting service

I am using JDBC to create a connection to an MS SQL Server Database. The same code and connection string works fine on a number of platforms and in particular in my spring MVC Web Application.
After deploying the web application to a remote tomcat hosting service, everything appears to work fine in the code except that the database connection times out.
"com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host <IP Address>, port 1433 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall."
The hosting company says I must provide the exact steps to recreate the problem which may not be ideal. The only thing I can think of is to write another cut down application that connects to a different db with different credentials and test that in dev and deploy and then email them the war so they can deploy it and test it in their own environment.
Does anyone know of reasons why this might happen with a hosting service, like blocking the database response for some reason? Or is this very unlikely and should I assume that I am doing something wrong and persevere in understanding what might be different between my dev app and deployed app that could cause this timeout. Not that I can think of anything.
I don't want to take all that time if there is a common reason why this might happen that someone could point me to.
Thank you.

Kerberos Delegation for Clients Ouside the Firewall

I am trying to run a SQL Server Reporting Services where the data for the report is on a SQL Server database that's on a different server. Integrated Authentication is turned on for both the Report Server and the report. I have confirmed that Kerberos delegation is working fine by using Internet Explorer to run the report from inside the network.
However, when I open the report server through the firewall, I cannot run the report. I get the following error: An error has occurred during report processing. Cannot create a connection to data source 'frattoxppro2'. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Does Kerberos authentication not work outside a firewall?
Kerberos requires a port 88 connection to the KDC, in this case, most likely your DC.
What you probably want to look at is HTTPS + Basic Authentication + Protocol Transition to take the Basic Authentication and translate it into a DC based Kerberos Ticket for delegation and back end authentication.
Protocol Transition with
Constrained Delegation Technical
Supplement
How To: Use Protocol Transition and
Constrained Delegation in
ASP.NET
Not exactly the easiest to set up, but when its working, it works amazingly well.
I'm not really in a position to tell you why kerberos isn't working for you, but did have a alternative suggestion for your configuration. You can use ISA services to expose the reporting server rather than simply poking a hole in your firewall. This is something our company has done successfully - it republishes the reporting services site so the browsers are talking to ISA, not directly to the server. ISA Services is quite happy to pass through your credentials as well.

Resources