Azure Stack - Account setup

Terje

14 Nov, 2017 09:44 AM

We are trying to connect to an Azure Stack environment, but have some issues. Using the Azure overrides I can change the management URL of Azure Stack, but I am getting an error on token validation. I've gotten as far as to get this message:

Unable to verify Azure Account:
 The access token has been obtained from wrong audience or resource 'https://management.***/'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.***.onmicrosoft.com/***','https://graph.windows.net/'.

But that one I cannot fix... When configuring PowerShell AzureRM (see https://docs.microsoft.com/en-us/azure/azure-stack/user/azure-stack-powershell-configure-user) you also have to set the GraphAudience to https://graph.windows.net/, which is probably what is missing here. This is assuming Azure Stack is using Azure AD authentication; with ADFS it is a different graph endpoint.

I've managed to somewhat work around this for now though. In the Azure overrides I set the environment name to AzureStack and then on the build server I've created that endpoint manually in PowerShell, and enabled context saving for AzureRm. So when I'm using the PowerShell script step, and set Octopus.Action.Azure.UseBundledAzurePowerShellModules to false, it is working since it's finding the environment I manually configured. This of course only works if updating AzureRM PowerShell to the latest version and setting that variable. So in every project I now have to set the variable or it will fail.

The Azure Resource deployment fails, however. I saw another thread suggesting using an Azure PowerShell script step and running the deployment from that, which I can do for now. But it would be nice if that could also work in this scenario.
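
The error quoted above is an exact-match failure on the token's `aud` claim. As an added example (not part of the original post, and not Octopus or Microsoft code), the PowerShell below decodes a token's payload and compares `aud` to a list of allowed audiences with an ordinal comparison, so a missing trailing slash or a different management host is reported as a mismatch. The function names, hosts and sample tokens are constructed for illustration; the code reads claims only and does not validate the token signature.

```powershell
# Added diagnostic example. It only reads claims; it does NOT validate the signature.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url omits
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtAudience([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $payload = $parts[1]
    $claims = ConvertFrom-Base64Url $payload | ConvertFrom-Json
    @($claims.aud)   # "aud" may be a single string or an array of strings
}

function Test-JwtAudience([string]$Token, [string[]]$AllowedAudience) {
    $audiences = Get-JwtAudience $Token
    foreach ($aud in $audiences) {
        foreach ($allowed in $AllowedAudience) {
            # Ordinal: case-sensitive, character for character, trailing slash included.
            if ([string]::Equals($aud, $allowed, [StringComparison]::Ordinal)) { return $true }
        }
    }
    $got  = $audiences -join ', '
    $want = $AllowedAudience -join ', '
    Write-Warning "Token audience ($got) matches none of the allowed audiences ($want)."
    $false
}

# Constructed, unsigned sample tokens. Hosts are placeholders, not values from the thread.
function New-SampleToken([string]$Audience) {
    $enc = { param($t) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($t)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header = & $enc '{"alg":"none"}'
    $body   = & $enc (@{ aud = $Audience } | ConvertTo-Json -Compress)
    @($header, $body, 'constructed') -join '.'
}

$allowed = 'https://management.tenant.example/constructed-resource-id', 'https://graph.windows.net/'
Test-JwtAudience (New-SampleToken 'https://graph.windows.net/') $allowed        # exact match
Test-JwtAudience (New-SampleToken 'https://graph.windows.net') $allowed         # no trailing slash
Test-JwtAudience (New-SampleToken 'https://management.stack.example/') $allowed # different resource
```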

  1. Support Staff 1 Posted by Daniel Fischer on 23 Nov, 2017 06:13 AM

    Hi,

    Thanks for getting in touch here. I'm sorry for the delay in getting a response back to you. I have run this past various developers and team members, and it looks like our help may be limited here currently. As Azure Stack is quite new and quite complex, we do not currently have the infrastructure in place to be able to internally develop/test any kind of consistent fix. This means we cannot be certain what would work to resolve your issue. It is possible that some Calamari code changes could help, so we are going to look a bit deeper into this avenue.

    We are going to continue keeping an eye on any reports of issues with Azure Stack and investigating. However, currently it's not something our developers are able to fix.

    I am sorry again for the delay in responding to you and for the complete lack of help I was able to provide in my response.

    Best regards,
    Daniel

  2. 2 Posted by Terje on 23 Nov, 2017 07:34 AM

    Thanks for the feedback. I understand it is not easy to test and develop against. I have managed to work around it for now; I just cannot use the "Azure Resource Group" deployment step, since it always fails with the same error as I get when trying to verify the account.

    If it was at least possible to specify the graph URI in the Azure account setup, I think that could help solve this. If you need any help verifying a fix I'll gladly help, as we do have a running Azure Stack now.
