question

NikitaPandey-6512 asked ·

Created a web app in C#.NET to access the key vault from Azure by using App Service, but it is working if we run using IIS Express, but not working if we host on IIS. Why? Since the app will be hosted on IIS only.

Following is the code snippet:

    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;
    using SummitSecurity;
    using System;
    using System.Configuration;
    using System.Threading.Tasks;

    namespace Azure_WebApp
    {
        public partial class Azure_Form : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
            }

            protected void Button1_Click(object sender, EventArgs e)
            {
                // Blocks the request thread until the asynchronous Key Vault call completes.
                string str = ResultOnGetAsync().Result;
                Label1.Text = str.ToString();
            }

            public static string WMIUserPWDKey = string.Empty;

            public static string Message { get; set; }

            private static async Task<string> ResultOnGetAsync()
            {
                string ret = string.Empty;

                try
                {
                    // With no connection string, the provider tries each credential source in turn
                    // (the error message below lists the four it tried).
                    AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

                    KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
                    var secret = await keyVaultClient.GetSecretAsync("https://summitazurekey.vault.azure.net/secrets/AzureKey")
                        .ConfigureAwait(false);

                    Message = secret.Value;
                    WMIUserPWDKey = fnDecrypt(secret.Tags["WMIUserPWDKey"].ToString(), "");
                    string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
                    string strEncrypted = string.Empty;
                    strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
                    ret = $"AzureDecryptKey is {WMIUserPWDKey.ToString()}\n" +
                        "" +
                        $"{Encrypted()}";
                }
                catch (Exception ex)
                {
                    // The exception is only written to the console; the method then returns an empty string.
                    Console.WriteLine(ex.ToString());
                }
                return ret;
            }

            // Round-trips a test string through encrypt/decrypt using the key read from the secret's tag.
            static string Encrypted()
            {
                string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
                string strEncrypted = string.Empty;
                strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
                string strDecrypted = string.Empty;
                strDecrypted = CommonExtensionMethods.QueryStringDecrypt(strEncrypted, WMIUserPWDKey);
                string EnDecKey = $"Encrypted: " +
                    $"{strEncrypted.ToString()}\n" + "Decrypted: " +
                    $"{strDecrypted.ToString()}";
                return EnDecKey;
            }

            // This method implements exponential backoff if there are 429 errors from Azure Key Vault
            private static long getWaitTime(int retryCount)
            {
                long waitTime = ((long)Math.Pow(2, retryCount) * 100L);
                return waitTime;
            }

            // This method fetches a token from Azure Active Directory, which can then be provided to Azure Key Vault to authenticate
            public async Task<string> GetAccessTokenAsync()
            {
                var azureServiceTokenProvider = new AzureServiceTokenProvider();
                string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://summitazurekey.vault.azure.net");
                return accessToken;
            }
        }
    }



The error I am getting is :-

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried the following 4 methods to get an access token, but none of them worked.

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Windows\system32\config\systemprofile\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired.

    Traceback (most recent call last):
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\_session.py", line 48, in load
      File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\codecs.py", line 897, in open
        file = builtins.open(filename, mode, buffering)
    PermissionError: [Errno 13] Permission denied: 'C:\\Windows\\system32\\config\\systemprofile\\.azure\\azureProfile.json'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 193, in _run_module_as_main
        "__main__", mod_spec)
      File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli\azure\cli\__main__.py", line 33, in <module>
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\__init__.py", line 562, in get_default_cli
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\__init__.py", line 53, in __init__
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\_session.py", line 61, in load
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\_session.py", line 65, in save
      File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\codecs.py", line 897, in open
        file = builtins.open(filename, mode, buffering)
    PermissionError: [Errno 13] Permission denied: 'C:\\Windows\\system32\\config\\systemprofile\\.azure\\azureProfile.json'

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Integrated Windows Auth is not supported for managed users. See https://aka.ms/adal-iwa for details.

I want to know the solution here, since the app will be hosted on IIS only. Or is it only due to some permission issue?

Please help me out as soon as possible.....

azure-webapps

Hi @NikitaPandey-6512, just to make sure I'm understanding: when you run the web app locally you're able to access the key vault, but once you deploy your app to an app service, you're getting the connection string error, correct?

And you've created a managed identity associated with your app and given that identity permissions to the key vault?


1 Answer

SaurabhSharma-msft answered ·

I have got a confirmation from Nikita on the MSDN thread that the below steps helped resolve her issue -

  • Configure Application pool to run as your user account.

  • Configure setProfileEnvironment to True. Go to %windir%\System32\inetsrv\config\applicationHost.config and search for "setProfileEnvironment". If it's set to "False", change it to "True". If it's not present, add it as an attribute to the processModel element (/configuration/system.applicationHost/applicationPools/applicationPoolDefaults/processModel/@setProfileEnvironment), and set it to "True".

Also, this issue is a duplicate of these two -

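A read-only check for the two steps in the answer above, added here as an example and not part of the original thread: it parses applicationHost.config and reports, per application pool, the effective identityType and setProfileEnvironment (a per-pool processModel attribute overrides applicationPoolDefaults). The function names, pool names and account name are hypothetical, and the XML is a constructed sample.

```powershell
# Constructed sample of applicationHost.config (pool and account names are made up).
# On a real server, load "$env:windir\System32\inetsrv\config\applicationHost.config" instead.
[xml]$sampleConfig = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="KeyVaultApp">
        <processModel identityType="SpecificUser" userName="EXAMPLE\devuser" setProfileEnvironment="true" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" setProfileEnvironment="false" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

# A per-pool attribute overrides applicationPoolDefaults; returns $null when neither sets it.
function Get-EffectiveAttribute($PoolModel, $DefaultModel, [string]$Name) {
    foreach ($node in @($PoolModel, $DefaultModel)) {
        if ($node -and $node.HasAttribute($Name)) { return $node.GetAttribute($Name) }
    }
    return $null
}

function Get-AppPoolProfileAudit([xml]$Config) {
    $base     = '/configuration/system.applicationHost/applicationPools'
    $defaults = $Config.SelectSingleNode("$base/applicationPoolDefaults/processModel")
    foreach ($pool in $Config.SelectNodes("$base/add")) {
        $model    = $pool.SelectSingleNode('processModel')
        $identity = Get-EffectiveAttribute $model $defaults 'identityType'
        $setEnv   = Get-EffectiveAttribute $model $defaults 'setProfileEnvironment'
        [pscustomobject]@{
            Pool                  = $pool.GetAttribute('name')
            IdentityType          = $identity
            SetProfileEnvironment = $setEnv
            # Step 1 of the answer: the pool runs as a named user account.
            RunsAsUserAccount     = ($identity -eq 'SpecificUser')
            # Step 2 of the answer: setProfileEnvironment is explicitly True.
            ProfileEnvironmentSet = ($setEnv -eq 'true')
        }
    }
}

Get-AppPoolProfileAudit $sampleConfig | Format-Table -AutoSize
```

On the sample, DefaultAppPool inherits ApplicationPoolIdentity and setProfileEnvironment="false" from the defaults and fails both checks, while KeyVaultApp passes both.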