question

AdityaDhole-7130 asked AdityaDhole-7130 commented

Indirect CNAME validation for custom domain in Storage Accounts not working?

I am trying to map a custom domain to an Azure Storage blob service endpoint using indirect CNAME validation. For the purposes of this question, assume that the custom domain is www.example-domain.com. As per the official Azure documentation, I have created a CNAME record with my domain registrar, mapping the "asverify.www" subdomain to "asverify.<storage_account_name>.blob.core.windows.net".

After this, I logged on to the Azure Portal and navigated to my storage account. There, under the Networking tab, I selected the custom domain tab and entered the custom domain URL (www.example-domain.com). Since I want to use the Indirect CNAME Validation option, I checked the corresponding checkbox and clicked on 'Save'. I got a notification saying that the operation was successful.

However, when I inspect the Resource JSON of the storage account, I cannot see the parameter 'use_subdomain' or 'use_subdomain_name', which indicates whether indirect CNAME validation is set or not. Even when I retrieve the details of my storage account via Azure CLI, it shows the 'custom_domain' block, within which the name parameter is set to the custom domain URL, but the 'use_subdomain_name' parameter is set to null.

Please find the screenshot of the Resource JSON and the output from Azure CLI below. These have been captured after the custom domain was successfully mapped to the blob storage endpoint, with indirect CNAME validation set to true (through the Portal).

Resource JSON - Azure Portal

117357-image.png

Azure CLI - output of command "az storage account show --ids <my-storage-account-id>"
(Relevant part is highlighted in bold)

{
  "accessTier": "Hot",
  "allowBlobPublicAccess": false,
  "azureFilesIdentityBasedAuthentication": {
    "activeDirectoryProperties": {
      "azureStorageSid": "S-1-5-21-41432690-3719764436-1984117282-2110",
      "domainGuid": "b63b4f44-58b9-49cf-8911-b36e8575d5eb",
      "domainName": "User01",
      "domainSid": "S-1-5-21-41432690-3719764436-1984117282",
      "forestName": "User01.com",
      "netBiosDomainName": "USER01"
    },
    "directoryServiceOptions": "AD"
  },
  "blobRestoreStatus": null,
  "creationTime": "2021-07-23T06:04:02.212232+00:00",
  "customDomain": {
    "name": "www.example-domain.com",
    "useSubDomainName": null
  },
  "enableHttpsTrafficOnly": false,
  "encryption": {
    "keySource": "Microsoft.Storage",
    "keyVaultProperties": null,
    "requireInfrastructureEncryption": null,
    "services": {
      "blob": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2021-07-23T06:04:02.305920+00:00"
      },
      "file": {
        "enabled": true,
        "keyType": "Account",
        "lastEnabledTime": "2021-07-23T06:04:02.305920+00:00"
      },
      "queue": null,
      "table": null
    }
  },
  "failoverInProgress": null,
  "geoReplicationStats": null,
  "id": "/subscriptions<subscription-id>/resourceGroups/AZ-900RG/providers/Microsoft.Storage/storageAccounts/example266072021",
  "identity": {
    "principalId": null,
    "tenantId": null
  },
  "isHnsEnabled": false,
  "kind": "StorageV2",
  "largeFileSharesState": null,
  "lastGeoFailoverTime": null,
  "location": "eastus",
  "minimumTlsVersion": "TLS1_0",
  "name": "example266072021",
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Allow",
    "ipRules": [],
    "resourceAccessRules": [],
    "virtualNetworkRules": []
  },
  "primaryEndpoints": {
    "blob": "https://example266072021.blob.core.windows.net/",
    "dfs": "https://example266072021.dfs.core.windows.net/",
    "file": "https://example266072021.file.core.windows.net/",
    "internetEndpoints": null,
    "microsoftEndpoints": null,
    "queue": "https://example266072021.queue.core.windows.net/",
    "table": "https://example266072021.table.core.windows.net/",
    "web": "https://example266072021.z13.web.core.windows.net/"
  },
  "primaryLocation": "eastus",
  "privateEndpointConnections": [],
  "provisioningState": "Succeeded",
  "resourceGroup": "AZ-900RG",
  "routingPreference": null,
  "secondaryEndpoints": null,
  "secondaryLocation": null,
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}

Could someone please let me know why this is happening, or if this is the intended behaviour (because in the case of the Resource JSON, even when indirect CNAME validation is set to false, the JSON does not contain the 'use_subdomain'/'use_subdomain_name' parameter)?


Thanks in advance!

azure-storage-accounts

@AdityaDhole-7130 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. I am checking on this thread.

1 Vote 1 ·

Hi, any updates on this?

0 Votes 0 ·

@AdityaDhole-7130 118157-capture.png
I think this is the reason why get storage account is not reflecting this info (can you cross-verify the Storage account again?) before we start the further troubleshooting.

Also check the REST doc: https://docs.microsoft.com/en-us/rest/api/storagerp/storage-accounts/update#customdomain



0 Votes 0 ·

0 Answers
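
The CLI output in the question shows `useSubDomainName` as null even after a successful indirect validation, so this added example (not part of the original thread and not Microsoft's code) checks the mapping from what is visible instead: `customDomain.name`, the blob endpoint, and the CNAME records actually published. The status names, the `observed_cnames` input and the "direct" cut-over record are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: trimmed from the `az storage account show` output above.
ACCOUNT_JSON = """{
  "name": "example266072021",
  "customDomain": {"name": "www.example-domain.com", "useSubDomainName": null},
  "primaryEndpoints": {"blob": "https://example266072021.blob.core.windows.net/"}
}"""


def norm(host):
    """Lower-case and drop the trailing root dot so DNS names compare equal."""
    return host.strip().rstrip(".").lower()


def expected_records(account):
    """Derive the CNAME (owner, target) pairs from the account JSON."""
    domain = norm(account["customDomain"]["name"])
    blob_host = norm(urlparse(account["primaryEndpoints"]["blob"]).hostname)
    return {
        # Record used for indirect validation, as described in the question.
        "verify": ("asverify." + domain, "asverify." + blob_host),
        # Later cut-over record; not covered in the thread (assumption).
        "direct": (domain, blob_host),
    }


def check_mapping(account, observed_cnames):
    """Classify the mapping from the account JSON plus observed DNS answers.

    observed_cnames maps owner name -> CNAME target (for example collected
    with `dig +short CNAME <owner>`); passing it in keeps the check offline.
    """
    if not (account.get("customDomain") or {}).get("name"):
        return "no-custom-domain"
    seen = {norm(k): norm(v) for k, v in observed_cnames.items()}
    records = expected_records(account)
    matches = {kind: seen.get(owner) == target
               for kind, (owner, target) in records.items()}
    if matches["direct"]:
        return "registered-and-routed"
    if matches["verify"]:
        return "registered-verification-only"
    return "registered-dns-mismatch"


if __name__ == "__main__":
    account = json.loads(ACCOUNT_JSON)
    dns = {"asverify.www.example-domain.com.":
           "asverify.example266072021.blob.core.windows.net."}  # constructed
    print(check_mapping(account, dns))
```

A `registered-dns-mismatch` result means the account still claims the domain while neither expected record is published, which is the state to review first when auditing custom-domain registrations.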