question

TaranjeetSinghMalik-1964 avatar image
1 Vote"
TaranjeetSinghMalik-1964 asked SadiqhAhmed-MSFT answered

Azure Migrate: Discovery and Assessment - Error 2147942405: Access Denied

Hi

We're trying to perform discovery and assessment of a single AWS VM. Have downloaded and installed the appliance locally on the VM. The:

  1. Setup prerequisites (connectivity to Azure, Time sync, and updates) passed

  2. AM appliance got registered

  3. Entered the physical server credentials and tried validating, however, this is failing with the below error

123348-access-denied-error.png




This is a workgroup system and the account used is a member of these groups:

  1. Local Administrator

  2. Performance Log Users

  3. Performance Monitor Users

  4. Remote Management Users

Followed the guidance here--> https://docs.microsoft.com/en-us/azure/migrate/troubleshoot-appliance#access-is-denied-when-connecting-to-physical-servers-during-validation

and here

https://docs.microsoft.com/en-us/azure/migrate/troubleshoot-discovery#error-9022-getwmiobjectaccessdenied


Also validated that the machine is accessible over Port 5985 (WinRM).

Any further suggestions / articles to troubleshoot the issue please?


Thanks
Taranjeet Singh




azure-migrate
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @TaranjeetSinghMalik-1964 - Sorry for the inconvenience this must have caused!

Sharing the solution from a similar issue worked by Azure migrate technical support team.

123567-image.png
123661-image.png
123671-image.png

Hope it helps!


If the response helped, do "Accept Answer" and up-vote it.


0 Votes 0 ·
image.png (31.0 KiB)
image.png (75.6 KiB)
image.png (72.0 KiB)

Hi @SadiqhAhmed-MSFT

Thanks for your time and suggestions. My bad, I should have included this in my initial query. The suggestions you made were already tested by us on two systems without luck.

Looking forward to any further information.



Thanks
Taranjeet Singh

0 Votes 0 ·
SadiqhAhmed-MSFT avatar image SadiqhAhmed-MSFT TaranjeetSinghMalik-1964 ·

@TaranjeetSinghMalik-1964 - The query needs a further deeper dive technically.

I recommend you to create a technical support ticket. The ticket enables you to work closely with the support engineers and get a quick resolution to your issue.

Here is the link - https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request to create support case.

0 Votes 0 ·

1 Answer

SadiqhAhmed-MSFT avatar image
0 Votes"
SadiqhAhmed-MSFT answered

Sharing the solution with broader community!

Here is a summary of this case for your reference:

Issue Definition:
Source validation failed with "Access is denied" when connecting to physical server.



Root Cause Analysis:
We confirmed the user account has the documented privileges and checked registry for UAC and appliance. Confirmed the WinRM is working fine.



Per testing, we added host name and public IP in hosts, then we can pass the validation by using host name and local host, but still failed validation with public IP.



Discovery completed successfully as expected.

Per investigation by Ipsit, the machines created are configured as default with a private VPC. This would explain the reason why the Public IP failed to validate successfully. The loopback path as verified from nslookup stands correct as it uses a Private IP defined DNS network. Now we had 2 machines A and B:
A trying to connect to A with a public IP address failed since A being part of a private Network was using the local DNS to identify the destination. The local VPC usually does not have global NAT data so the address translation of the public IP to a Private IP fails. The reason for this being public IPs of a machine are assigned and stored by the network provider which in this case is AWS.

In the scenario where B connects to A or A connects to B wherein they are both part of the subnet but created independent of each other. The address translation was possible as B lies outside A’s VPC, so global AWS NAT for that environment was able to get the private IP of A associated public IP of A. Hence the connection from B to A and A to B were successful.

More details can be found in the AWS documentation.


If the response helped, do "Accept Answer" and up-vote it.



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.