I have followed this tutorial to create the first azure application
http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_IntroToWindowsAzureLabVS2010
Because after deployment its not working on the following url
http://24fb8b6a055d4ab2a556218f62d6dbe1.cloudapp.net/
I found the following link helpful to connect via remote desktop to be able to see the error:
http://wely-lau.net/tag/remote-desktop/
However, after following all steps, I get the following error
Remote Desktop can’t connect to the remote computer for one of these
reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the
network, and that remote access is enabled.
In:
ServiceConfiguration.Cloud.cscfg
I have this contents
<?xml version="1.0"?>
<ServiceConfiguration serviceName="GuestBook" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
<Role name="GuestBook_WebRole">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=https;AccountName=luisvalenciaguestbook;AccountKey=x" />
<Setting name="DataConnectionString" value="DefaultEndpointsProtocol=https;AccountName=luisvalenciaguestbook;AccountKey=x" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="levalencia" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="x" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2012-12-16T23:59:59.0000000+01:00" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="x" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
<Role name="GuestBook_WorkerRole">
<Instances count="1" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=https;AccountName=luisvalenciaguestbook;AccountKey=x" />
<Setting name="DataConnectionString" value="DefaultEndpointsProtocol=https;AccountName=luisvalenciaguestbook;AccountKey=x" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="levalencia" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="x" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2012-12-16T23:59:59.0000000+01:00" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="x" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>
By default Remote Desktop for Azure uses the usual TCP port 3389: you'll need to have this enabled outbound at your corporate firewall.
An alternative approach to setting up Remote Desktop through the configuration files directly or through Visual Studio is to use the Azure Management Portal to modify them temporarily. This is rather easier and somewhat less error prone, especially where certificates are concerned.
Sign in to the management portal as usual, and choose "Hosted Services". Then find the service you'd like to configure.
The next step is to configure the Web Role or Worker Role to allow Remote Desktop connections: this will adjust the configuration file for the service, so any changes here will be lost when you next upgrade or reimage. Select the role, then in the toolbar ensure "Enable" is checked on, and choose Configure:
You'll be prompted for the username, password, certificate and expiry time.
Choose OK. If you've made changes to the configuration it can take a little while (sometimes several minutes) for them to be applied.
Once the instances are marked as "ready" again, you can then select one and choose Connect:
This will download a file with the extension .rdp, which you can then open to connect to the remote host. (You will most likely see some security warnings when you do so.)
If you still see the warning about being unable to connect to the remote host then there are a couple of things to explore: certificates and firewall issues. In my experience the "manual" process, configuring the remote desktop settings in Azure through the portal, usually gets around any issues with certificates.
Firewall issues are harder to resolve. You may find that using Windows Azure Connect -- which in essence creates a secure VPN connection from your PC to the Azure instances -- allows you to access the Azure host directly, tunnelling across your corporate firewall.
If you are exposing a https endpoint, make sure you also expose an http endpoint. This solved the same issue for me with a data service I am hosting in a webrole.
All the above didn't work for me.
Enter your credentials, prefixed with . E.g. “\maarten”. This is done to strip off the Windows domain from the credentials entered.
Its somehow strange that is not documented anywhere and it should be stripped off by the windows azure RD manager !
I had this problem and nothing worked, I couldn't Remote Desktop in even though the role was fully working.
It turns out there is a known issue with Azure SDK 1.7 and 1.8. Here is the info I received from Microsoft:
A timing issue in a role startup in SDK versions 1.7 and 1.8 sometimes causes a firewall rule required by the Remote Forwarder Service to be deleted. Restart of the service will correct the problem and recreate the firewall rule but this is not a persistent fix. Any redeployment or restart of the role instance may cause the problem to reoccur.
Work Around:
Azure application developers can implement a custom startup task that refers to a *.cmd file (e.g. RemoteForwarderConfig.cmd) as described below. This will ensure a firewall rule is created that opens ports for the Remote Forwarder Service. This startup task should be added to the role designated for running the remote forwarder.
Documentation on startup tasks is available at http://msdn.microsoft.com/en-us/library/windowsazure/gg456327.aspx
Example task config:
<Task commandLine="RemoteForwarderConfig.cmd" executionContext="elevated" taskType="background"></Task>
Example task cmd file contents:
#echo off
netsh advfirewall firewall add rule name="RemoteForwarderService custom rule" description="Allow incoming connections to the remote forwarder" dir=in protocol=tcp program="%ProgramFiles%\Windows Azure Remote Forwarder\RemoteForwarder\RemoteForwarderService.exe" action=allow enable=yes
I had this issue and couldn't figure it out.
Turned out the password wasn't complex enough however it didn't inform me of this at any point. Adding a more complex password and logging in with \YourUsername sorted it for me!
Related
I’m getting the following behavior when I try to launch an Azure Cloud Service locally
1) Popup that the debugging environment is getting ready is shown (step1.jpg)
2) Message “Your about to be signed out, crypto settings changed” is shown (step2.jpg)
3) Force restart of the notebook is performed (step3.jpg)
This is happening constantly in both debug and start without debugging options.
I tried changing the properties of the azure cloud service but it didn’t help. I also tried to use the internet what does this message mean and could not find any relevant data. appreciate ANY help. Thanks!
Check you ServiceDefinition.csdef for startup tasks. I think you maybe running the DisableSslv3.cmd script on your local machine causing it to force a restart. Just comment out the line while debugging locally.
In addition to the answer of #user2282308, I would say that in a more global approach, it worth to check the startup tasks in the serviceDefinition.csdef and verify that all tasks are executed as "expected".
#user22822308 spoke about DisableSslv3.cmd, but on my side, the issue was that the script runTLSsettings.cmd should be executed only when running on Azure service (this script ends with a reboot of the machine and the famous "crypto settings changed")
This is the serviceDefinition.csdef integration that is proposed by Microsoft for the runTLSSettings script:
<Startup>
<Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd">
</Task>
</Startup>
This is ok when debugging your cloud service in Visual Studio 2019, but as soon as you try to debug with Visual Studio 2022 you will receive the "Crypto settings changed".
My feeling is that the startup task is not done in VS 2019 meanwhile it is done in VS 2022.
Thus, what is missing is the definition of the environment variable that indicate to runTLSSettings script if we are running on emulator or not.
The environment variable definition is well explained in this other microsoft documentation:
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-startup-tasks#environment-variables
At the end, this is the correct csdef:
<Startup>
<Task commandLine="runTLSSettings.cmd" executionContext="limited" taskType="simple">
<Environment>
<Variable name="ComputeEmulatorRunning">
<RoleInstanceValue xpath="/RoleEnvironment/Deployment/#emulated" />
</Variable>
</Environment>
</Task>
This happens every single time I run Visual Studio without elevated privilege's. When I start debugging the cloud service and the azure emulator starts, I get this message and the computer reboots.
My cloud service has the following config:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration ...>
<Role name="...">
<ConfigurationSettings>
<Setting name="MyCertThumbprint" value="AB687DC9F63D51AE6E9522B86B97EFD15F55EA42" />
</ConfigurationSettings>
<Certificates>
<Certificate name="MyCert" thumbprint="AB687DC9F63D51AE6E9522B86B97EFD15F55EA42" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>
See the redundance?
I want to get rid of MyCertThumbprint config. Is there an Azure API that gives me access to the thumbprint of MyCert? Or maybe the X509Certificate2 instance itself (i.e. without having to search for it using X509Store) ?
Sure - if you know other information about the certificate, you can use any of the X509FindType Enumerations with X509Certificate2Collection.Find Method. Unfortunately, the Certificates section of the ServiceConfiguration is for locating the certificate in the Cloud Service certificate store and installing that certificate on the VMs associated with the Role you are deploying. There is no API to access the section directly. So your choice is to hard code something like the certificate subject name or the thumbprint and hope it doesn't change, or add a setting like you've demonstrated in your code sample that is configurable with each deployment.
The ConfigurationSettings section mirrors the appSettings section in the web.config file and when used in conjunction with CloudConfigurationManager.GetSetting("settingsKey") with look first in the ServiceConnfiguration then in the web.config for application settings, allowing you to un local in an emulator or just IIS express and achieve the same functionality. So we duplicate the settings in both ServiceConfiguration and web.config.
I am calling a web service (for sms sending) in my asp.net web application. When my web application is on Developer Server, the web service is called and everything is fine, the expected results are returned. However, when the application is run on IIS, I cannot call the web service and I get this WebException:
"Unable to connect to the remote server"
And in details, InnerException, the message is "No connection could be made because the target machine actively refused it SomeIP:SomePort" where SomeIP is the web service IP address and SomePort is 80
(I was suspecting the problem is the port 80, since pinging SomeIP returns a response but Telnet on SomeIP SomePort fails. But I'm not sure if this is really the problem, I mean, how could the application set a different port when run on IIS!)
I really appreciate any help or ideas!
I had a similar issue wherein the unit test was successfully able to call the external web service, while the asp.net mvc application I was working on was unable to.
I had to a web.config entry to make it work. I am sharing the config entry, which I think, could help people with a similar issue. By the way, this section goes directly under the root element within web.config file. Replace proxy server name and port as applicable in your context.
<system.net>
<defaultProxy>
<proxy proxyaddress="http://<proxy server name>:<port>" />
</defaultProxy>
<!--<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="True" bypassonlocal="True" />
</defaultProxy>-->
</system.net>
I have some code that wraps the PayflowPro .NET API. It essentially posts to a HTTPS address (a payment gateway) from C#. I can run this code locally and it works nicely. I can run it in my MSUnit tests and it works, and I can run it from a console application on my test environment and it also works.
I have a workflow hosted in IIS 6.1, which instantiates a class which in turn calls this code. When this workflow is started the code fails everytime; I get an error like System.Exception: Failed to connect to host Input Server Uri = https://pilot-payflowpro.paypal.com/ from the API object.
This exception is coming from the API, but I am completely lost as to how I can succesfully post from a console application but not from an IIS process.
The class is exactly the same, word for word.
I log in as administrator, so the console app is running as administrator. Therefore I have tried using the administrator account for the application pool for the website (for this testing only, obviously)
The console app can post so therefore the firewall / proxy aren't interfering... right?
Is there anything I need to adjust in IIS to allow an application to communicate outside? Are there any obvious security settings that I'm overlooking? Any suggestions for test cases to run to find out what might be going on?
edit: Turns out that this problem is somehow related to the VM environment in which the server is running. This problem doesn't occur on my development box, the test server or the production server - it's only occurring on the integration server. The cause is still unknown but I am no longer working on it.
This might be caused by an ASP.NET trust configuration issue. To check the trust level open the following file in an editor:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config (if ASP.NET 2.0)
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG\web.config (if ASP.NET 4.0)
You may also need to edit the C:\WINDOWS\Microsoft.NET\Framework64 versions of these if you're running on 64 bit Windows.
Scroll down to the <securityPolicy> configuration section which looks like:
<location allowOverride="false">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal"/>
<trustLevel name="High" policyFile="web_hightrust.config"/>
<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
<trustLevel name="Low" policyFile="web_lowtrust.config"/>
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
<trust level="Medium" originUrl=""/>
</system.web>
</location>
If you see anything other than <trust level="Full" originUrl=""/> it means the server is running under Partial Trust.
Open the .config file specified by the relevant policyFile attribute, for example web_mediumtrust.config if level="Medium".
It's highly unlikely that the server will be running under anything less than Low Trust.
Locate the <NamedPermissionSets> section, under this there is a <PermissionSet> that looks like:
<PermissionSet
class="NamedPermissionSet"
version="1"
Name="ASP.Net">
This contains a number of <IPermission> nodes. Look for one that called WebPermission, it looks like this:
<IPermission
class="WebPermission"
version="1">
If it's missing or looks like:
<IPermission
class="WebPermission"
version="1">
<ConnectAccess>
<URI uri="$OriginHost$"/>
</ConnectAccess>
</IPermission>
You need to add or modify so it looks like:
<IPermission
class="WebPermission"
version="1"
Unrestricted="true"/>
This setting controls outbound and inbound access from your application to or from a URI.
It may also be necessary to ensure that the SocketPermission configuration is similarly configured:
<IPermission
class="SocketPermission"
version="1"
Unrestricted="true"/>
Turns out that this problem is somehow related to the VM environment in which the server is running. This problem doesn't occur on my development box, the test server or the production server - it's only occurring on the integration server. The cause is still unknown but I am no longer working on it.
The deployment requirements for my app (a windows service written in C#) state the presence of a Proxy server.
From my interaction with the person who will install my app:
1. His company blocks access to internet via the proxy
2. He needs to provide the path to the proxy script in his IE Config.
3. He also needs to input a user-name/password.
My application needs to access a publicly hosted WebService. In preparation, I sent him a test Winform app. In the app.config file I used the setting mentioned in this post .NET client app: how to reach Web Services in case of proxy?
However, it did not work. I customized the proxy setting in App.config as per his IE settings, yet nothing seemed to work.
I don't want to hard-code the proxy settings in my app using the System.Net classes. There is no doubt in my mind that I want to use the config file.
So, I want to install a proxy on a VPC image and try and get my application to run.
My question:
1. What is a good proxy that I can install on my VM (windows only - no linux/squid pls.) that will replicate the behaviour that I mentioned in 2 & 3 above.
2. In case it is of interest, the proxy settings I used was:
<system.net>
<defaultProxy >
<proxy usesystemdefault= “False“ proxyaddress=“http://10.1.10.10:8080“ bypassonlocal=“True“ />
</defaultProxy>
</system.net>
Assuming that the system will read the settings from IE, I also tried
<proxy autoDetect="true" />
It did not work.
Pls. let me know if my requirements are unclear.
The open source squid proxy has Windows binaries.
If you have a Windows Server OS in you VPC, you could try out Microsoft's very own ISA Server. There's a 180-day trial version here.