How can I add Managed Identity to a DevTest Labs VM? - azure-managed-identity

I want to develop and test MSI on my development Windows VM which I created with DevTest Labs.
Going into the VM directly on Identity (Preview) I can change the setting but the Save keeps being disabled.

I managed to achieve this with Azure CLI:
log in to Azure CLI, select Account
list VMs with az vm list
choose the VM to assign MSI to
run az vm identity assign --name {vm-name} -g {vms resource groupname}
checking in the portal, VM / Identity tab, the Identity has Status=On
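The same procedure scripted end to end, plus a check that the identity actually issues tokens from inside the VM. This is an added example, not part of the original answer; the subscription, resource group and VM name are placeholders, and the Reader role assignment is only there so the final token test has something to call.

```powershell
# Added example: enable a system-assigned managed identity on a DevTest Labs VM
# with the Azure CLI, verify it, then prove it works from inside the VM.
$subscription  = "<subscription-id>"                 # placeholder
$resourceGroup = "<devtestlab-vm-resource-group>"    # placeholder (the RG the lab created for the VM)
$vmName        = "<vm-name>"                         # placeholder

az login | Out-Null
az account set --subscription $subscription

# List the VMs in the group so you pick the right one.
az vm list --resource-group $resourceGroup --query "[].{name:name, id:id}" -o table

# Assign the system-assigned identity. This CLI path works even when the portal's
# Identity blade keeps the Save button disabled for a DevTest Labs VM.
az vm identity assign --name $vmName --resource-group $resourceGroup | Out-Null

# Verify: type must include SystemAssigned and principalId must be set.
$identity = az vm identity show --name $vmName --resource-group $resourceGroup | ConvertFrom-Json
if ($identity.type -notmatch "SystemAssigned" -or -not $identity.principalId) {
    throw "Managed identity not enabled on $vmName"
}

# Least privilege for the test below: Reader on this resource group only.
az role assignment create --assignee-object-id $identity.principalId `
    --assignee-principal-type ServicePrincipal --role Reader `
    --scope "/subscriptions/$subscription/resourceGroups/$resourceGroup" | Out-Null

# --- Run the rest ON the VM ---
# The instance metadata endpoint hands the identity a token; no secret is stored on
# the machine. The Metadata header is mandatory, which is what blocks SSRF-style
# requests from a browser or a forwarded request.
$tokenUri = "http://169.254.169.254/metadata/identity/oauth2/token" +
            "?api-version=2018-02-01&resource=https://management.azure.com/"
$token = Invoke-RestMethod -Headers @{ Metadata = "true" } -Method GET -Uri $tokenUri
$auth  = @{ Authorization = "Bearer $($token.access_token)" }

# Reader lets the identity read its own resource group; anything broader should fail.
Invoke-RestMethod -Headers $auth -Uri ("https://management.azure.com/subscriptions/$subscription" +
    "/resourceGroups/$resourceGroup?api-version=2021-04-01")
```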

Related

What is the request source-IP-address when it is originating from a docker container

I work within a corporation that has very strict security policies.
I am running a single docker container consisting of an ASP.NET Core 3.1 MVC web app. It is based on the default ASP.NET Debian 10 image provided by Microsoft.
I have only installed docker engine - so no docker compose - and have not had to do any additional set-up/config, but run the container by a simple command:
docker run -p port-x:port-y imagename:tag
When I navigate to http://host-Ip I can access the web app from my Windows dev machine.
However, the host is RHEL running in a very restricted enterprise network.
Now I need to connect to an external domain from within the container but that can only happen via an internal proxy.
The proxy team requires the source ip-address.
I have 2 questions:
would that be the host (RHEL) ip address?
Is there a way to test this (I cannot/not allowed to install custom software/libs into RHEL and have access to basic + limited set)?
If anyone stumbles upon this: the source IP address is the RHEL host IP address where the container is running.

Restarting applications using Amazon CodeDeploy

We occasionally have the need to restart services that are deployed with AWS CodeDeploy. Is it possible to have the CodeDeploy agent do this directly, without having to create a new deployment?
The AWS service you're looking for is AWS Systems Manager. You can run arbitrary commands or scripts on instances with this. All recent Ubuntu and Amazon Linux instances have the AWS SSM agent installed. But if you have an older instance, you'll have to install the SSM agent manually or through your configuration manager.
No, you need to have a deployment to restart. The agent does not take actions on its own. It receives commands from the CodeDeploy service.
Depending on your use case you can have your application emit a CloudWatch event and have that trigger a deployment in the deployment group. Note that it will create a deployment that will deploy to the entire fleet.
To expand on eternaltyro's answer, you could leverage CodeDeploy's CLI tool via SSM to run the same CodeDeploy event hooks that were/are used to start and stop your application.
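What the last two answers describe, as an added example that is not from the original thread: an SSM Run Command that re-runs the stop/start hook scripts CodeDeploy already installed, using AWS Tools for PowerShell. The region, the tag used as target, the deployment group id and the hook script names are assumptions; the `deployment-instructions` path is the one the Linux CodeDeploy agent writes and is used here as documented.

```powershell
# Added example: restart a CodeDeploy-managed service through SSM Run Command
# instead of creating a new deployment. Every invocation is recorded in CloudTrail,
# and the caller's IAM policy should scope ssm:SendCommand to this document and tag.
Import-Module AWS.Tools.SimpleSystemsManagement

$region  = "us-east-1"                                                  # assumption
$target  = @{ Key = "tag:DeploymentGroup"; Values = @("web-prod") }     # assumption
$groupId = "<deployment-group-id>"                                      # placeholder

# <group-id>_last_successful_install holds the path of the last deployed archive, so the
# restart logic stays in the appspec hooks rather than being duplicated here.
$script = @'
set -e
ROOT=/opt/codedeploy-agent/deployment-root
DIR=$(cat "$ROOT/deployment-instructions/GROUP_ID_last_successful_install")
cd "$DIR/deployment-archive"
bash scripts/stop_server.sh    # hook script names as declared in appspec.yml (assumed)
bash scripts/start_server.sh
'@ -replace 'GROUP_ID', $groupId

$cmd = Send-SSMCommand -Region $region -DocumentName "AWS-RunShellScript" `
    -Target $target -Comment "Manual restart via SSM" -TimeoutSecond 120 `
    -Parameter @{ commands = ($script -split "`r?`n") }

# Poll until every targeted instance has finished, then report per-instance status.
do {
    Start-Sleep -Seconds 5
    $inv = Get-SSMCommandInvocation -Region $region -CommandId $cmd.CommandId
} while ($inv | Where-Object { "$($_.Status)" -in "Pending", "InProgress" })

$inv | Select-Object InstanceId, Status, StatusDetails
$failed = $inv | Where-Object { "$($_.Status)" -ne "Success" }
if ($failed) { throw "Restart failed on: $($failed.InstanceId -join ', ')" }
```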

Install webdeploy on W2016 IIS 10

How to install web deploy on IIS 10 W2016?
So far I have tried
Using Web Platform (v5) to install "Web Deploy 3.6"
After installation I have updated the web deploy service to run under local admin account.
I have manually turned off the firewall on the server
I have ensured that Management Service is running
Restarted server
I have verified using telnet that the port is open and then using netstat -an that the port is open and I can connect to it
I had to install a new management tool called "Management Service" in Windows Features.
In order to install this:
Open server roles / feature
Find Management Tools
Check Management service
Update from other people's experience:
you might need to restart the service
Reinstall/Repair the installation of web deploy if you used installer
There is an option to install this feature using a PowerShell command (check the comment below by Bart Verkoeijen).
This command is useful in case you are using Desired State Configuration (DSC)
I just did this on four servers, had to install management service first, then web deploy (or reinstall webdeploy if already installed). The management service install was in a slightly different location under server roles than described in other answers.
Hope this helps someone.
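The Management Service prerequisite from the answers above, scripted, with the firewall opened for the one port Web Deploy uses rather than switched off. This is an added example, not the command from the comment referenced in the thread; run it elevated on the Windows Server 2016 / IIS 10 host, and note that Web Deploy itself (service MsDepSvc) is still installed by Web Platform Installer or its MSI.

```powershell
# Added example: install and enable the Web Management Service that Web Deploy's
# WMSVC handler depends on, then verify the listener on TCP 8172.
Import-Module ServerManager

# 1. The "Management Service" checkbox under Web Server (IIS) > Management Tools.
$feature = Install-WindowsFeature -Name Web-Mgmt-Service
if (-not $feature.Success) { throw "Web-Mgmt-Service install failed: $($feature.ExitCode)" }

# 2. Allow remote connections; WMSVC reads this value when it starts.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WebManagement\Server" `
    -Name EnableRemoteManagement -Value 1 -Type DWord

# 3. Start automatically, and restart now so the registry change is picked up.
Set-Service -Name WMSVC -StartupType Automatic
Restart-Service -Name WMSVC

# 4. Open only TCP 8172 on the domain profile instead of disabling the firewall.
$ruleName = "Web Management Service (TCP 8172)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8172 -Action Allow -Profile Domain | Out-Null
}

# 5. Both services should be running; MsDepSvc comes from the Web Deploy installer.
foreach ($svc in "WMSVC", "MsDepSvc") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$svc is not installed"; continue }
    "$svc : $($s.Status)"
}

# Same check as telnet/netstat in the question, from PowerShell.
$probe = Test-NetConnection -ComputerName localhost -Port 8172
if (-not $probe.TcpTestSucceeded) { throw "Nothing is listening on 8172; check WMSVC" }
```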

Windows authentication of an application hosted in Windows Container

I would like to use Windows authentication to access an ASP.NET application, hosted in a Windows Container (in Windows Server 2016 TP4). For this, I presume I need to add the container to the Active Directory domain. Is it all possible to add a Windows Container (or Hyper-V Container) to a domain? There is no clear documentation from Microsoft on this, and I myself tried adding the container to the domain using PowerShell, but with no luck.
If domain joining a Container is not supported, is there any alternative way to enable Windows Authentication in a web application hosted in a Windows or Hyper-V Container?
Any input will be highly appreciated.
Microsoft recently provided a solution for containers accessing resources using domain credentials: group managed service accounts.
Although Windows Containers cannot be domain-joined, they can also take advantage of Active Directory domain identities similar to when a device is realm-joined. With Windows Server 2012 R2 domain controllers, we introduced a new domain account called a group Managed Service Account (gMSA) which was designed to be shared by services.
Additionally, here's a guide that walks through the specific steps in detail, covering the following:
Deploying containers with an emulated domain identity is simple, and based around existing workflows using Windows Server and Active Directory.
Deploying this feature requires:
An existing Active Directory domain, running at Windows Server 2012 or later functional level
Windows Server 2016 with the Container role and Docker installed. This will be referred to as a Container host. These hosts need to be joined to the domain.
This guide will cover the following steps to deploy a container in detail:
Create a group Managed Service Account in the Active Directory for each application/service
Give each container host access to use the group Managed Service Account
Add configuration files on each container host that store details about the group Managed Service Accounts. These will be referred to as Credential Specs
Start containers with a parameter telling which credential spec to use
Extract of the Windows Containers - Work in progress
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
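The four steps from the quoted guide, as an added PowerShell example that is not from the original answer. The domain (contoso.com), the gMSA name WebApp01, the host group and host names, and the `New-CredentialSpec` parameters (from Microsoft's CredentialSpec module, assumed installed on the host) are assumptions.

```powershell
# Added example: gMSA for a Windows container. The container is never domain-joined;
# the domain-joined host retrieves the gMSA password and presents that identity.
# --- On a machine with the ActiveDirectory module, as a domain admin ---
Import-Module ActiveDirectory

# One-time per forest: gMSA passwords are derived from the KDS root key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the managed password (hosts, not users).
New-ADGroup -Name "ContainerHosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "ContainerHosts" -Members "HOST01$", "HOST02$"

# Step 1: one gMSA per application/service, so a compromise of one app does not
# hand over every service's identity.
New-ADServiceAccount -Name "WebApp01" -DNSHostName "WebApp01.contoso.com" `
    -ServicePrincipalNames "http/WebApp01.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "ContainerHosts"

# --- On each container host, after a reboot so the new group membership is in its token ---
# Step 2: the host pulls the password from AD; Test-ADServiceAccount must return True.
Install-ADServiceAccount -Identity "WebApp01"
if (-not (Test-ADServiceAccount -Identity "WebApp01")) { throw "Host cannot use WebApp01" }

# Step 3: write the credential spec. It holds only account and domain names, never the
# password, and is written under C:\ProgramData\Docker\CredentialSpecs\ by the module.
Import-Module CredentialSpec
New-CredentialSpec -AccountName "WebApp01"
Get-Content "C:\ProgramData\Docker\CredentialSpecs\WebApp01.json"

# Step 4: start the container with the spec. Inside, the app runs as NETWORK SERVICE
# (or LocalSystem) and the domain sees it as contoso\WebApp01$.
docker run -d --security-opt "credentialspec=file://WebApp01.json" `
    --hostname WebApp01 -p 80:80 mcr.microsoft.com/windows/servercore/iis

# Verify the secure channel from inside the container:
# docker exec <container-id> nltest /sc_verify:contoso.com
```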

No HKEY_USERS registry entries created for ApplicationPoolIdentityUsers in Windows Server 2012R2

I've got an ASP.NET app that I'm developing on a Windows 8.1 machine and deploying to a Windows Server 2012R2 machine. This app starts a command line executable via a call to Diagnostics.Process.Start(). This command line executable writes some default entries in the registry under the HKEY_CURRENT_USER on first run for the respective user. These are later accessed via calls to Registry.CurrentUser.OpenSubKey().
When running the web app under its respective ApplicationPoolIdentity user on the 8.1 box it works perfectly well, but on the WS2012 box it does not. Upon further investigation it appears that 8.1 is creating entries under HKEY_USERS for these IIS virtual accounts, whereas WS2012 is not. NetworkService, DefaultAppPool etc have entries in the registry, but the virtual accounts don't, so if I don't run the app pool under an existing user on the WS2012 box (NetworkService, for instance) it can't write/read the registry entries and so it can't pull the settings.
Why is this? How do I allow Windows Server 2012 to create registry entries for ApplicationPoolIdentity user accounts?
There were two things I had to do to fix this:
1) In the Advanced Settings of the App Pool, I set the "Load User Profile" setting to True;
2) Browse the Website from IIS.
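The two steps of the accepted fix from PowerShell, with a check that the HKEY_USERS hive for the app pool's virtual account now exists. Added example, not part of the original answer; the pool name and site URL are assumptions.

```powershell
# Added example: enable Load User Profile for an app pool and verify that a profile
# hive for its virtual account (IIS AppPool\<pool>) is loaded under HKEY_USERS.
Import-Module WebAdministration
$pool = "MyAppPool"              # assumption
$site = "http://localhost/"      # assumption

# 1) processModel.loadUserProfile = true makes w3wp load the virtual account's profile,
#    which is what creates the HKEY_USERS\<SID> hive that Registry.CurrentUser maps to.
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel.loadUserProfile -Value $true
Restart-WebAppPool -Name $pool

# 2) Browse the site so the worker process starts under the virtual identity.
try { Invoke-WebRequest -Uri $site -UseBasicParsing | Out-Null } catch { Write-Warning $_ }

# Virtual accounts have deterministic SIDs (S-1-5-82-...) derived from the pool name.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool", $pool)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3) Without a loaded profile this path does not exist and HKCU resolves to
#    HKEY_USERS\.DEFAULT, which is why the child process's settings were never found.
if (Test-Path "Registry::HKEY_USERS\$sid") {
    "Profile hive loaded for IIS AppPool\$pool ($sid)"
    Get-ChildItem "Registry::HKEY_USERS\$sid\Software" | Select-Object -ExpandProperty PSChildName
} else {
    throw "No HKEY_USERS\$sid hive; is the pool running and Load User Profile set to True?"
}
```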
