Octopus.AzureContext.ps1 fails authenticating

I am trying to get Octopus to create Azure web targets after deploying the ARM template, with a package, that creates a web application.

I have followed the steps in the documentation and blogs. I have a step to deploy the ARM template and have configured the post deployment script with New-OctopusAzureWebAppTarget, re-using the variables using the main step template.

The process fails, after 5 times, on our main server with the following error:

AzureRM Modules: Authenticating with Service Principal
Error | CloseError: Service returned error. Check InnerException for more details
Error | At O:\Octopus\Work\20200527114151-5095-50\staging\Octopus.AzureContext.ps1:86 char:17
Error |Login-AzureRmAccount -Credential $creds -TenantId $Octopu …

The step is able to deploy the ARM template without any issue; it is only the Post Deploy step that seems to fail.

I have recreated the project on another Octopus server, on the same version, and the steps and process work to completion for another subscription. Can anyone give a pointer as to why it would partially work on one server and fully work on another?

Hi @sj.wright,

Thanks for getting in touch! My first guess would be that there’s some difference in the permissions between the two service principal accounts. Checking the Azure console for any errors would be the best place to look to start troubleshooting this issue.

I hope that helps point things in the right direction! Let me know what you find and if we can assist going forward.

Best regards,

Kenny

Hi Kenny
The two service principal accounts have the same role assigned at the subscription: Contributor. Also, the ARM template runs and completes successfully; the step only errors when running the post deployment script, which is newly added.

It fails on line 86 within AzureContext.ps1: Login-AzureRmAccount -Credential $creds -TenantId $OctopusAzureADTenantId -SubscriptionId $OctopusAzureSubscriptionId -Environment $AzureEnvironment -ServicePrincipal

I will check the Azure console to see if there is anything that will help.

Regards
Steve

Hi Kenny
I have tried the following command, Login-AzureRmAccount, with the credentials that the Octopus server should be using, on the server where the post deploy script works, and I can log in without problems.

I am trying the same on the server where I am having the problem, to see if I can work out the problem.

Regards
Steve

Hi Kenny,

I have not been able to complete my testing as I have problems safely importing the AzureRM PowerShell module.

Regards
Steve

Hi Kenny.
I have been able to test the following command on the Octopus Server where I am having the problem: Login-AzureRmAccount, using the same credentials as the Octopus process. I managed to get the command to work after I managed to find a way to download the AzureRM PowerShell module. I don’t think this is a credential / permission problem.

One of the issues I found was that I couldn’t download the module until I added the following to my script: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Also, checking my alerts, I couldn’t find any active for when the script was running, so I don’t think the process managed to connect.

Regards
Steve

Hi Steve,

I appreciate you keeping in touch and detailing the progress you’ve made on this one.

I know other services have recently stopped allowing use of versions of TLS prior to 1.2, and as a result of that we’ve updated our community library step templates (as an example) to force TLS 1.2 exactly like you’ve done in your postdeploy script. Azure might have recently started requiring TLS 1.2 as well.

I hope that helps clear it up, and please don’t hesitate to reach out if you have any further questions or concerns moving forward.

Best regards,

Kenny

Hi Kenny
Thank you for your link. It led me to the following link: https://docs.microsoft.com/en-gb/security/engineering/solving-tls1-problem, where I added the registry, as I can’t update the script. After a restart, just to be safe, I have been able to get the Octopus server to create all our Azure targets.

Regards
Steve
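
An added example, not part of the original thread and not Octopus code: a read-only PowerShell check of the machine-wide .NET Framework TLS defaults and of the protocol set in the current session, the two places the posts above touch. The thread does not say which registry values were added; the SchUseStrongCrypto and SystemDefaultTlsVersions values under the v4.0.30319 keys are assumed here, and the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumption: the standard .NET Framework strong-crypto switches are the
# values of interest; the thread does not name the values that were added.
function Get-DotNetTlsRegistryAudit {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $names = @('SchUseStrongCrypto', 'SystemDefaultTlsVersions')
    foreach ($path in $paths) {
        foreach ($name in $names) {
            $value = $null
            if (Test-Path -Path $path) {
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $value = $item.$name }
            }
            $shown = '(not set)'
            if ($null -ne $value) { $shown = $value }
            [pscustomobject]@{
                Path    = $path
                Name    = $name
                Value   = $shown
                Enabled = ($value -eq 1)   # 1 = opt in to strong crypto / OS TLS defaults
            }
        }
    }
}

function Get-SessionTlsState {
    # What a script in this process would negotiate with before any override.
    $current = [Net.ServicePointManager]::SecurityProtocol
    $tls12   = [int][Net.SecurityProtocolType]::Tls12
    [pscustomobject]@{
        SecurityProtocol = $current
        # 0 means "defer to the operating system defaults" on newer frameworks.
        UsesSystemDefault = ([int]$current -eq 0)
        Tls12Explicit     = (([int]$current -band $tls12) -ne 0)
    }
}

Get-DotNetTlsRegistryAudit | Format-Table -AutoSize
Get-SessionTlsState | Format-List
```

Running it on both Octopus servers and comparing the output shows whether the failing server is missing the machine-wide settings that the working one has.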

Hi Steve,

Sounds great! Thanks for letting me know the status of this one. Please let us know if there’s anything we can try to assist with in the future.

Best regards,

Kenny
