The credentials supplied to the package were not recognized

FNU Vishal (WIPRO LIMITED) 1 Reputation point Microsoft Vendor
2022-09-28T19:04:53.677+00:00

We deployed the SF application in VMSS but when it's trying to connect geneva account getting below exception. In local machine it works as expected.

As a workaround I have enabled the ACl for NT AUTHORITY\NetworkService account by logging in to one of the role instances then it worked properly.

my question:

  1. Is all SF applications are expected to run as network service account?
  2. If yes, how can we set this ACL through ARM template itself while installing the cert in VMSS ( I am using "Microsoft.Azure.KeyVault" extension to install the cert in vmss)

$acl = Get-Acl $privateKeyFilePath $acl.SetAccessRule((New-Object System.Security.Accesscontrol.FileSystemAccessRule("NT AUTHORITY\NetworkService","Read","Allow"))) Set-Acl $privateKeyFilePath $acl -ErrorAction Stop

Error:

Unhandled exception. System.AggregateException: One or more errors occurred. (An error occurred while sending the request.)
---> System.Net.Http.HttpRequestException: An error occurred while sending the request.
---> System.IO.IOException: The read operation failed, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential) at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer) --- End of inner exception stack trace --- at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer) at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint) at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan1 inputBuffer, Byte[]& output) at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan1 incomingBuffer) at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize) at System.Net.Security.SslStream.ReceiveBlobAsyncTIOAdapter at System.Net.Security.SslStream.ForceAuthenticationAsyncTIOAdapter at System.Net.Security.SslStream.ReplyOnReAuthenticationAsyncTIOAdapter at System.Net.Security.SslStream.ReadAsyncInternalTIOAdapter

Azure Service Fabric
Azure Service Fabric
An Azure service that is used to develop microservices and orchestrate containers on Windows and Linux.
252 questions
Azure Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets
Azure compute resources that are used to create and manage groups of heterogeneous load-balanced virtual machines.
355 questions
{count} votes

1 answer

Sort by: Most helpful
  1. vipullag-MSFT 25,041 Reputation points
    2022-10-10T07:25:06.05+00:00

    @FNU Vishal (WIPRO LIMITED)

    Apologies in delayed response on this.

    my question:

    1. Is all SF applications are expected to run as network service account?

    Yes, it's the optimal from the security perspective account to run the service (enough permissions but not too much)

    1. If yes, how can we set this ACL through ARM template itself while installing the cert in VMSS ( I am using "Microsoft.Azure.KeyVault" extension to install the cert in vmss)
      Has the certificate registered in the application manifest? SF will ACL it then.

    Hope that helps.
    If you need further help on this, tag me in a comment.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

    0 comments No comments