We deployed the SF application in a VMSS, but when it tries to connect to the Geneva account we get the exception below. On a local machine it works as expected.
As a workaround I enabled the ACL for the NT AUTHORITY\NetworkService account by logging in to one of the role instances; after that it worked properly.
My question:
- Are all SF applications expected to run as the Network Service account?
- If yes, how can we set this ACL through the ARM template itself while installing the cert in the VMSS? (I am using the "Microsoft.Azure.KeyVault" extension to install the cert in the VMSS.)
```powershell
# $privateKeyFilePath is assumed to already hold the path of the certificate's private key file
$acl = Get-Acl $privateKeyFilePath
# Grant Read (enough for Schannel to load the key) to the Network Service account
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\NetworkService", "Read", "Allow")))
Set-Acl $privateKeyFilePath $acl -ErrorAction Stop
```
Error:
```
Unhandled exception. System.AggregateException: One or more errors occurred. (An error occurred while sending the request.)
 ---> System.Net.Http.HttpRequestException: An error occurred while sending the request.
 ---> System.IO.IOException: The read operation failed, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(ISSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED* scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED* secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandleSchannelCred(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(SslStreamCertificateContext certificateContext, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(ReadOnlySpan`1 inputBuffer, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(ReadOnlySpan`1 incomingBuffer)
   at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
   at System.Net.Security.SslStream.ReceiveBlobAsyncTIOAdapter
   at System.Net.Security.SslStream.ForceAuthenticationAsyncTIOAdapter
   at System.Net.Security.SslStream.ReplyOnReAuthenticationAsyncTIOAdapter
   at System.Net.Security.SslStream.ReadAsyncInternalTIOAdapter
```
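As an added example (not code from the original post or from Service Fabric), this is how the `$privateKeyFilePath` used in the workaround can be resolved from the certificate thumbprint on each node and the Read ACL applied in one step, so the same script can run from a script extension in the ARM template after the Key Vault extension has installed the cert. It assumes Windows PowerShell 5.1 on the node, an elevated session, an RSA certificate in `LocalMachine\My`, and the standard machine-key directories; the function name and the `$Thumbprint`/`$Account` parameters are mine.

```powershell
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NetworkService'
    )
    # The Key Vault extension installs the cert into LocalMachine\My; fail early if it is not there
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this node" }

    # The key file name comes from the key container; the API differs for CNG and CAPI (CSP) keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }

    # Machine keys live in one of these directories depending on the key storage provider (assumed defaults)
    $candidates = @(
        Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
    ) | ForEach-Object { Join-Path $_ $uniqueName }
    $privateKeyFilePath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $privateKeyFilePath) { throw "Private key file '$uniqueName' not found under the machine key directories" }

    # Grant Read only: that is all Schannel needs to use the key; do not hand out Modify or FullControl
    $acl = Get-Acl -Path $privateKeyFilePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $privateKeyFilePath -AclObject $acl -ErrorAction Stop
    return $privateKeyFilePath
}

# Usage on a node (thumbprint is a placeholder to be taken from the ARM template parameter):
# Grant-PrivateKeyRead -Thumbprint '<CERT_THUMBPRINT>'
```

Because the node's own cert store is queried, the script is idempotent and can be re-run on scale-out or cert rotation; it only ever widens the key ACL by a single Read entry for the given account.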