Created a web app in c#.net to access the key vault from azure by using App service but it is working if we run using iis express, but not working if we host on iis.. Why? since app will be hosted on iis only..

asked 2020-04-02T05:41:55.897+00:00
Nikita Pandey 6 Reputation points

Following is the Code snippet:-

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using SummitSecurity;
using System;
using System.Configuration;
using System.Threading.Tasks;


namespace Azure_WebApp
{
public partial class Azure_Form : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}

protected void Button1_Click(object sender, EventArgs e)
{
string str =ResultOnGetAsync().Result;
Label1.Text = str.ToString();
}
public static string WMIUserPWDKey = string.Empty;

public static string Message { get; set; }
private static async Task<string> ResultOnGetAsync()
{
string ret = string.Empty;

try
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://summitazurekey.vault.azure.net/secrets/AzureKey")
.ConfigureAwait(false);

Message = secret.Value;
WMIUserPWDKey = fnDecrypt(secret.Tags["WMIUserPWDKey"].ToString(), "");
string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
string strEncrypted = string.Empty;
strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
ret = $"AzureDecryptKey is {WMIUserPWDKey.ToString()}\n" +
"" +
$"{Encrypted()}";

}
catch(Exception ex)
{

Console.WriteLine(ex.ToString());
}
return ret;

}
static string Encrypted()
{
string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
string strEncrypted = string.Empty;
strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
string strDecrypted = string.Empty;
strDecrypted = CommonExtensionMethods.QueryStringDecrypt(strEncrypted, WMIUserPWDKey);
string EnDecKey = $"Encrypted: " +
$"{strEncrypted.ToString()}\n" + "Decrypted: " +
$"{strDecrypted.ToString()}";
return EnDecKey;
}

// This method implements exponential backoff if there are 429 errors from Azure Key Vault
private static long getWaitTime(int retryCount)
{
long waitTime = ((long)Math.Pow(2, retryCount) * 100L);
return waitTime;
}

// This method fetches a token from Azure Active Directory, which can then be provided to Azure Key Vault to authenticate
public async Task<string> GetAccessTokenAsync()
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://summitazurekey.vault.azure.net");
return accessToken;
}

The error I am getting is :-

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Windows\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. Traceback (most recent call last):
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core_session.py", line 48, in load
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\codecs.py", line 897, in open
file = builtins.open(filename, mode, buffering)
PermissionError: [Errno 13] Permission denied: 'C:\Windows\system32\config\systemprofile\.azure\azureProfile.json'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 193, in _run_module_as_main
"main", mod_spec)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli\azure\cli__main__.py", line 33, in <module>
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core__init__.py", line 562, in get_default_cli
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core__init__.py", line 53, in init
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core_session.py", line 61, in load
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core_session.py", line 65, in save
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\codecs.py", line 897, in open
file = builtins.open(filename, mode, buffering)
PermissionError: [Errno 13] Permission denied: 'C:\Windows\system32\config\systemprofile\.azure\azureProfile.json'

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Integrated Windows Auth is not supported for managed users. See https://aka.ms/adal-iwa for details.

I want know the solution here .. since app will be hosted on IIS only OR it is only due to some permission issue...

Please help me out as soon as possible.....

Azure Web Apps
Azure Web Apps
A feature of Azure App Service used to create and deploy scalable, mission-critical web apps.
4,294 questions
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2020-04-03T18:33:35.88+00:00
    Saurabh Sharma 17,291 Reputation points Microsoft Employee

    I have got a confirmation from Nikita on MSDN thread that the below steps helped resolved her issue -

    • Configure Application pool to run as your user account.
    • Configure setProfileEnvironment to True.
      Go to %windir%\System32\inetsrv\config\applicationHost.config
      Search for "setProfileEnvironment". If it's set to "False", change it to "True". If it's not present, add it as an attribute to the processModel element
      (/configuration/system.applicationHost/applicationPools/applicationPoolDefaults/processModel/@setProfileEnvironment), and set it to "True".

    Also, this issue is duplicate of these two -

    No comments