Share via

Admin Center Extension for ARC reproducibly fails to install

Stefan Geisler 35 Reputation points Microsoft Employee
2026-02-24T14:22:42.3633333+00:00

"Microsoft.AdminCenter.AdminCenter" Extension failed to install - Error "Extension Message: Executing Enable operation, CheckingCompatibility: Checking if system is compatible with Windows Admin Center, CheckingWACInstallationStarted: Checking if Windows Admin Center installation has started, SearchingForWindowsAdminCenter: Searching for Windows Admin Center application, SettingDnsRecords: Creating/updating DNS records, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, GettingWacPort: Getting Windows Admin Centers configured port, GettingCSPFrameAncestors: Getting Windows Admin Center configured CSP frame ancestors, UpdatingWindowsAdminCenterConfiguration: Updating Windows Admin Center Configuration, StoppingWindowsAdminCenterService: Stopping Windows Admin Center service, UpdatingInstallationTypeSettings: Updating Installation type for Windows Admin Center, UpdatingCSPSettings: Updating CSP Frame Ancestors for Windows Admin Center, UpdatingCORSSettings: Updating CORS origins for Windows Admin Center, UpdatingPort: Updating port for Windows Admin Center, UpdatingWebSocketValidationOverride: Updating WebSocket validation override settings, UpdatingTokenAuthenticationEnabled: Updating token authentication setting, UpdatingAutoUpdate: Updating auto update setting, SettingProxy: Updating proxy for Windows Admin Center, GettingWacPort: Getting Windows Admin Centers configured port, UpdatingWindowsAdminCenterConfiguration: Updating Windows Admin Center Configuration, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, TestWACAppServiceReachability: Testing reachability of Application Web Service of Windows Admin Center, GetAccessTokenForArc: Getting access token from Azure Arc's identity endpoint, GetDataFromMetadataService: Getting data from Azure metadata service, GetInstanceMetadataForArc: Retrieving the virtual machine instance metadata information, RetrieveCertificate: Failed to retrieve certificate from key vault using app service"

I tried several time over a longer period of time (days), then I unregistered and deleted the server from ARC and onborded the server again - same behaviour, same error

/subscriptions/<PII Removed>/resourceGroups/RG-ARC/providers/Microsoft.HybridCompute/machines/WS2025SQL2022/extensions/AdminCenter

Azure Arc
Azure Arc

A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

Answer accepted by question author
  1. Bharath Y P 5,745 Reputation points Microsoft External Staff Moderator
    2026-02-24T15:30:00.95+00:00

    Hello Stefan Geisler, we understand that you're experiencing a failure when trying to install the "Microsoft.AdminCenter.AdminCenter" extension on your server. The error includes issues with DNS records, metadata retrieval from Azure, certificate access from Key Vault, and connectivity to required services for the extension setup. Despite multiple attempts, including re-registering and re-onboarding the server from Azure Arc, the same error persists.

    This issue might occur because the Azure Arc treats the machine’s managed identity like any other principal. Even though it’s “itself,” the identity does not automatically inherit permissions to read its own metadata or Key Vault entries. RBAC in Azure is explicit you must grant the identity the necessary roles. Without them, certificate retrieval and metadata queries fail.

    The server uses its System-Assigned Managed Identity to ask Azure for a certificate. If the identity doesn't have the "Reader" role on the Arc Machine resource, the request is rejected.

    Verify Managed Identity Permissions: The most common issue is missing RBAC roles.

    1. Go to the Azure Portal > Arc-enabled servers > Select your machine
    2. Select Access Control (IAM) > Add role assignment.
    3. Assign the Reader role to the Managed Identity of this specific Arc machine.
    4. Additionally, ensure your own user account has the Windows Admin Center Administrator Login role.

    Manage Azure Arc-enabled Servers using Windows Admin Center in Azure | Microsoft Learn

    Note: Even though it’s "itself," the identity needs explicit permission to read its own metadata.

     

    Validate Network & Proxy: The extension must reach the Identity Endpoint locally and the WAC Service globally.

    • Local Endpoint: The extension calls http://localhost:40342 (the local Arc identity service). Ensure no local firewall or "Loopback" restriction is blocking this.
    • Global Endpoints: Ensure your firewall/proxy allows: *.wac.azure.com, pas.windows.net , *.servicebus.windows.net
    • SSL Inspection: Crucial.Microsoft docs state that if your proxy performs SSL/TLS inspection (intercepting and re-signing certificates), the WAC extension will fail because it uses certificate pinning for security. You must bypass inspection for the URLs above.

    Hope this helps. and please feel free to reach out if you have any further questions. Thanks

    1 person found this answer helpful.
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Stefan Geisler 35 Reputation points Microsoft Employee
    2026-02-26T08:46:13.0833333+00:00

    Yes - after adding the reader role to the managed identity did the trick! Admin center extension installed successfully! Problem solved! Thx for reaching out!

    1 person found this answer helpful.
  2. Stefan Geisler 35 Reputation points Microsoft Employee
    2026-02-26T08:52:55.91+00:00

    Ups - think I was a bit too optimistic - I checked the wrong machine.

    Give me some more time to verify

     

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.