Category

Azure

Azure, Identity Provider

Running KeyCloak on Azure App Service and Azure SQL using managed identities

I’ve recently been seeing a lot of developers diving into the world of authentication and asking for recommendations on what to use as an Identity Provider (IdP). There are plenty of IdPs out there. If you’ve been following me, I’ve done some posts on Identity Server (before it was Duende). I’m a big fan of Microsoft Entra (for the workforce) and Entra External ID (successor of Azure AD B2C, for external identities not related to your organization) for their simplicity and their SaaS capabilities, as IdPs are, in my eyes, mission-critical parts of your ecosystem: if it goes down, your whole system is down. Any SaaS IdP allows me to focus on my application rather than on managing an IdP…

Azure, Debugging, Web, WebApi

Debugging a managed identity connection to Azure SQL in Azure App Service using containers

So you’ve been eager to deploy the containerized web application that you’ve been working on for a while to Azure App Service. You follow the best security practices, which means you’ve set up your connection to your Azure SQL database using a managed identity. Upon loading your application, you get a dreadful exception saying that you can’t connect to the database. You then wonder: is this a database permission problem, or some other problem, such as the application being unable to connect to the database using its managed identity? This problem is even tougher to diagnose in applications such as Custom Off the Shelf (COTS) software for which you don’t have the source code. Rest assured, this happens to the best of us (yes, even me!)…

Azure, Development, Web, WebApi

Load testing your applications using Azure Load Testing, JMeter and GitHub Actions

I’ve been working with more customers that are starting to take testing (unit, integration, end-to-end and load testing) more seriously. You may ask, “Dom, really? I thought testing was trivial.” Unfortunately not. As we’re entering an era where businesses are producing software like never before, relatively speaking, these businesses are not software companies. They are seeking to prioritize the speedy creation of business value while disregarding the importance of testing. Development teams, more often than not, are under pressure when the applications they develop do not perform the way they intended after being released. Testing is not ingrained within their DNA. If it had been, the extra stress and anxiety associated with debugging the…

Azure, AzureFunctions, C#

Deploying EOL .NET Core to Azure App Services

As you all know, .NET Core 3.1 has been out of support since December 13, 2022. If you follow me on social media, I reminded my followers about this a little over a month ago. Unfortunately, some of the customers my colleagues and I deal with have yet to migrate and were caught by surprise at the last minute. I am and have been advising my customers to plan some time to migrate to .NET 6 (which is LTS); however, the time and priorities issue always comes back. Fortunately, there are 2 solutions that you can put in place today to be able to continue deploying EOL .NET Core versions. Solution 1: Deploying the application using the self-contained method…

Azure

Removing user consent from an Azure AD application

I’ve been working with my team on refactoring the authentication process that has been put in place in the application I am working on. One of the requirements was that we wanted to test out what happens when the user sees the consent prompt (that is, the user consents to the application accessing data on their behalf), but also when the consent prompt is not shown. To my dismay, finding out what has been granted and what has not is not user-friendly in the Azure portal. For my own sake, and perhaps yours, I will try to demystify the where and the how. Finding out the grants: To find out what API permissions have been accepted or…

Azure, C#, DevOps, Docker

Integration tests using Azure Storage emulator and .NET Core in Azure DevOps

I had a friend contact me about a situation he was trying to solve, and I was about to face the same situation myself, so I decided to tackle it. The situation is that we both need to test our code, but our code depends on Azure Storage. As you know, you can emulate Azure Storage on Windows using the (now deprecated) Azure Storage Emulator, or using Azurite. Since my code is built and tested on Linux, I decided on using Azurite. Azurite v3 runs in a container. Azurite v2 runs using Node.js, but the container is not officially available: you need to build the image yourself. Azurite v2 is necessary if you need to have access to…

Azure, Server administration

Automating your mundane Azure Virtual Machine Windows provisioning tasks with PowerShell DSC

I’ve been working on various projects and helping different people with their tasks when it comes to provisioning their Azure Windows Server or Windows 10 virtual machines. One thing I realized is how much time is spent post-provisioning on repetitive tasks that could be done through automation. I can say that I am proud of the fact that, after discussing it with me, they all start embracing Infrastructure as Code (IaC) through ARM. Well, most of them, that is, hahaha! Side note: if you are doing ARM, check out Bicep; it will save you so much time in writing your ARM templates, and there’s great linting and code completion when used in Visual Studio Code with the extension! But what…

Azure, C#, Microsoft365

Connecting to SharePoint Online using an Azure AD Service Principal (Application) and CSOM

Microsoft is pushing us to use Microsoft Graph as an alternative to SharePoint CSOM. Unfortunately, not everything is available in Microsoft Graph. When you are automating, you want to use a service account that has no user identity (delegation) in it and can be autonomous. However, the only way right now to get an application token that can be used to consume the SharePoint Online CSOM is to authenticate your application using an authentication certificate. This post continues on the SPOAuthentication code, as discussed in my other post. We will make use of Key Vault to store the authentication certificate and then add it to the application as a key credential used for authentication. KeyVault and Application…

Azure, C#, Microsoft365

Connecting to SharePoint Online CSOM using a non-interactive, headless application, through user delegation

It may happen that you need to run a process with no user interaction for automation purposes. This may be a console application or an Azure Function with a timer trigger. How is it possible to call the CSOM (client-side object model) API of SharePoint Online in such a fashion? Usually people authenticate in other ways. Today, I want to show you how this can be done using a .NET Core console application. Preface: Before getting cracking with the code, I want to brush up on the On-Behalf-Of flow, as it is important to understand it in order to understand why the code does certain things. The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application…

Azure, C#

Migrating to the new C# Azure KeyVault SDK Libraries

You may be familiar with the Microsoft.Azure.KeyVault SDK. This SDK is being retired in favor of 3 new SDKs: Azure.Security.KeyVault.Keys, Azure.Security.KeyVault.Secrets and Azure.Security.KeyVault.Certificates. As you can see, the Microsoft Azure SDK team split the Key Vault functionality into 3 distinct SDKs. All those SDKs are unified with the Azure.Identity SDK to manage authentication. Let’s deep dive a little bit into those SDKs. I wanted to brush up on them, as people usually tend to forget about Key Vault once it is set up in their application. If you want to migrate to the new SDKs (or you’re looking to consume Key Vault through code), this post can be of interest to you. Azure.Identity SDK: The Azure Identity library is…

Azure

Controlling the hostname with a WebApp when fronted by Application Gateway

I wanted to demystify the hostname that is used within an ASP.NET Core application when the application is hosted in a WebApp and fronted by an Application Gateway. I have been getting a few questions about it and I believe this can help. It happens to many that, when they configure such a setup and have redirects triggered within the application, they get presented with the application.azurewebsites.net hostname instead of the hostname by which they actually accessed the application. They then ask themselves: what happened? I accessed my application through application.mydomain.com. How come I am presented with the azurewebsites.net hostname? Let’s dissect 2 ways by which this can be mitigated so that, when the application triggers redirects within itself, it uses the proper hostname that…

Azure

Automating Azure Site Recovery VMs with ARM and some magic

Actually, I got you: there’s no magic, well, only slightly. We will be using an intuitive way to wrap the whole thing. Now that I have your attention, let’s talk about Azure Site Recovery, or ASR for short. As you are building your solution, you will want to automate the recovery process of your virtual machines so you have some peace of mind when it comes to your disaster recovery process. In this post, I will talk specifically about Azure Site Recovery for Azure-to-Azure recovery. Quick intro: Azure Site Recovery is a product in the Azure family that helps ensure one can attain a business continuity and disaster recovery (BCDR) strategy. Site Recovery works by replicating your disks…

Azure

Path based routing in Azure Application Gateway with Azure WebApps

So it may occur that you want to do path-based routing so that you can reach multiple applications under 1 hostname. To represent this, I’ve drawn an example of what we are trying to accomplish. In this post, I’ll show you how I can use the hostname dev.domstamand.com to respond from different backends when hit on 3 paths: /identity routes to the identity web app; /authorization routes to the authorization web app; / routes all other requests to the default web app. As a side note, I’m using v2 of the Application Gateway. Setup: To understand better how all the components are laid out, I made a diagram. For the sake of…

Azure

Azure AD Linux Login Extension – sudo fails with PAM account management error: System error

As you all know, I’ve been playing around with the Azure Active Directory login extensions for both Linux and Windows. I came across a problem where the first sudo worked (after re-authenticating) and the second, with the same command, failed with sudo: PAM account management error: System error. Trying to debug this was tricky. Together with a support engineer, we were able to enable enough logging to get to the bottom of the problem. First, edit /etc/pam.d/system-auth-aad and add the debug keyword wherever you see pam_aad.so. Adding “debug” switches the module to verbose logging. For example:

Once that is done, execute in one terminal the following command tail -f /var/log/secure. Execute the sudo that you know will fail (that is the…
