Azure Stack TP2- AAD Setup Failure

  • Question

  • <Step EndTimeUtc="2017-01-28T15:56:35.2305641Z" Status="Error" StartTimeUtc="2017-01-28T15:56:08.2618103Z" Name="(Katal) Azure Stack AAD Configuration." Description="Configures Azure Stack with Azure AD." Index="124">
    <Task EndTimeUtc="2017-01-28T15:56:35.2305641Z" Status="Error" StartTimeUtc="2017-01-28T15:56:08.2618103Z" RolePath="Cloud\Fabric\AAD" InterfaceType="Configure">
    <Exception>
    <Message>Function 'ConfigureAAD' in module 'Roles\AAD\AAD.psd1' raised an exception: The remote server returned an error: (401) Unauthorized. at <ScriptBlock>, <No file>: line 321</Message>
    <StackTrace> at CloudEngine.Actions.PowerShellHost.Invoke(InterfaceParameters parameters, Object legacyConfigurationObject, CancellationToken token) at CloudEngine.Actions.InterfaceTask.Invoke(Configuration roleConfiguration, Object legacyConfigurationObject, MultiLevelIndexRange indexRange, CancellationToken token, Dictionary`2 runtimeParameter)</StackTrace>
    <Raw>CloudEngine.Actions.InterfaceInvocationFailedException: Function 'ConfigureAAD' in module 'Roles\AAD\AAD.psd1' raised an exception: The remote server returned an error: (401) Unauthorized. at <ScriptBlock>, <No file>: line 321 at CloudEngine.Actions.PowerShellHost.Invoke(InterfaceParameters parameters, Object legacyConfigurationObject, CancellationToken token) at CloudEngine.Actions.InterfaceTask.Invoke(Configuration roleConfiguration, Object legacyConfigurationObject, MultiLevelIndexRange indexRange, CancellationToken token, Dictionary`2 runtimeParameter)</Raw>
    </Exception>
    </Task>

    =============================================================

    I have already used the -EnvironmentDNS parameter, but it doesn't help.

    ===============================================================

    017-01-28 07:56:35 Error    1> 2> Task: Invocation of interface 'Configure' of role 'Cloud\Fabric\AAD' failed: 

    Function 'ConfigureAAD' in module 'Roles\AAD\AAD.psd1' raised an exception:

    The remote server returned an error: (401) Unauthorized.
    at <ScriptBlock>, <No file>: line 321
    2017-01-28 07:56:35 Verbose  1> 2> Step: Status of step '(Katal) Azure Stack AAD Configuration.' is 'Error'.
    2017-01-28 07:56:35 Error    1> 2> Action: Invocation of step 60.120.124 failed. Stopping invocation of action plan.
    2017-01-28 07:56:35 Verbose  1> 2> Action: Status of 'Deployment-Phase4-ConfigureWAS' is 'Error'.
    2017-01-28 07:56:35 Verbose  1> 2> Task: Status of action 'Deployment-Phase4-ConfigureWAS' of role 'Cloud' is 'Error'.

    Saturday, January 28, 2017 6:18 PM

Answers

All replies

  • Hi,

    Three things: make sure the user you specified in the "-AADAdminCredential" parameter is an Azure AD user (not a Microsoft account), has the 'Global Admin' role, and belongs to the same Azure AD tenant you specified for the "-AADDirectoryTenantName" parameter.



    Cheers,

    Ruud
    Blog: AzureStack.Blog
    Note: Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Sunday, January 29, 2017 8:58 AM
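The three conditions in the reply above can be checked before starting the deployment. The following is an added example, not part of the original thread or of the Azure Stack deployment scripts; it assumes the MSOnline PowerShell module is installed, and `company.onmicrosoft.com` and the variable names are placeholders.

```powershell
# Added example: pre-flight check for the account passed as -AADAdminCredential.
# Assumption: the MSOnline module is installed on the machine running this.
$AadTenantName = 'company.onmicrosoft.com'   # placeholder: value for -AADDirectoryTenantName
$Credential    = Get-Credential -Message 'Account used for -AADAdminCredential'

$upn       = $Credential.UserName
$upnDomain = ($upn -split '@')[-1]

Import-Module MSOnline -ErrorAction Stop

# 1. Azure AD user: the account must be able to sign in to Azure AD with
#    user name and password alone. A failure here means it cannot.
try {
    Connect-MsolService -Credential $Credential -ErrorAction Stop
    $signInOk = $true
} catch {
    Write-Warning "Azure AD sign-in failed for '$upn': $($_.Exception.Message)"
    $signInOk = $false
}

$tenantMatches = $false
$upnInTenant   = $false
$isGlobalAdmin = $false

if ($signInOk) {
    # 2. Same tenant: the directory we signed in to must own the tenant name
    #    given to the installer, and should own the user's UPN suffix too.
    $domains       = @((Get-MsolDomain).Name)
    $tenantMatches = $domains -contains $AadTenantName
    $upnInTenant   = $domains -contains $upnDomain

    # 3. Global Admin: the MSOnline module lists this role as
    #    'Company Administrator'.
    $roles         = @(Get-MsolUserRole -UserPrincipalName $upn)
    $isGlobalAdmin = $roles.Name -contains 'Company Administrator'
}

# One row per run; every column should read True before deploying.
[pscustomobject]@{
    User            = $upn
    SignInToAzureAD = $signInOk
    TenantMatches   = $tenantMatches
    UpnInTenant     = $upnInTenant
    IsGlobalAdmin   = $isGlobalAdmin
} | Format-List
```

Using `Get-Credential` keeps the password out of the script file and the console history.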
  • Thanks for the response. However, the Azure AD user is xxxx.onmicrosoft.com; prior to the install I have verified that the user can log in to the Azure portal, has the 'Global Admin' role and belongs to the same Azure AD tenant you specified for the "-AADDirectoryTenantName" parameter.

    Any other thing I could try here?

    Or something. I might have followed almost all the steps in the forum; however, nothing seems to help at this point.

    Monday, January 30, 2017 5:05 AM
  • Again the same try, again the same error.

    Invoke-EceAction : 1> Action: Invocation of step 60.120 failed. Stopping invocation of action
    plan. - 1/29/2017 10:57:54 PM
    At line:6 char:2
    +  Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 0.16  ...
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-EceAction], Exception
        + FullyQualifiedErrorId : Unspecified error,CloudEngine.Cmdlets.InvokeCmdlet

    VERBOSE: 1> Action: Status of 'Deployment-Phase2-ConfigureStack' is 'Error'. - 1/29/2017 10:57:54
    PM
    COMPLETE: Task Cloud - Deployment-Phase2-ConfigureStack
    VERBOSE: 1> Task: Status of action 'Deployment-Phase2-ConfigureStack' of role 'Cloud' is 'Error'.
    - 1/29/2017 10:57:54 PM
    VERBOSE: Step: Status of step 'Phase 2 - ConfigureVMs' is 'Error'. - 1/29/2017 10:57:54 PM
    Invoke-EceAction : Action: Invocation of step 60 failed. Stopping invocation of action plan. -
    1/29/2017 10:57:54 PM
    At line:6 char:2
    +  Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 0.16  ...
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-EceAction], Exception
        + FullyQualifiedErrorId : Unspecified error,CloudEngine.Cmdlets.InvokeCmdlet

    Can anyone help?

    Monday, January 30, 2017 9:15 AM
  • Please run the following tests on your host and report back any error and the output at the end. Change the first two variables to your AzureAD user and password.

    ## Change these two variables
    $AadUser = "admin@company.onmicrosoft.com"
    $Password = 'password'
    
    $NETVMS = @("MAS-BGPNAT01","MAS-DC01","MAS-WAS01")
    $AadTenantid = ($AadUser -split '@')[1]
    $Credential = New-Object System.Management.Automation.PSCredential(($AadUser) , `
    (ConvertTo-SecureString -String $Password  -AsPlainText -Force))
    
    ### Runs Network Tests to login.windows.net on 443 from "MAS-DC01","MAS-WAS01,MAS-BGPNAT01"
    $ConTests = $NETVMS | % {
        Invoke-command -ComputerName $_ -ScriptBlock {
            write-output '--------------------------------------------------------------------------------'
            write-output "`n`n`t`t`t$env:computername (Timezone,DNS config,DNS lookup,Webrequest)`n" 
            (Get-TimeZone).displayname
            Get-NetIPConfiguration | ft IPv4Address,@{n='dns';e={$_.dnsserver.serveraddresses}}
            Resolve-DnsName -Name bing.com -Server 192.168.200.6 | select -First 1 | ft name,ipaddress,type,name
            Invoke-WebRequest https://login.windows.net/common/.well-known/openid-configuration -UseBasicParsing | ft statuscode,content
        }
    
    }
    
    ### Opens a Session on MAS-WAS01 and Authenticate to login.windows.net and get an Azure Stack Token. 
    $TokenTest = invoke-command -Computername MAS-WAS01 -ArgumentList $AadTenantid ,$Credential -ScriptBlock {
    
        ### Downloads and Imports the AzureRM module 1.2.6 installed #######
        Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
        $AzureModule = "c:\Program Files\WindowsPowerShell\Modules\AzureRM\1.2.6\AzureRM.psd1"
        if (Test-Path $AzureModule){
            Import-Module $AzureModule -Global -WarningAction SilentlyContinue
              } else { 
                    Install-Module -Name AzureRM -RequiredVersion 1.2.6 -AllowClobber 
                    }
        Import-Module -Name "AzureRM" -Erroraction SilentlyContinue -WarningAction SilentlyContinue
        write-output '--------------------------------------------------------------------------------'
        write-output "`t`t`t$env:computername (Get-AzureStackToken)`n"
        $AadTenantid ,$Credential = $args[0],$args[1]
        $AuthorityEndpoint = "https://login.windows.net"
        $armEndpoint = "https://api.azurestack.local"
        $response = Invoke-RestMethod "${armEndpoint}/metadata/endpoints?api-version=1.0"
        $armResourceId = $response.authentication.audiences[0]
        $token = Get-AzureStackToken -Authority $AuthorityEndpoint -AadTenantId $AadTenantid  -Resource $armResourceId -Credential $Credential -Verbose 
        if (!$token){write-warning 'Couldnt retrieve token'}else{$token}
    }
    
    
    ### Tests time sync between MAS-WAS01, MAS-BGPNAT01 and MAS-DC01
    $TimeTest =write-output "`n`n`t`t`t$env:computername (Net Time Test)`n`n";$TimeTest += (net time \\MAS-DC01)[0]; $TimeTest+="`n" + (net time \\MAS-WAS01)[0];$TimeTest+= "`n" + (net time \\MAS-BGPNAT01)[0]
    
    ### Retrieves and test DNS forwarders on MAS-DC01
    $DNSTest=@();$DNSTest += write-output "`n`t`t`t$env:computername (DNS forwarder test)`n"
    $DNSforwarder = Get-DnsServerForwarder -ComputerName 192.168.200.6
    if ($DNSforwarder.ipaddress){
    $DNSTest += ($DNSforwarder.ipaddress | where IsIPv6SiteLocal -eq $false).ipaddresstostring | % {write-output "`n`t`t`t$_" ;(Resolve-DnsName bing.com -Server $_ |  select -First 1 | ft name,ipaddress,type,name) }
    } else { $DNSTest += "No DNS forwarders found." }
    
    
    $DNSTest;$TimeTest;$ConTests;$TokenTest

    Monday, January 30, 2017 11:08 AM
  • I managed to get past the ADFS 401 error with

    http://sqltechmike.azurewebsites.net/azure-stack-tp2-install-error-function-configureaad-in-module-rolesaadaad-psd1-raised-an-exception-the-remote-server-returned-an-error-401-unauthorized/

    Now the error is 

    VERBOSE: 1> 3> ConfigureAdfs : ADFS Service Account: AzureStack\MAS-AdfsSA$ - 1/30/2017 5:57:03 AM
    VERBOSE: 1> 3> ConfigureAdfs : SqlServer: MAS-WAP-HA\MASSqlWAP - 1/30/2017 5:57:03 AM
    Invoke-EceAction : 1> 2> Task: Invocation of interface 'Configure' of role 'Cloud\Fabric\WAS'
    failed:
    Function 'ConfigureWAS' in module 'Roles\WAS\WAS.psd1' raised an exception:
    Time out has expired and the operation has not been completed.
    at Stop-WebServices, D:\WAP\Setup\Scripts\Configure-AzureStackMasd.ps1: line 699
    at Restart-WebServices, D:\WAP\Setup\Scripts\Configure-AzureStackMasd.ps1: line 712
    at Invoke-Main, D:\WAP\Setup\Scripts\Configure-AzureStackMasd.ps1: line 649
    at <ScriptBlock>, D:\WAP\Setup\Scripts\Configure-AzureStackMasd.ps1: line 738
    at <ScriptBlock>, <No file>: line 21 - 1/30/2017 5:58:10 AM
    At line:1 char:1
    + Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 60.120 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Invoke-EceAction], Exception
        + FullyQualifiedErrorId : System.ServiceProcess.TimeoutException,Microsoft.PowerShell.Command
       s.StopServiceCommand,CloudEngine.Cmdlets.InvokeCmdlet

    VERBOSE: 1> 2> Step: Status of step '(Katal) Configure WAS VMs' is 'Error'. - 1/30/2017 5:58:10 AM
    Invoke-EceAction : 1> 2> Action: Invocation of step 60.120.123 failed. Stopping invocation of
    action plan. - 1/30/2017 5:58:10 AM
    At line:1 char:1
    + Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 60.120 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Invoke-EceAction], Exception
        + FullyQualifiedErrorId : Unspecified error,CloudEngine.Cmdlets.InvokeCmdlet

    Monday, January 30, 2017 3:03 PM
  • Restart the MAS-WAS01 and rerun. Also try to start from a previous step with:

    Import-Module C:\CloudDeployment\CloudDeployment.psd1 -Force
    Import-Module C:\CloudDeployment\ECEngine\EnterpriseCloudEngine.psd1 -Force 

    Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 60.120.120 -Verbose

    # or

    Invoke-EceAction -RolePath Cloud -ActionType Deployment -Start 60 -Verbose


    Otherwise reboot the host and wait patiently for all the roles to come up and rerun again.
    This is not a known problem, so let's hope it can be resolved quickly with these steps.


    Cheers,

    Ruud



    Monday, January 30, 2017 6:29 PM
  • Hello,

    Please make sure you are using the November refresh version of TP2 and run the following from the PowerShell session where you noticed the failure:

    cd C:\CloudDeployment\Configuration

    .\InstallAzureStackPOC.ps1 -rerun

    https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-troubleshooting

    If the deployment continues to fail, please email us at ascustfeedback@microsoft.com and we will set up a workspace where you can upload the logs.

    Thanks,


    Gary Gallanes

    Monday, January 30, 2017 7:53 PM
  • Azure Stack TP3 has been released on March 1, 2017.

    If you are experiencing any issues with the TP2 release, please download and redeploy using the latest Azure Stack POC deployment package.

    Please see the updated deployment documentation:

    https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-run-powershell-script

    And updated Azure Stack Docs:

    https://docs.microsoft.com/en-us/azure/azure-stack/

    If you experience any issues with TP3 release, feel free to contact us.

    https://azure.microsoft.com/en-us/blog/hybrid-application-innovation-with-azure-and-azure-stack/

    Wednesday, March 1, 2017 6:37 PM