Azure automation error “Client assertion contains invalid signature” – Time to renew your Automation account certificate

I was just recently playing with some Azure runbooks and noticed that one of my automation accounts, that I had selected to execute some of that automation, wasn’t working properly.

I had a Virtual Machine scheduled to boot at a specific time and that wasn’t happening. So this was what I did to troubleshoot it.

In the Azure Portal, I went to “All Resources”, filtered by “Automation Accounts” and clicked in the Automation Account that was supposed to be running that runbook.

I was able to immediately see that something wasn’t OK, as you can see above the automation account is showing that the certificates for both the “Run as Account” and the “Classic Run As Account”, are expired. Nevertheless, the job statistics is telling me that 4 jobs were ran and all with success. Odd, right? So lets investigate further.

In the Automation Account menu I went to Process Automation > Jobs, to try and understand what jobs were executed. As you can see the 4 jobs are there, but were they executed with success?

I clicked in one of the jobs. The status was “completed” but browsing to the “Errors” tab you could easily see it failed. “Client assertion contains an invalid signature” was the error.

So lets jump to the quick fix. Renew the automation account certificates.

Back to the automation account > overview page, clicked in the link to resolve the issue and renewed both certificates.

And that’s it, problem solved.

Lessons learned: make sure your automation account is functional and don’t always trust the job statistics shown in the portal.

My first experience with the Azure mobile app

Just like the vast majority of my posts, this one is also based in a real life experience.

While on holidays I forgot to prepare an Exchange Server lab for a coworker, to test some scripting. As an Exchange MCM (Microsoft Certified Master) a large percentage of my work is still around Exchange and I do have multiple labs with multiple versions, but they all have one thing in common: they live on Azure and they’re don’t have a 100% uptime, to save on cost.

So I decided to execute the fews steps to prepare the lab, that included not much more than booting up some virtual machines, from the Microsoft Azure mobile app, while enjoying the sun in an amazing beach! 🙂

The first thing that I did was download the app.

Note: I have an iPhone so all my experience is based on the Apple version of the app

My first impression of the app was that it’s basic but for simple tasks (like mine of booting up my lab), it gets the job done.

There are two main sections you should consider, when you open the app.

In the top left you can:

• Add accounts
• Switch between subscriptions
• Edit your account settings

In the top right you can filter per service or resource type.

In the example I’ve filtered just to see my virtual machines.

Continuing with the virtual machine example, you’ll be able to see details like activity log, metrics, resource health, virtual machine power state and all main properties.

You’ll also be able to easily execute the most common actions in virtual machines, that being start/stop, restart and connect, in an handy action ribbon in the bottom of the app (as shown above), when you have the virtual machine selected.

In summary, for most resources you’ll be able to at least check the activity log and the properties, but the actions you can perform are, in general limited. I won’t enumerate them one by one but another example, adding to the ones I gave regarding virtual machine actions, would be to edit access permissions in a storage account.

Nevertheless I do rate this app and highly recommend you use it, as it’s amazing for basic actions and very complete for monitoring purposes.

Kudos to the wordpress app as well, since I decided to write this blog post using the wordpress mobile app, while still seating at the beach! 😉

Allow external RDP to your newly created Azure VM

One of the first things you do, after you create your new Azure virtual machine, is remote desktop into it.

Depending on the type of Azure environment you have, you might want to define the best access policy to the virtual machines, determining for example if you need to be connected to a VPN corporate network or not.

In my example, my Azure subscription is used for testing and therefore I will allow external access to my virtual machine.

It’s also important to understand that, to give remote desktop access to the virtual machine, what you need to configure are Inbound Port Rules in the network security group.

You have three options when it comes to configuring security access policies to a new Virtual Machine.

Option 1: Select the ports you want open, during the virtual machine creation

This is the simplest option, unless you want to keep things organized and manageable by using the same network security group for multiple virtual machines (see option 3).

When creating the virtual machine in the main menu you should see a section called “Select inbound ports”, after selecting the “Allow selected ports” right above that one.

All you have to do is select the ports that you want to open, for example 443, 25 and 3389 for an Exchange Server and the new network security group will be configured automatically.

Option 2: Create a new virtual machine with default settings. Once the VM is created edit the newly created Network Security Group.

This is the option you should follow in case you either forgot or chosen not to follow the option above and you didn’t selected an existing and already configured network security group, during the virtual machine creation.

A newly created network security group, should have the following Inbound Port Rules created as default:

And what you need to do is add an inbound port rule.

You can do it via the azure portal, by either going to the virtual machine and then the networking section under settings and clicking “Add Inbound Port Rule” under the correspondent tab.

You can also go directly to the network security group (under all resources) and then the inbound security rules under settings and clicking “Add”.

 

The above is how the inbound rule should look like. You can click in the “Basic” button in the top left to select from an existing service template. There’s an excellent article on how to open ports to a virtual machine with the Azure portal, that you might also look at for additional details.

Option 3: Create a new Network Security group and select it when creating the new virtual machine.

The other more advanced option is to create a network security group and use it for multiple Virtual Machines when you create them. That way you won’t have unique security groups per virtual machine and you won’t have to keep opening one or multiple services for those virtual machines, each time you create a new one.

I won’t go into details on how to create the network security group. For that just follow the official guidance on the link above.

Once you have your group created and upon creation of the new Virtual Machine, make sure you select it, instead of the default option to create a new one.

When creating the virtual machine, in the “Networking” tab, selected “Advanced” under “NIC network security group” and select an existing security group.

And that’s it. It’s a very simple process and one you need done if you want to start accessing those Virtual Machines or publishing services like HTTPS or SMTP. Hopefully after reading this post you understand the several options you have.

All of the above can of course be done via PowerShell, but to keep this post as simple as possible, I’ve used the portal.

Note: I want to make clear that you should not allow Internet unrestricted access to your virtual machine, unless it’s a test machine where you have no type of sensitive data. Even in those cases you can always easily set the source address or range of addresses for that inbound port rule.

Azure Data Box Disks just went from preview to general availability and became available in more regions

Yesterday, Microsoft announced the general availability for Azure Data Box Disks.

For those who don’t know what this is, Azure Data Box Disks are basically a fast (SSD disk based), reliable and secure solution to do offline data transfer to Azure.

It’s been a while since Microsoft announced the preview program, and that was available only for the EU and US regions. General availability is for EU, US, Australia and Canada. As Microsoft promised, the service is expanding to more Azure data centers worldwide.

When compared to the Azure Import/Export service, using the Azure Data Box Disks is, in theory, a simpler process, since Microsoft will provide the disks and handle all the logistics.

We’ll have to wait and see where Microsoft will drive this service towards, since the expectation of some customers is to see it handle other things, besides just simple data transfer, such as initial seeding for Azure Backups.

Azure Identity training, anyone?

With the New Year starting, I am looking at a training plan for 2019.

I don’t think that training is the only thing that makes you improve your skills, and at least in my opinion you should add to that as much real live consulting experience as you can, as well as make your training as much “hands on” as possible. Don’t just read or watch videos, build a lab and execute everything that you’re learning.

This blog post is to share with you what seems to be an excellent training resource in Azure Identity: Microsoft Azure Identity training in the edx.org platform.

With this training, as they state in their website, you’ll learn the following:

• How to create and manage Azure Active Directory (AD) directories.
• How to implement applications in Azure AD.
• How to extend on-premises AD to Azure.
• How to configure multi-factor authentication.

The prerequisites for this training are:

• General understanding of cloud computing models.
• General understanding of virtualization, networking and Active Directory.
• Basic proficiency in PowerShell and command line interface scripting.

The above basically means that you should have some experience with Azure, virtualization and of course as this training is focused in Microsoft Identity Management, that means you need to clearly understand how Active Directory works. Finally, as in everything Azure related, PowerShell knowledge is a must! 🙂

All training that I did with edx.org has been great. The training is free, but if you choose to get a certificate at the end, you can pay 99USD, knowing you’d be helping the only nonprofit and open source learning platform.

Most of my posts are about real life scenarios, tips and tricks, etc, so I am sure I will be blogging a lot about Azure Identity in the near future.