Updates in Azure Web App

What version of PSU are you running? I know there were issues with auth on 2.5.0 (possibly 2.5.1 as well, but not sure). I had the same thing and after upgrading to 2.6.0 it’s been fine.

It was 2.5.1, but I’m guessing that it’s 2.6.0 now since I redeployed from GitHub trying to fix this issue. Is there an easy way to check the version if the app isn’t running?

You could have a look in the universal.psd1 manifest file; it will be in there.

We just released 2.5.4 that will ignore invalid authentication.ps1 files that were generated by 2.5.1. It’ll fall back to forms auth so you can resolve the issue directly in the admin console.

Really appreciate all your help, guys. As I said, I’m really excited about this product. Just gotta get over these initial hurdles. I feel like I’m helping improve the Azure hosting story at least! :slight_smile:

Am redeploying from GitHub now so that’ll install the latest version. Will keep this thread updated.

And we’re back! As you predicted, @adam, it fell back to Forms auth and let me sign in as admin.

I then tried adding OIDC as an authentication type, and this time it didn’t immediately crash! :slight_smile: Instead, I have an extra row in the list for OIDC, and it is disabled, waiting for me to enter the settings.

That’s awesome! I can really dig in now.

Is the best practice to get OIDC set up with Azure AD and then disable forms auth? Or is there something I can do to the forms auth so that I have a “break glass” account with a secure password?

Cheers and thanks again,
Matt

OK just documenting where we ended up:

I have group membership determining your role via claims, so only people who are a member of a specific AAD group are admins and everyone else is a reader.

We changed the forms auth to only allow a login with a user we created (not admin) and a specific password, so that’s our “break glass” account.

The documentation for PSU is really good, and I’ve been happy to be a part of expanding it in this Azure hosting area. Still finding a few little niggles but I am raising those in separate threads.

Hey @adam
Just tried running through your Azure doc. I’m also new to web apps, so excuse me if I’m doing something stupid or missing something obvious!

  1. I manually created a web app based on the snip you have here:
    https://docs.powershelluniversal.com/config/hosting/azure
    I used the same settings, although selected Windows OS, obviously my own resource group and name.
  2. I deployed/published the 2.5.5 version of PSU as per the commands listed. It was successful and I got the web app response back. I can also see all the files landed over FTPS.

Attempting to navigate to the web app URL just throws “HTTP Error 502.5 - ANCM Out-Of-Process Startup Failure”.
I figure maybe I need to restart the web app first, but even after, I still get the same 502 error.
Looking in the /site/wwwroot/logs/ folder, I can see a bunch of files that have been created but they’re all 0kb and empty.

Any ideas?

@mabster just wondering if you have done anything extra to get your web app up and running?
Also, what version did you end up pushing?

That error does ring a bell, but we tweaked so many knobs to get it going, I’m struggling to remember. Do you definitely have the app set as x64 and .NET 5?

You were right, tried again this morning… I was just being a gooseberry. Forgot to go into the ‘general’ tab after having created my web app, and switch it from 32 to 64bit (I’d assumed it was 64 by default). Also had to enable web sockets.

Battling trying to get OIDC auth going here.
I managed to get PSU running by pushing a clean deployment and adding all the env variables mentioned in Adam’s article (Data__ConnectionString, Data__RepositoryPath < set these to d:\home\data… as described, Jwt__SigningKey and Api__Url).
I can get PSU running if I just make the env variable additions noted in Adam’s doc and push a clean deployment.
But the moment I try to enable OIDC auth (in the appsettings.json - wwwroot), or play about with settings, even if I revert them, it bombs out on me and I can’t seem to fix it without destroying the resource and starting fresh. The only thing I’ve gleaned from the logs is the Windows authentication errors we’ve seen before in earlier versions. (I’ve tried pushing 2.5.5 - latest stable and 2.6.0 - latest nightly.)
@mabster did you just mimic OIDC settings from your existing on-prem PSU? Did you configure everything in appsettings.json or did you use the PSU GUI to add it? Also, did you need to use the ‘add identity provider’ under authentications in your web app or just let PSU handle everything?

Okay, ignore my last comment, don’t think it’s anything to do with me enabling OIDC auth. I’ve just been playing around and I get errors regardless.
Basically, after creating the web app and deploying, PSU is browsable and works. As soon as I stop/start the web app, it’s dead (with or without any env variables and additional settings).

Here’s how I’m deploying:

$LatestVersion = Invoke-RestMethod https://imsreleases.blob.core.windows.net/universal/production/version.txt
Invoke-WebRequest "https://imsreleases.blob.core.windows.net/universal/production/$LatestVersion/Universal.win7-x64.$LatestVersion.zip" -OutFile "C:\AzureApp\Universal_$LatestVersion.zip"

$resourcegroup = "<ResourceGroupName>"
$AppName = "<AppName>"
$EnvVars = @{
    Api__Url = "https://<AppName>.azurewebsites.net"
    Data__ConnectionString = "D:\home\data\PowershellUniversal\database.db"
    Data__RepositoryPath = "D:\home\data\PowershellUniversal\Repository"
    Jwt__SigningKey = 'xXyt9UpJKB4Pb*4$hprd!JJoyOcK4ZOV**O7Hug9&@gYHc$'
    APPINSIGHTS_INSTRUMENTATIONKEY = "<AppInsightsInstrumentKey>"
    APPLICATIONINSIGHTS_CONNECTION_STRING = "InstrumentationKey=<InstrumentationKey>;IngestionEndpoint=https://<location>.in.applicationinsights.azure.com/"
    ApplicationInsightsAgent_EXTENSION_VERSION = "~2"
    XDT_MicrosoftApplicationInsights_Mode = "default"
}
$location = "<location>"
$AppServicePlan = "<ServicePlanName>"
$webApp = New-AzWebApp -Name $AppName -ResourceGroupName $resourcegroup -Location $location -AppServicePlan $AppServicePlan


$resourceNameString = "$AppName/Microsoft.ApplicationInsights.AzureWebSites"
New-AzResource -ResourceType "Microsoft.Web/sites/siteextensions" -ResourceGroupName $resourcegroup -Name $resourceNameString -Force -ErrorAction Stop
Set-AzWebApp -Name $AppName -ResourceGroupName $resourcegroup -NetFrameworkVersion "v5.0" -WebSocketsEnabled $true -Use32BitWorkerProcess $false -AlwaysOn $true -HttpsOnly $true -AssignIdentity $true -FtpsState "FtpsOnly" -AppSettings $EnvVars
Publish-AzWebApp -ArchivePath "C:\AzureApp\Universal_$LatestVersion.zip" -Name $AppName -ResourceGroupName $resourcegroup -force

Directly after I’ve run the above code and deployed, if I navigate to the URL, PSU loads and I can log in etc. aok.
After a reboot of the web app, if I browse again, I’m getting “Internal Server Error - An error occurred while starting the application.”
And here are the log file errors:

[20:17:52 INF] Azure Web Sites environment detected. Using 'C:\home\ASP.NET\DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2021-11-29 08:17:52 [INFO]  (Hangfire.BackgroundJobServer) Starting Hangfire Server using job storage: 'Hangfire.MemoryStorage.MemoryStorage'
2021-11-29 08:17:52 [INFO]  (Hangfire.BackgroundJobServer) Using the following options for Hangfire Server:
    Worker count: 5
    Listening queues: 'default'
    Shutdown timeout: 00:00:15
    Schedule polling interval: 00:00:15
2021-11-29 08:17:53 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:6904:126f15e3 successfully announced in 581.6578 ms
2021-11-29 08:17:53 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:6904:126f15e3 is starting the registered dispatchers: ServerWatchdog, ServerJobCancellationWatcher, ExpirationManager, CountersAggregator, Worker, DelayedJobScheduler, RecurringJobScheduler...
2021-11-29 08:17:53 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:6904:126f15e3 all the dispatchers started
[20:18:03 FTL] Application startup exception
System.InvalidOperationException: The Negotiate Authentication handler cannot be used on a server that directly supports Windows Authentication. Enable Windows Authentication for the server and the Negotiate Authentication handler will defer to it.
   at Microsoft.AspNetCore.Authentication.Negotiate.PostConfigureNegotiateOptions.PostConfigure(String name, NegotiateOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass11_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
   at Microsoft.AspNetCore.Authentication.Negotiate.Internal.NegotiateOptionsValidationStartupFilter.<>c__DisplayClass2_0.<Configure>b__0(IApplicationBuilder builder)
   at Microsoft.AspNetCore.Server.IISIntegration.IISSetupFilter.<>c__DisplayClass4_0.<Configure>b__0(IApplicationBuilder app)
   at Microsoft.AspNetCore.HostFilteringStartupFilter.<>c__DisplayClass0_0.<Configure>b__0(IApplicationBuilder app)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
[20:18:09 FTL] Hosting startup assembly exception
System.InvalidOperationException: Startup assembly StartupBootstrapper failed to execute. See the inner exception for more details.
 ---> System.IO.FileNotFoundException: Could not load file or assembly 'StartupBootstrapper, Culture=neutral, PublicKeyToken=null'. The system cannot find the file specified.
File name: 'StartupBootstrapper, Culture=neutral, PublicKeyToken=null'
   at System.Reflection.RuntimeAssembly.InternalLoad(ObjectHandleOnStack assemblyName, ObjectHandleOnStack requestingAssembly, StackCrawlMarkHandle stackMark, Boolean throwOnFileNotFound, ObjectHandleOnStack assemblyLoadContext, ObjectHandleOnStack retAssembly)
   at System.Reflection.RuntimeAssembly.InternalLoad(AssemblyName assemblyName, RuntimeAssembly requestingAssembly, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, AssemblyLoadContext assemblyLoadContext)
   at System.Reflection.RuntimeAssembly.InternalLoad(AssemblyName assemblyName, StackCrawlMark& stackMark, AssemblyLoadContext assemblyLoadContext)
   at System.Reflection.Assembly.Load(AssemblyName assemblyRef)
   at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.ExecuteHostingStartups()
   --- End of inner exception stack trace ---

@Adam any idea?
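
The deployment script in the post above passes Jwt__SigningKey as a literal and hands the whole hashtable to Set-AzWebApp -AppSettings, which replaces the app's existing settings. An added example (not from the thread or from PSU) that generates a random key and merges it into the current settings instead; the function names are hypothetical, and it assumes PSU accepts an arbitrary string of this length as the signing key, as the literal in the post suggests:

```powershell
# Added example; New-JwtSigningKey and Merge-AppSetting are hypothetical helpers,
# not Az or PSU cmdlets.
function New-JwtSigningKey {
    param([int]$ByteCount = 64)
    $bytes = [byte[]]::new($ByteCount)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

function Merge-AppSetting {
    param(
        [object[]]$Existing,   # Name/Value pairs, as in (Get-AzWebApp).SiteConfig.AppSettings
        [hashtable]$Update     # settings to add or overwrite
    )
    $merged = @{}
    foreach ($pair in $Existing) { $merged[$pair.Name] = $pair.Value }
    foreach ($key in $Update.Keys) { $merged[$key] = $Update[$key] }
    $merged
}

# Constructed stand-in for the settings already present on the web app.
$existing = @(
    [pscustomobject]@{ Name = 'Api__Url'; Value = 'https://<AppName>.azurewebsites.net' }
    [pscustomobject]@{ Name = 'Data__RepositoryPath'; Value = 'D:\home\data\PowershellUniversal\Repository' }
)
$settings = Merge-AppSetting -Existing $existing -Update @{ Jwt__SigningKey = New-JwtSigningKey }
$settings.Keys | Sort-Object   # list names only, so the key value is never echoed

# Against a real app (requires the Az module and a signed-in session):
# $app = Get-AzWebApp -Name $AppName -ResourceGroupName $resourcegroup
# $settings = Merge-AppSetting -Existing $app.SiteConfig.AppSettings -Update @{ Jwt__SigningKey = New-JwtSigningKey }
# Set-AzWebApp -Name $AppName -ResourceGroupName $resourcegroup -AppSettings $settings | Out-Null
```

Replacing the key invalidates any tokens signed with the previous one.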

Actually, just read this: Microsoft.AspNetCore.Hosting throws Startup assembly StartupBootstrapper failed to execute · Issue #14547 · dotnet/aspnetcore · GitHub
Seems there might be a conflict with how I’m enabling app insights. I’ll remove that bit of my deployment and test it again. Probably goofed myself here, I think I was just enabling app insights out of force of habit without really understanding the implication and didn’t realize I was shooting myself in the foot the whole time. :slight_smile:

EDIT:
So there was an issue with app insights causing one of the errors, but the issue still remains.
Clean app, code to deploy is the same, minus the EnvVars for app insights and the app insights extension.
Same thing, :man_facepalming: works initially, then after a reboot I get the same “An error occurred while starting the application”

Here’s the log this time:

[20:36:41 INF] Azure Web Sites environment detected. Using 'C:\home\ASP.NET\DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2021-11-29 08:36:42 [INFO]  (Hangfire.BackgroundJobServer) Starting Hangfire Server using job storage: 'Hangfire.MemoryStorage.MemoryStorage'
2021-11-29 08:36:42 [INFO]  (Hangfire.BackgroundJobServer) Using the following options for Hangfire Server:
    Worker count: 5
    Listening queues: 'default'
    Shutdown timeout: 00:00:15
    Schedule polling interval: 00:00:15
2021-11-29 08:36:42 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:7920:02dcbe18 successfully announced in 173.7503 ms
2021-11-29 08:36:42 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:7920:02dcbe18 is starting the registered dispatchers: ServerWatchdog, ServerJobCancellationWatcher, ExpirationManager, CountersAggregator, Worker, DelayedJobScheduler, RecurringJobScheduler...
2021-11-29 08:36:42 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:7920:02dcbe18 all the dispatchers started
[20:36:44 FTL] Application startup exception
System.InvalidOperationException: The Negotiate Authentication handler cannot be used on a server that directly supports Windows Authentication. Enable Windows Authentication for the server and the Negotiate Authentication handler will defer to it.
   at Microsoft.AspNetCore.Authentication.Negotiate.PostConfigureNegotiateOptions.PostConfigure(String name, NegotiateOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass11_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
   at Microsoft.AspNetCore.Authentication.Negotiate.Internal.NegotiateOptionsValidationStartupFilter.<>c__DisplayClass2_0.<Configure>b__0(IApplicationBuilder builder)
   at Microsoft.AspNetCore.Server.IISIntegration.IISSetupFilter.<>c__DisplayClass4_0.<Configure>b__0(IApplicationBuilder app)
   at Microsoft.AspNetCore.HostFilteringStartupFilter.<>c__DisplayClass0_0.<Configure>b__0(IApplicationBuilder app)
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.StartAsync(CancellationToken cancellationToken)
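
The two logs above each bury the fatal entry between Hangfire output and stack frames. An added example (not part of the original posts) that pulls out each FTL entry and matches its exception text against the two causes identified in this thread; the sample lines are constructed by shortening the excerpts above, and the function name is hypothetical:

```powershell
# Added example: classify fatal startup entries in a PSU / ASP.NET Core log.
# Patterns and causes are taken from the errors and replies in this thread.
$knownCauses = @(
    @{ Pattern = 'Negotiate Authentication handler cannot be used'
       Cause   = 'Negotiate auth registered while hosted behind IIS (see the APP_POOL_ID check)' }
    @{ Pattern = "Could not load file or assembly 'StartupBootstrapper"
       Cause   = 'App Insights hosting startup assembly missing (dotnet/aspnetcore issue #14547)' }
)

function Get-StartupFailure {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(?<time>\d{2}:\d{2}:\d{2}) (?<level>[A-Z]{3})\] (?<msg>.*)$') {
            if ($current) { $current }      # emit the previous fatal entry
            $current = $null
            if ($Matches['level'] -eq 'FTL') {
                $current = [pscustomobject]@{
                    Time = $Matches['time']; Message = $Matches['msg']; Cause = 'unclassified'
                }
            }
        }
        elseif ($line -match '^\d{4}-\d{2}-\d{2} ') {
            if ($current) { $current }      # a Hangfire-style line also ends the entry
            $current = $null
        }
        elseif ($current -and $current.Cause -eq 'unclassified') {
            # Continuation line (exception text or stack frame) of a fatal entry
            foreach ($c in $knownCauses) {
                if ($line.Contains($c.Pattern)) { $current.Cause = $c.Cause; break }
            }
        }
    }
    if ($current) { $current }
}

# Constructed sample, shortened from the log excerpts quoted above.
$sampleLog = @'
[20:17:52 INF] Azure Web Sites environment detected. Using 'C:\home\ASP.NET\DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2021-11-29 08:17:53 [INFO]  (Hangfire.Server.BackgroundServerProcess) Server xxxx:6904:126f15e3 all the dispatchers started
[20:18:03 FTL] Application startup exception
System.InvalidOperationException: The Negotiate Authentication handler cannot be used on a server that directly supports Windows Authentication.
   at Microsoft.AspNetCore.Authentication.Negotiate.PostConfigureNegotiateOptions.PostConfigure(String name, NegotiateOptions options)
[20:18:09 FTL] Hosting startup assembly exception
System.InvalidOperationException: Startup assembly StartupBootstrapper failed to execute. See the inner exception for more details.
 ---> System.IO.FileNotFoundException: Could not load file or assembly 'StartupBootstrapper, Culture=neutral, PublicKeyToken=null'. The system cannot find the file specified.
'@ -split "`r?`n"

Get-StartupFailure -Lines $sampleLog | Format-List
```

For a real log, pass `Get-Content` output for a file from the app's logs folder as `-Lines`.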

Hmm you’re a bit more advanced than me just by virtue of the fact you’re using the Az cmdlets and AppInsights. I’m still using the sample GitHub repo to push to Azure, and haven’t looked at AppInsights yet.

I have seen the Windows Auth error in our logs, but it hasn’t caused us any issues.

The couple of times where I’ve gotten into a knot and the app just fails to start, it’s mostly just been a case of redeploying. But that could be back when redeploying was nuking the database and resource folder because we didn’t have the environment variables set up to make the service persistent.

If there’s anything I can check for you in our Azure setup, let me know!

I’m only using the cmdlets because I was destroying and rebuilding during my troubleshooting too many times to be doing it manually :rofl:
What version of PSU are you running? I’d like to test the same, might narrow down the issue.
As for app insights, far as I know it’s built into PSU, there’s a place for a key in the app settings JSON. Not sure what I was really going for trying to configure it outside of that tbh, just force of habit :man_shrugging:t2:

It looks like it’s trying to enable negotiate authentication, which won’t work when hosting in IIS because it performs that auth on the proxy level, and that’s why you would see that error.

PSU checks to see if it’s running in IIS by checking the APP_POOL_ID environment variable. I’m wondering if that is null for some reason. Can you try setting that variable to something to see if that error goes away? It’s a bit weird that this is working in one web app and not the other.

            var runningInIis = Environment.GetEnvironmentVariable("APP_POOL_ID") is not null;
            if (runningInIis)
            {
                services.AddTransient<IClaimsTransformation, ClaimsTransformation>();
            }
            else
            {
                authBuilder.AddNegotiate();
            }

I’m on 2.5.4 if it helps!

It’s giving me an error in Azure when attempting to set the var, stating it’s an invalid key name; presumably it’s protected from allowing people to set it manually.

Also just tested 2.5.4 from the path:
https://imsreleases.blob.core.windows.net/universal/production/2.5.4/Universal.win7-x64.2.5.4.zip
Still the same!
@mabster is your web app able to stop and start ok too?

Yep just stopped and started it to be sure. I think it has probably restarted multiple times since we set it up, as the secrets were working while they were in memory and then disappeared after a while.

This is baffling! AppInsights is the only thing left to try turning off to be the same as ours, I think.

Oh man I just went back to our PSU instance and was met with “An error occurred while starting the application.”

Will diagnose now. Maybe it doesn’t survive a restart after all!