Set-AzureService : ForbiddenError: The server failed to authenticate the request.

I am trying to delopy app on Azure cloud with Teamcity CI and Powershell script in VM

When I try my scripts directly on VM powershell it works with no problem
But then i try the same using the poweshell build step it is giving me '

[05:14:33][Step 3/3] Set-AzureService : ForbiddenError: The server failed to authenticate the

[05:14:33][Step 3/3] request. Verify that the certificate is valid and is associated with this

[05:14:33][Step 3/3] subscription.

[05:14:33][Step 3/3] At line:1 char:1

[05:14:33][Step 3/3] + Set-AzureService -ServiceName $service -Label $deploymentLabel

[05:14:33][Step 3/3] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[05:14:33][Step 3/3] + CategoryInfo          : CloseError: (:) [Set-AzureService], ComputeCloud

[05:14:33][Step 3/3] Exception

[05:14:33][Step 3/3] + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagemen

[05:14:33][Step 3/3] t.HostedServices.SetAzureServiceCommand

[05:14:33][Step 3/3]

[05:14:34][Step 3/3] Create Azure Deployment

[05:14:36][Step 3/3] 8/19/2015 5:14 AM - No deployment is detected. Creating a new deployment.

[05:14:36][Step 3/3] 8/19/2015 5:14 AM - Creating New Deployment: In progress

[05:14:37][Step 3/3] New-AzureDeployment : ForbiddenError: The server failed to authenticate the

[05:14:37][Step 3/3] request. Verify that the certificate is valid and is associated with this

[05:14:37][Step 3/3] subscription.

[05:14:37][Step 3/3] At line:5 char:15

[05:14:37][Step 3/3] +     $opstat = New-AzureDeployment -Slot $slot -Package $package

[05:14:37][Step 3/3] -Configuration $ ...

[05:14:37][Step 3/3] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[05:14:37][Step 3/3] ~~~

[05:14:37][Step 3/3] + CategoryInfo          : CloseError: (:) [New-AzureDeployment], CloudExce

[05:14:37][Step 3/3] ption

[05:14:37][Step 3/3] + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagemen

[05:14:37][Step 3/3] t.HostedServices.NewAzureDeploymentCommand

[05:14:37][Step 3/3]

[05:14:38][Step 3/3] New-AzureDeployment : ForbiddenError: The server failed to authenticate the

[05:14:38][Step 3/3] request. Verify that the certificate is valid and is associated with this

[05:14:38][Step 3/3] subscription.

[05:14:38][Step 3/3] At line:5 char:15

[05:14:38][Step 3/3] +     $opstat = New-AzureDeployment -Slot $slot -Package $package

[05:14:38][Step 3/3] -Configuration $ ...

[05:14:38][Step 3/3] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[05:14:38][Step 3/3] ~~~

[05:14:38][Step 3/3] + CategoryInfo          : CloseError: (:) [New-AzureDeployment], CloudExce

[05:14:38][Step 3/3] ption

[05:14:38][Step 3/3] + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagemen

[05:14:38][Step 3/3] t.HostedServices.NewAzureDeploymentCommand

[05:14:38][Step 3/3]

[05:14:39][Step 3/3] New-AzureDeployment : ForbiddenError: The server failed to authenticate the

[05:14:39][Step 3/3] request. Verify that the certificate is valid and is associated with this

[05:14:39][Step 3/3] subscription.

[05:14:39][Step 3/3] At line:5 char:15

[05:14:39][Step 3/3] +     $opstat = New-AzureDeployment -Slot $slot -Package $package

[05:14:39][Step 3/3] -Configuration $ ...

[05:14:39][Step 3/3] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[05:14:39][Step 3/3] ~~~

[05:14:39][Step 3/3] + CategoryInfo          : NotSpecified: (:) [New-AzureDeployment], CloudEx

[05:14:39][Step 3/3] ception

[05:14:39][Step 3/3] + FullyQualifiedErrorId : Hyak.Common.CloudException,Microsoft.WindowsAzur

[05:14:39][Step 3/3] e.Commands.ServiceManagement.HostedServices.NewAzureDeploymentCommand

[05:14:39][Step 3/3]

[05:14:39][Step 3/3] Get-AzureDeployment : ForbiddenError: The server failed to authenticate the

[05:14:39][Step 3/3] request. Verify that the certificate is valid and is associated with this

[05:14:39][Step 3/3] subscription.

[05:14:39][Step 3/3] At line:6 char:27

[05:14:39][Step 3/3] +     $completeDeployment = Get-AzureDeployment -ServiceName $service -Slot

[05:14:39][Step 3/3] $slot

[05:14:39][Step 3/3] +

[05:14:39][Step 3/3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[05:14:39][Step 3/3] + CategoryInfo          : CloseError: (:) [Get-AzureDeployment], ComputeCl

[05:14:39][Step 3/3] oudException

[05:14:39][Step 3/3] + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagemen

[05:14:39][Step 3/3] t.HostedServices.GetAzureDeploymentCommand


I tried this :

 Remove-AzureAccount
Add-AzureAccount  
also
https://social.msdn.microsoft.com/Forums/en-US/eaed4b7d-6ac1-4692-acf2-c81b11932814/forbiddenerror-the-server-failed-to-authenticate-the-request-verify-that-the-certificate-is-valid?forum=azurescripting

But none is working out.

Can any one has any idea abot this ?

16 comments
Comment actions Permalink

Please make sure that user who runs teamcity build agent has all nesessary permissions.

0
Comment actions Permalink

Hi thanks for the reply Evgeniy Koshkin

But how to check the premissions for build agent ?  As I am a newbie to Teamcity I dont have much idea about it.

0
Comment actions Permalink

TeamCity build agent runs as windows service or from console on behalf of particular windows user. So you need to check if that user has all permissions required.

0
Comment actions Permalink

I have Teamcity Installed on Azure VM so how m i suppose to check that ?

0
Comment actions Permalink

I check teamcity is running under SYSTEM in VM.

0
Comment actions Permalink

Do you use your user account to run powershell manually? If so please make sure both users have same set of permissions.

0
Comment actions Permalink

I had logged in with Administator and the the permission set are same for both the user.
Does Teamcity uses some cetificate to comunicate with Azure Cloud ?
Because this issue came when i deleted Certificates on Azure.  

0
Comment actions Permalink

TeamCity doesn't do anything special with certificate.

0
Comment actions Permalink

So can you figure out why the powershell script is executing in Powershell when ran manually and not when with Teamcity build steps ?

Error :


Set-AzureService : ForbiddenError: The server failed to authenticate the

request. Verify that the certificate is valid and is associated with this

subscription.


https://devnet.jetbrains.com/message/5556352#5556352
0
Comment actions Permalink

Please try to run build agent via cmd, not as a windows service.

0
Comment actions Permalink

Could you please check that 'Add -NoProfile argument' in powershell step (under 'Advanced settings') is not checked?
If it is checked it might prevent your installed certificates from loading.

If unchecking this option does not help, you can try the following:
1) Login to the TeamCity Agent machine under the same user account as TeamCity Agent is launched.
2) Manually re-import your Azure certificates as described in the documentation https://msdn.microsoft.com/en-us/library/dn495124.aspx and https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/
3) Try to run your powershell script or simple command like 'Get-AzureSubscription' manually on the agent machine under the same user to make sure azure is set up correctly
4) Try the same from TeamCity build step. Make sure '-NoProfile' checkbox is not checked

0
Comment actions Permalink

Thanks Oleg Rybak for the Reply

As you mentioned  'Add -NoProfile argument'  in Powershell step : Uncheck that

At my side there is no such Checkbox visible nor Advance setting. I am using TeamCity Professional 7.1.5.
 
Can you please expain what can be done here ?

0
Comment actions Permalink

I see. There was no such option in 7.1.5 and -NoProfile was added later. You can just ignore it.
Nevertheless, try to follow the steps I have written to manually set up the certificate for proper user.

Also consider upgrading to newer version, as we have just released version 9.1 with a lot of new features

0
Comment actions Permalink

I had repeated the steps many times on VM
Even the Script file i am runnning in Powershell step works fine when run manually on VM powershell and the app gets deployed on azure service.
The error i get only when done by teamcity.
It fails in Powershell step.

0
Comment actions Permalink

I finally got the sloution

The error message that I got is

Set-AzureService : ForbiddenError: The server failed to authenticate the
request. Verify that the certificate is valid and is associated with this subscription.

It’s a bit misleading because as you can see in the code below (esp: last line), I did set the current storage but why did I get this message?

[05:14:33][Step 3/3] Set-AzureService : ForbiddenError: The server failed to authenticate the
[05:14:33][Step 3/3] request. Verify that the certificate is valid and is associated with this
[05:14:33][Step 3/3] subscription.
[05:14:33][Step 3/3] At line:1 char:1
[05:14:33][Step 3/3] + Set-AzureService -ServiceName $service -Label $deploymentLabel
[05:14:33][Step 3/3] + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[05:14:33][Step 3/3] + CategoryInfo          : CloseError: (:) [Set-AzureService], ComputeCloud
[05:14:33][Step 3/3] Exception
[05:14:33][Step 3/3] + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.ServiceManagemen
[05:14:33][Step 3/3] t.HostedServices.SetAzureServiceCommand

The script was working fine when run in VM Powershell but failed when run with Teamcity.

To resolve this I followed the following Steps :

  • Open Windows Powershell on VM
  • Run "Get-AzurePublishSettingsFile". It will ask you to login to Azure and you will get the publish setting file for your Azure Subscription associated with your account.
  • Then run "Add-AzureAccount", It will ask you to login and your account will be added to powershell.
  • Login to Azure Portal (manage.windowsazure.com).
  • Go to Settings => Management Certificates section. Get the ThumbPrint of the recently added PublishSettingCertificate.
  • On Powershell run Import-AzurePublishSettingsFile "path of your publish setting file on VM"
  • run Add-AzureCertificate -serviceName "Your service Name" -certToDeploy (get-item cert:\CurrentUser\MY"Certificate ThumbPrint you got from Azure")
  • Finally "Get-AzureSubscription", to see the subscriptions added on Powershell.


Hope this helps some one :)

0
Comment actions Permalink

Great that the issue is resolved!

0

Please sign in to leave a comment.