IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Azure

Azure: Azure AD Application Proxy. Kerberos issue

One of my Customers asked about MFA for his on-prem Outlook. I offered several solutions, one of them – publishing the OWA site via Azure AD Application Proxy and pre-authenticating with Azure AD and MFA.

To be sure the configuration would work I built a Lab and tried to configure SSO for Integrated Windows Authentication (IWA).

This configuration requires configuring Kerberos Constrained Delegation (KCD) in Active Directory and enabling Delegation in the Properties of the machine where the Azure AD Proxy Connector is installed.

Everything looked easy on paper, but when I tried it in the Active Directory Users and Computers MMC I received a nice error: “The server is unwilling to proceed the request”


After unsuccessful googling I opened a case with Microsoft – that was a brand new domain, just a couple of servers, and I definitely expected everything to work out of the box.

After a couple of days of troubleshooting the only solution MS suggested was using Active Directory Administrative Center instead of the MMC. Even with that, the first attempt failed with “Unknown error”. After the Center was restarted we could finally configure the delegation. No root cause was found.

Azure: How to configure MFA when Classic Portal is not available

My company provides CSP Azure subscriptions for our Customers. To make life more exciting, Microsoft removed Classic Portal support from CSP. So we can use only the new and shiny ARM-based portal.

When the time comes to configure Azure AD the fun begins. The Azure AD node is available in the new portal as ‘preview’ and misses some features from the old portal. Recently I had fun with license assignment; today I needed to assign MFA to accounts. Fun, fun, fun….

Anyway, as in the first case helped. This portal is available for CSP and has some of the features missing from the classic portal. For example, to add MFA to a user:


1. start

2. go to Users -> Active Users

3. Click ‘More’


4. Click “Setup Azure Multi-factor auth”. That will open the MFA portal for you

5. Configure MFA for a user or users in bulk

Azure: Use SAS token as a parameter

I recently bumped into an issue trying to pass a Shared Access Signature (SAS) token to my ARM template to be able to connect sub-templates securely. Even though the SAS token looked perfectly fine in PowerShell, the New-AzureRMDeployment cmdlet failed with the following error: Error: Code=InvalidTemplate; Message=Deployment template validation failed: ‘The provided value for the template parameter ‘_artifactsLocationSasToken’. I tried both securestring and string – no luck. A colleague of mine, Jules Ouellette, helped me with a solution – the token is generated as an object and must be converted to a string before passing it as a parameter: _artifactsLocationSastoken = $artifactslocationsastoken.toString()  After that conversion the token was successfully accepted as a parameter.

Azure: Migrated VM cannot start with 0x000000e

I recently migrated some VMs to Azure for one of my Customers. The VMs were in Production and the Customer was not ready to switch the IP address to DHCP before migration. Unfortunately neither ASR nor MVMC was an option, and I settled on the Disk2VHD tool by Mark Russinovich followed by the PowerShell Add-AzureVHD cmdlet for the VHD upload.

To speed up the process I connected an empty virtual disk to the migrated machine and saved the VHD on it. After the VHD was captured by the tool I mounted it and edited the registry to enable DHCP on its network adapter.

That was a mistake (I found that out the hard way after several hours of uploading the VHD to Azure). The VM built from the VHD failed to start. Fortunately we can now see Boot Diagnostics, so I found the VM failed with

Status: 0x000000e

Info: The boot selection failed because a required device is inaccessible.


The Internet brought nothing about VM migration to Azure with such an error.

I finally found an article from Mark himself where he described exactly the scenario I had (except for the migration to Azure). The main point – never open the captured VHD on the same machine where the source disk is. That will break the disk signature on the VHD and it becomes unbootable.

Fortunately Mark described how to fix the signature.

1. Mount the VHD in Disk Manager (it should give its volumes letters since there is no signature conflict at that point)

2. Load the BCD hive (located under the hidden \Boot folder in the root of one of the volumes) into regedit

3. Search for “Windows Boot Manager”

4. Open key 11000001 under the same Elements

5. Double-click the Element reg value in this key and look at Offset 0x38. We need the first four bytes

6. Write down the bytes in reverse order (last byte first, third one after that, then the second one and the first byte). For example, if the first four bytes at offset 0x38 are 38 d5 5C C0, your disk signature will be c05cd538

7. Unload hive and close regedit

8. Start the Diskpart tool and select the disk you are fixing

9. Invoke the DISKPART command:   uniqueid disk id=c05cd538   (change the signature to yours). At this point you should see the VHD going offline in Disk Manager due to the signature conflict with the source drive. This is expected; do not bring it online

10. Unmount VHD

At this point the disk signature should be fixed and the disk is expected to be bootable again.
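Steps 5, 6 and 9 done in code, as an added example that is not part of the original post: the function reverses the four little-endian bytes at offset 0x38 of a BCD Element value and builds the diskpart command; the sample value is constructed, and the hive name HKLM\BCDTemp in the trailing comment is an assumption.

```powershell
# Added example, not from the original post: derive the signature that diskpart's
# "uniqueid disk id=" expects from a BCD "Element" value (REG_BINARY). The four bytes at
# offset 0x38 are stored little-endian, so they are reversed, exactly as step 6 describes.
function Get-BcdDiskSignature {
    param(
        [Parameter(Mandatory)][byte[]]$Element   # raw bytes of the Element value under key 11000001
    )
    $offset = 0x38
    if ($Element.Length -lt ($offset + 4)) {
        throw "Element value is $($Element.Length) bytes; expected at least $($offset + 4)."
    }
    # Indexes 0x3b, 0x3a, 0x39, 0x38: last byte first, as written down in step 6
    $reversed = $Element[($offset + 3)..$offset]
    return (($reversed | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-DiskpartUniqueIdCommand {
    param([Parameter(Mandatory)][byte[]]$Element)
    return "uniqueid disk id=$(Get-BcdDiskSignature -Element $Element)"
}

# Constructed sample value: zero padding with the post's bytes 38 d5 5C C0 at offset 0x38
$sample = New-Object byte[] 0x40
$sample[0x38] = 0x38; $sample[0x39] = 0xd5; $sample[0x3a] = 0x5c; $sample[0x3b] = 0xc0
Get-DiskpartUniqueIdCommand -Element $sample

# Against the real value, after loading \Boot\BCD into regedit as HKLM\BCDTemp (assumed name)
# and locating the object whose Description element reads "Windows Boot Manager":
# $key = 'HKLM:\BCDTemp\Objects\<bootmgr object GUID>\Elements\11000001'
# Get-DiskpartUniqueIdCommand -Element (Get-ItemProperty -Path $key).Element
```

Paste the printed command into diskpart after selecting the mounted VHD (step 8); the VHD going offline afterwards is the expected signature conflict described in step 9.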

Azure: Regional Data Center is not available for resource deployment

Recently Microsoft made Canadian Data Centres available and I tried to put some workload there.

I tried to create a Resource Group and figured out that Canada Central was not an available region to place the RG in.

After googling/troubleshooting I found that the Microsoft.Compute provider must be re-registered for my Azure subscription. So I did it from PowerShell:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute

After some time the Canadian region appeared for Resource Group, Storage Account and VM resources. But when I tried to add a VNet to the RG, Canada Central was again not available for that resource.

After some troubleshooting with help from Microsoft it turned out Microsoft.Network should be re-registered too:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Lesson learnt: if anything else is not available for my region I probably need to find a resource provider to re-register.
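A way to find the provider to re-register before guessing, as an added example that is not from the original post: it lists providers in the current subscription that are either not registered or have region-bound resource types that do not offer the requested region, then re-registers the two providers the post needed and waits for registration to complete (Register-AzureRmResourceProvider is asynchronous). It assumes an AzureRM session already logged in.

```powershell
# Added example, not from the original post: which resource providers stand between
# this subscription and a region such as 'Canada Central'?
function Get-ProvidersMissingLocation {
    param([Parameter(Mandatory)][string]$Location)   # e.g. 'Canada Central'
    Get-AzureRmResourceProvider -ListAvailable | ForEach-Object {
        $provider = $_
        # Only flag resource types that are region-bound and do not list the region;
        # global types have an empty Locations list and are ignored.
        $missing = $provider.ResourceTypes | Where-Object {
            $_.Locations.Count -gt 0 -and ($_.Locations -notcontains $Location)
        }
        [pscustomobject]@{
            ProviderNamespace  = $provider.ProviderNamespace
            RegistrationState  = $provider.RegistrationState
            TypesWithoutRegion = ($missing | ForEach-Object { $_.ResourceTypeName }) -join ', '
        }
    } | Where-Object { $_.RegistrationState -ne 'Registered' -or $_.TypesWithoutRegion }
}

function Register-ProviderAndWait {
    param([Parameter(Mandatory)][string]$Namespace, [int]$PollSeconds = 10)
    Register-AzureRmResourceProvider -ProviderNamespace $Namespace | Out-Null
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Get-AzureRmResourceProvider -ListAvailable |
            Where-Object ProviderNamespace -eq $Namespace |
            Select-Object -First 1 -ExpandProperty RegistrationState
    } while ($state -ne 'Registered')
    return "$Namespace : $state"
}

Get-ProvidersMissingLocation -Location 'Canada Central' | Format-Table -AutoSize

# The two providers from the post; add any namespace the report above flags
foreach ($ns in 'Microsoft.Compute', 'Microsoft.Network') { Register-ProviderAndWait -Namespace $ns }
```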

Azure: Amazon-Azure feature comparison

Microsoft published it here:

Remember both platforms are constantly changing.

Azure: How to save drive letters during Azure Site Recovery (ASR)?

Update: Article is working for Classic ASR only. For Enhanced ASR Microsoft added the policy to the recovered machine automatically, so you do not need to tweak the policy in on-prem machine.


By setting the SAN policy to “OnlineAll,” you can make sure that the drive letter is maintained when the virtual machine starts to run in Azure (i.e. you will have Drive D: assigned to your drive and the Azure scratch disk will be at the end).
To view the current SAN policy from the guest system, follow these steps:

  1. On the VM (not on the host server), open an elevated Command Prompt window.
  2. Type diskpart.
  3. Type SAN.

If the drive letter of the guest operating system is not maintained, this command returns either “Offline All” or “Offline Shared.”
To make sure that all disks are brought online and are both readable and writeable, set the SAN policy to OnlineAll. To do this, run the following command at the DISKPART prompt:


After you make this change, wait for the Copy Frequency (Recovery Point Objective) value to be configured to make sure that the changes are replicated to Azure. Then, run a test failover to verify whether the drive letters are preserved.


This Microsoft Article is gold!
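The check and the change from the article wrapped in a script, as an added example that is neither the post's nor Microsoft's code: it drives diskpart non-interactively with a temporary script file, reads the current SAN policy, and switches it to OnlineAll only when it is not already. It assumes an elevated PowerShell prompt inside the on-prem VM.

```powershell
# Added example, not from the post or the Microsoft article: read the SAN policy through
# diskpart and switch it to OnlineAll when needed, so drive letters survive the move to Azure.
function Invoke-DiskpartScript {
    param([Parameter(Mandatory)][string[]]$Commands)
    $scriptFile = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $scriptFile -Value $Commands -Encoding Ascii
        # diskpart /s runs the listed commands non-interactively and returns its output
        & "$env:SystemRoot\System32\diskpart.exe" /s $scriptFile
    } finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
}

function Get-SanPolicy {
    # diskpart's "san" command prints a line such as "SAN Policy  : Offline Shared"
    $line = Invoke-DiskpartScript -Commands @('san') |
        Where-Object { $_ -like 'SAN Policy*' } | Select-Object -First 1
    if ($line -match ':\s*(.+)$') { return $Matches[1].Trim() }
    throw "Could not read the SAN policy from diskpart output."
}

function Set-SanPolicyOnlineAll {
    $before = Get-SanPolicy
    if ($before -eq 'Online All') { return "SAN policy is already Online All; nothing changed." }
    Invoke-DiskpartScript -Commands @('san policy=OnlineAll') | Out-Null
    $after = Get-SanPolicy
    if ($after -ne 'Online All') { throw "SAN policy is still '$after' after the change." }
    return "SAN policy changed from '$before' to '$after'."
}

Set-SanPolicyOnlineAll
```

As the article notes, wait one Copy Frequency interval so the change replicates before running the test failover.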


Azure: Journey to ARM

Azure: Working with Templates in Azure Resource Manager

Azure: Use Azure Key Vault to save passwords