在服务管理API上调用任何方法时出错

Question

I'm looking to start an Azure runbook from ac# application which will be hosted on an Azure web app.

I'm using certificate authentication (in an attempt just to test that I can connect and retrieve some data)

Here's my code so far:

var cert = ConfigurationManager.AppSettings["mgmtCertificate"];

var creds = new Microsoft.Azure.CertificateCloudCredentials("<my-sub-id>",
new X509Certificate2(Convert.FromBase64String(cert)));

var client = new Microsoft.Azure.Management.Automation.AutomationManagementClient(creds, new Uri("https://management.core.windows.net/"));
var content = client.Runbooks.List("<resource-group-id>", "<automation-account-name>");

Every time I run this, no matter what certificate I use I get the same error:

An unhandled exception of type 'Hyak.Common.CloudException' occurred in Microsoft.Threading.Tasks.dll

Additional information: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.

I've tried downloading the settings file which contains the automatically generated management certificate you get when you spin up the Azure account... nothing I do will let me talk to any of the Azure subscription

Am I missing something fundamental here?

Edit: some additional info...

So I decided to create an application and use the JWT authentication method.

I've added an application, given the application permissions to the Azure Service Management API and ensured the user is a co-administrator and I still get the same error, even with the token...

const string tenantId = "xx";
const string clientId = "xx";

var context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId));

var user = "<user>";
var pwd = "<pass>";
var userCred = new UserCredential(user, pwd);

var result = context.AcquireToken("https://management.core.windows.net/", clientId, userCred);

var token = result.CreateAuthorizationHeader().Substring("Bearer ".Length);  // Token comes back fine and I can inspect and see that it's valid for 1 hour - all looks ok...

var sub = "<subscription-id>";
var creds = new TokenCloudCredentials(sub, token);
var client = new AutomationManagementClient(creds, new Uri("https://management.core.windows.net/"));

var content = client.Runbooks.List("<resource-group>", "<automation-id>");

I've also tried using other Azure libs (like auth, datacentre etc) and I get the same error:

ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.

I'm sure it's just 1 tickbox I need to tick buried somewhere in that monolithic Management Portal but I've followed a few tutorials on how to do this and they all end up with this error...

Answer 1

Ensure that your Management certificate has private key and was not made from the .CER file. The fact that you're not supplying a password when generating the X509Certificate object makes me think you're using public key only

Ensure that your Managemnet's certificate public key (.CER file) has been uploaded to the Azure management portal (legacy version, Management Certificate area)

Use CertificateCloudCredentials and not any other credential type of an object

Answer 2

    public async Task StartAzureRunbook()
    {
        try
        {
            var subscriptionId = "azure subscription Id";
            string base64cer = "****long string here****"; //taken from http://stackoverflow.com/questions/24999518/azure-api-the-server-failed-to-authenticate-the-request

            var cert = new X509Certificate2(Convert.FromBase64String(base64cer));

            var client = new Microsoft.Azure.Management.Automation.AutomationManagementClient(new CertificateCloudCredentials(subscriptionId, cert));
            var ct = new CancellationToken();

            var content = await client.Runbooks.ListByNameAsync("MyAutomationAccountName", "MyRunbookName", ct);


            var firstOrDefault = content?.Runbooks.FirstOrDefault();
            if (firstOrDefault != null)
            {
                var operation = client.Runbooks.Start("MyAutomationAccountName", new RunbookStartParameters(firstOrDefault.Id));
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
    }       

Also in portal: 1) Application is multitenant 2) Permissions to other applications section - Windows Azure Service Manager - Delegated permissions "Access Azure Service Management(preview)"

Answer 3

Ok, stupid really but one of the tutorials I followed suggested installing the prerelease version of the libs.

Installing the preview (0.15.2-preview) has fixed the issue!