Merge pull request #8899 from MicrosoftDocs/main

Auto push to live 2025-05-09 10:01:57

Author: Deland-Han

.openpublishing.redirection.json

@@ -13684,6 +13684,10 @@
       "source_path": "support/windows-server/active-directory/dcs-cannot-be-located-high-rate-outbound-sessions.md",
       "redirect_url": "/troubleshoot/windows-server/user-profiles-and-logon/dcs-cannot-be-located-high-rate-outbound-sessions"
     },
+    {
+      "source_path": "support/windows-server/active-directory/troubleshoot-errors-join-computer-to-domain.md",
+      "redirect_url": "/troubleshoot/windows-server/active-directory/networking-errors-join-computer-domain"
+    },    
     {
     "source_path": "support/power-platform/power-automate/desktop-flows/troubleshoot-excel-errors.md",
     "redirect_url": "/troubleshoot/power-platform/power-automate/desktop-flows/office-automation/excel/troubleshoot-excel-errors"

support/azure/azure-kubernetes/error-codes/vmextensionerror-oraspullnetworktimeout.md

@@ -0,0 +1,52 @@
+---
+title: OrasPullNetworkTimeoutVMExtensionError When Creating AKS Clusters
+description: Learn how to troubleshoot the OrasPullNetworkTimeoutVMExtensionError error (211) when you try to create and deploy an Azure Kubernetes Service (AKS) cluster.
+ms.date: 05/09/2025
+ms.reviewer: xinhl, v-weizhu
+ms.service: azure-kubernetes-service
+#Customer intent: As an Azure Kubernetes user, I want to troubleshoot the OrasPullNetworkTimeoutVMExtensionError error code (OrasPullNetworkTimeoutVMExtensionError (211)) so that I can successfully create and deploy an Azure Kubernetes Service (AKS) cluster.
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+---
+# OrasPullNetworkTimeoutVMExtensionError error code (211) when deploying an AKS cluster
+
+This article discusses how to identify and resolve the `OrasPullNetworkTimeoutVMExtensionError` error (error code 211) that occurs when you try to create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
+
+## Symptoms
+
+When you try to create an AKS cluster with the outbound type `none` or `block`, you receive the following error message:
+
+> VMExtensionProvisioningError: VM has reported a failure when processing extension 'vmssCSE'.
+>
+> Error message: "Enable failed: failed to execute command: command terminated with exit status=211
+>
+> Bootstrap Container Registry is not reachable. Please check the network configuration and try again.
+
+## Cause
+
+For [network isolated cluster](/azure/aks/concepts-network-isolated), egress traffic is limited. The feature introduces private Azure Container Registry (ACR) cache that acts as a proxy to download necessary binaries or images from Microsoft Artifact Registry (MAR) for AKS bootstrap. VM instances connect to the private ACR via a private link. Incorrect configuration of the private link causes VM bootstrap Custom Script Extension (CSE) to fail.
+
+## Solution
+
+To resolve this issue, follow these steps:
+
+1. Retrieve the ACR resource ID that AKS uses as the bootstrap ACR by running the following command:
+
+    ```console
+    az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'bootstrapProfile.containerRegistryResourceId'
+    ```
+
+2. Verify the ACR cache rule. It should include `aks-managed-rule` with source repo `mcr.microsoft.com/*` and target repo `aks-managed-reposity/*`. Ensure no other cache rule exists with source or target repo as `*`, which override `aks-managed-rule`.
+
+3. Review the [container registry private link](/azure/container-registry/container-registry-private-link) to ensure that the connection configuration is correct, including the private Domain Name System (DNS) zone and private link.
+
+4. Access any failed VM instance using Secure Shell (SSH) and run curl on the ACR host. If successful, reconcile the cluster. If it still fails, return to step 3.
+
+## References
+
+- [General troubleshooting of AKS cluster creation issues](../create-upgrade-delete/troubleshoot-aks-cluster-creation-issues.md)
+
+- [Network isolated Azure Kubernetes Service (AKS) clusters](/azure/aks/concepts-network-isolated)
+
+- [Container registry private link](/azure/container-registry/container-registry-private-link)
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/azure/azure-kubernetes/error-codes/vmextensionerror-oraspullunauthorized.md

@@ -0,0 +1,65 @@
+---
+title: OrasPullUnauthorizedVMExtensionError When Creating AKS Clusters
+description: Learn how to troubleshoot the OrasPullUnauthorizedVMExtensionError error (212) when you try to create and deploy an Azure Kubernetes Service (AKS) cluster.
+ms.date: 05/09/2025
+ms.reviewer: xinhl, v-weizhu
+ms.service: azure-kubernetes-service
+#Customer intent: As an Azure Kubernetes user, I want to troubleshoot the OrasPullUnauthorizedVMExtensionError error code (OrasPullUnauthorizedVMExtensionError (212)) so that I can successfully create and deploy an Azure Kubernetes Service (AKS) cluster.
+ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool)
+---
+# OrasPullUnauthorizedVMExtensionError error code (212) when deploying an AKS cluster
+
+This article discusses how to identify and resolve the `OrasPullUnauthorizedVMExtensionError` error (error code 212) that occurs when you try to create and deploy a Microsoft Azure Kubernetes Service (AKS) cluster.
+
+## Symptoms
+
+When you try to create an AKS cluster with the outbound type `none` or `block`, you receive the following error message:
+
+> VMExtensionProvisioningError: VM has reported a failure when processing extension 'vmssCSE'.
+>
+> Error message: "Enable failed: failed to execute command: command terminated with exit status=212
+>
+> Bootstrap Container Registry authorization failed. Please ensure kubelet identity has pull access to the registry.
+
+## Cause
+
+For [network isolated cluster](/azure/aks/concepts-network-isolated), egress traffic is limited. The feature introduces private Azure Container Registry (ACR) cache that acts as a proxy to download necessary binary or images from Microsoft Artifact Registry (MAR) for AKS bootstrap. It's suggested to disable anonymous access to the ACR. The AKS node uses the kubelet identity to access the ACR. If the `acrpull` permission isn't set correctly or the kubelet identity isn't bound to the VM instance, an unauthorized error occurs.
+
+## Solution
+
+To resolve this issue, follow these steps:
+
+1. Access the VM instance using Secure Shell (SSH) to get the log file`/var/log/azure/cluster-provision.log`. Review the log to determine if the issue is related to a 401 error, Azure Instance Metadata Service (IMDS) connection time-out, or an identity not found with HTTP code 400.
+
+2. Retrieve the ACR resource ID that AKS uses as the bootstrap ACR by running the following command:
+
+    ```console
+    export REGISTRY_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'bootstrapProfile.containerRegistryId' -o tsv)
+    ```
+
+3. If the issue is related to a 401 error, check if the kubelet identity has the `acrpull` permission to the ACR by running the following command:
+
+    ```console
+    export KUBELET_IDENTITY_PRINCIPAL_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'identityProfile.kubeletidentity.clientId' -o tsv)
+    ```
+
+    If not, run the following command:
+
+    ```console
+    az role assignment create --role AcrPull --scope ${REGISTRY_ID} --assignee-object-id ${KUBELET_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal
+    ```
+
+4. If the log error indicates that the identity isn't found, manually bind the kubelet identity to the Virtual Machine Scale Set (VMSS) for a quick fix.
+
+5. If the issue is related to IMDS connection time-out, submit a support ticket.
+6. Reconcile the cluster if the preceding operations are completed.
+
+## References
+
+- [General troubleshooting of AKS cluster creation issues](../create-upgrade-delete/troubleshoot-aks-cluster-creation-issues.md)
+
+- [Network isolated Azure Kubernetes Service (AKS) clusters](/azure/aks/concepts-network-isolated)
+
+- [container registry authentication managed identity](/azure/container-registry/container-registry-authentication-managed-identity)
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/azure/azure-kubernetes/toc.yml

@@ -358,6 +358,10 @@
   items:
   - name: VMExtension error codes
     items:
+    - name: OrasPullNetworkTimeoutVMExtensionError
+      href: error-codes/vmextensionerror-oraspullnetworktimeout.md
+    - name: OrasPullUnauthorizedVMExtensionError
+      href: error-codes/vmextensionerror-oraspullunauthorized.md
     - name: VMExtensionError_CniDownloadTimeout error
       href: error-codes/vmextensionerror-cnidownloadtimeout.md
     - name: VMExtensionError_OutboundConnFail error

support/azure/virtual-machines/windows/in-place-system-upgrade.md

@@ -1,7 +1,7 @@
 ---
 title: In-place upgrade for supported VMs running Windows in Azure
 description: Understand how to work around the unsupported in-place system upgrade on an Azure VM that runs Windows.
-ms.date: 3/18/2025
+ms.date: 05/09/2025
 ms.reviewer: joscon, scotro, azurevmcptcic, maulikshah, yogitagohel, v-weizhu
 ms.service: azure-virtual-machines
 ms.collection: windows
@@ -47,7 +47,7 @@ In-place system upgrades are supported for specific versions of Azure Windows VM
 
 ### Windows versions not yet supported for in-place system upgrades (consider using a workaround)
 
-- Windows 10 and 11 Enterprise multi-session, all versions
+- Windows 10 and 11 Enterprise multi-session, all versions (upgrade from single-session)
 - Windows 8.1
 - Windows 7 Enterprise
 

support/entra/entra-id/app-integration/401-unauthorized-aspnet-core-web-api.md

@@ -0,0 +1,183 @@
+---
+title: Troubleshooting 401 Unauthorized Errors in ASP.NET Core Web API with Microsoft Entra ID Authentication
+description: Provides guidance for troubleshooting and resolving 401 Unauthorized errors in an ASP.NET Core Web API that uses Microsoft Entra ID authentication.
+ms.date: 04/28/2025
+ms.author: bachoang
+ms.service: entra-id
+ms.custom: sap:Developing or Registering apps with Microsoft identity platform
+---
+
+# 401 Unauthorized errors in ASP.NET Core Web API with Microsoft Entra ID 
+
+When you call an ASP.NET Core Web API that's secured by using Microsoft Entra ID authentication, you might encounter a "401 Unauthorized" error. This article provides guidance for using `JwtBearerEvents` to capture detailed logs to troubleshoot these errors.
+
+## Symptoms
+
+You use the `[Authorize]` attribute to [secure your ASP.NET Core Web API](/entra/identity-platform/tutorial-web-api-dotnet-core-build-app?tabs=workforce-tenant), as follows:
+
+```csharp
+[Authorize]
+public class MyController : ControllerBase
+{
+    ...
+}
+
+```
+
+Or
+
+```csharp
+
+public class MyController : ControllerBase
+{
+   [Authorize]
+   public ActionResult<string> Get(int id)
+   {
+       return "value";
+   }
+   ...
+}
+```
+
+When you call the web API, a "401 Unauthorized" response is returned, but the message contains no error details.
+
+## Cause
+
+The API might return a "401 Unauthorized" response in the following scenarios:
+
+- The request doesn't include a valid "Authorization: Bearer" token header.
+- The token is expired or incorrect:
+    - The token is issued for a different resource.
+    - The token claims don't meet the application's token validation criteria, as defined in the [JwtBearerOptions.TokenValidationParameters](/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbeareroptions.tokenvalidationparameters) class.
+
+## Solution
+
+To debug and resolve "401 Unauthorized" errors, use the `JwtBearerEvents` callbacks to capture and log detailed error information. Follow these steps to implement a custom error-handling mechanism.
+
+The `JwtBearerEvents` class has the following callback properties (invoked in the following order) that can help you to debug these "401 Access Denied" or "UnAuthorization" issues:
+
+- [`OnMessageRecieved`](/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerevents.onmessagereceived#Microsoft_AspNetCore_Authentication_JwtBearer_JwtBearerEvents_OnMessageReceived) is called first for every request.
+- [`OnAuthenticationFailed`](/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerevents.onauthenticationfailed) is called if the token doesn't pass the application's token validation criteria.
+- [`OnChallenge`](/dotnet/api/microsoft.aspnetcore.authentication.jwtbearer.jwtbearerevents.onchallenge) is called last before a "401" response is returned.
+
+### Step 1: Enable PII logging
+
+By default, personally identifiable information (PII) logging is disabled. Enable it in the **Configure** method of the Startup.cs file for debugging.
+
+> [!Caution]
+> Use 'Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true' only in a development environment for debugging. Do not use it in a production environment.
+
+```csharp
+public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+{
+    if (env.IsDevelopment())
+    {
+        app.UseDeveloperExceptionPage();
+    }
+    else
+    {
+        // The default HSTS value is 30 days. You might want to change this value for production scenarios. See https://aka.ms/aspnetcore-hsts.
+        app.UseHsts();
+    }
+    // turn on PII logging
+    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
+
+    app.UseHttpsRedirection();
+    app.UseAuthentication();
+    app.UseMvc();
+}  
+```
+
+### Step 2: Create a utility method to format exception messages
+
+Add a method to format, and flatten any exception messages for better readability:
+
+```csharp
+public static string FlattenException(Exception exception)
+{
+    var stringBuilder = new StringBuilder();
+    while (exception != null)
+    {
+        stringBuilder.AppendLine(exception.Message);
+        stringBuilder.AppendLine(exception.StackTrace);
+        exception = exception.InnerException;
+    }
+    return stringBuilder.ToString();
+}
+```
+
+### Step 3: Implement JwtBearerEvents callbacks
+
+Configure the `JwtBearerEvents` callbacks in the `ConfigureServices` method of *Startup.cs* to handle authentication events and log error details:
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+....
+    .AddJwtBearer(options =>
+    {
+        options.Authority = "https://login.microsoftonline.com/<Tenant>.onmicrosoft.com";
+        // if you intend to validate only one audience for the access token, you can use options.Audience instead of
+        // using options.TokenValidationParameters which allow for more customization.
+        // options.Audience = "10e569bc5-4c43-419e-971b-7c37112adf691";
+
+        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+        {
+            ValidAudiences = new List<string> { "<Application ID URI>", "10e569bc5-4c43-419e-971b-7c37112adf691" },
+            ValidIssuers = new List<string> { "https://sts.windows.net/<Directory ID>/", "https://sts.windows.net/<Directory ID>/v2.0" }
+        };
+                
+        options.Events = new JwtBearerEvents
+        {
+            OnAuthenticationFailed = ctx =>
+            {
+                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                message += "From OnAuthenticationFailed:\n";
+                message += FlattenException(ctx.Exception);
+                return Task.CompletedTask;
+            },
+
+            OnChallenge = ctx =>
+            {
+                message += "From OnChallenge:\n";
+                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                ctx.Response.ContentType = "text/plain";
+                return ctx.Response.WriteAsync(message);
+            },
+
+            OnMessageReceived = ctx =>
+            {
+                message = "From OnMessageReceived:\n";
+                ctx.Request.Headers.TryGetValue("Authorization", out var BearerToken);
+                if (BearerToken.Count == 0)
+                    BearerToken = "no Bearer token sent\n";
+                message += "Authorization Header sent: " + BearerToken + "\n";
+                return Task.CompletedTask;
+            },
+#For completeness, the sample code also implemented the OnTokenValidated property to log the token claims. This method is invoked when authentication is successful
+            OnTokenValidated = ctx =>
+            {
+                Debug.WriteLine("token: " + ctx.SecurityToken.ToString());
+                return Task.CompletedTask;
+            }
+        };
+    });
+...
+}
+```
+
+### Sample results
+
+When you implement `JwtBearerEvents` callbacks, if a "401 Unauthorized" error occurs, the response output should include such details as the following example:
+
+```Output
+OnMessageRecieved:
+
+Authorization Header sent: no Bearer token sent.
+```
+
+If you use the API development tool to debug the request, you should receive error details, as shown in the following screenshot.
+
+:::image type="content" source="media/401-unauthorized-aspnet-core-web-api/wrong-token.png" alt-text="Screenshot of error details in the API development tool." lightbox="media/401-unauthorized-aspnet-core-web-api/wrong-token.png":::
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]