Solved

Indicium not starting on Azure

  • November 18, 2020
  • 1 reply
  • 145 views


I'm trying to connect an IAM (2020.2) test database to Indicium 2020.2.12 at an Azure App Service, but I get stuck at a certain point. When I try to access the root directory of Indicium I get the following.

An error occurred while starting the application.
.NET Framework 4.8.4210.0 X64 v4.0.0.0    |   Microsoft.AspNetCore.Hosting version 2.2.0-rtm-35687    |    Microsoft Windows 10.0.14393

The logs say the following:

2020-11-18T15:13:39.0399438+00:00  [INF] Initiating startup license check (a070e428)
2020-11-18T15:13:39.1962080+00:00  [INF] Reading license from IAM. (d4563d62)
2020-11-18T15:13:39.4790579+00:00  [INF] License successfully read from IAM. (66b06fb5)
um.Startup.getOpenIdSigningCertificate() in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 658
   at Indicium.Startup.configureIdentityServer(IServiceCollection services) in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 605
   at Indicium.Startup.ConfigureServices(IServiceCollection services) in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 396
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.Initialize()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
2020-11-18T15:13:40.7273167+00:00  [INF] License refresh not required. Current license state: Valid. License valid until 2021-02-16T14:58:47 (9ee3df71)
2020-11-18T15:13:40.7408558+00:00  [INF] License refresh scheduled for 2020-12-18 14:58:47. (b8b05180)

If I change the database name in appSettings to the other IAM database (production), it works as expected.

I have no clue what's happening and why the test IAM database is not accessible via Indicium. It can be accessed via the webgui. What can I do?

Best answer by Tim Waalewijn

1 reply

  • Moderator
  • 33 replies
  • Answer
  • November 24, 2020

Hi René,

Going by that stack trace you’ve posted Indicium seems to have detected an OpenID configuration inside your IAM test database.

When this happens Indicium tries to load/create a certificate, from the user profile of the user that the application pool on IIS is running on, to sign tokens with.

The problem is that when the IIS application pool uses ApplicationPoolIdentity, which is the case on Azure App Services, there is no actual user profile unless the “Load user profile” option is set to true in the pool settings.

According to the Kudu wiki (https://github.com/projectkudu/kudu/wiki/Configurable-settings#add-user-profile-support-for-a-site) this can be achieved by adding a WEBSITE_LOAD_USER_PROFILE app setting to your Azure app and setting it to 1.

As stated in the wiki link this will only work for apps running in a Basic, Standard or Premium tier so make sure you are using one of those.

Alternatively you could of course also remove the OpenID configuration from the test IAM database.
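
The app setting from the answer above, applied with the Azure CLI (an added example, not part of the original thread and not Thinkwise or Kudu code). The resource group, app and plan names are supplied by the caller, and treating the PremiumV2/PremiumV3 tiers as part of the Premium family is an assumption.

```bash
#!/usr/bin/env bash
# Added example: enable user-profile loading on an Azure App Service app.
# Resource group, app and plan names are passed in by the caller.

# Return 0 when the plan tier is one the Kudu wiki lists as supported.
# Assumption: PremiumV2/PremiumV3 are treated as part of the Premium family.
tier_supports_user_profile() {
  case "$1" in
    Basic|Standard|Premium*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: enable_user_profile <resource-group> <app-name> <plan-name>
enable_user_profile() {
  local rg="$1" app="$2" plan="$3" tier current

  # Check the tier first: the setting only works on the supported tiers.
  tier="$(az appservice plan show --resource-group "$rg" --name "$plan" \
            --query sku.tier --output tsv)" || return 2
  if ! tier_supports_user_profile "$tier"; then
    echo "Plan '$plan' is tier '$tier'; scale up before setting this." >&2
    return 1
  fi

  # Changing an app setting restarts the app.
  az webapp config appsettings set --resource-group "$rg" --name "$app" \
    --settings WEBSITE_LOAD_USER_PROFILE=1 --output none || return 2

  # Read the value back to confirm the setting landed on the intended app.
  current="$(az webapp config appsettings list --resource-group "$rg" \
               --name "$app" \
               --query "[?name=='WEBSITE_LOAD_USER_PROFILE'].value | [0]" \
               --output tsv)" || return 2
  [ "$current" = "1" ]
}

# Run only when called with three arguments, e.g.:
#   ./enable-profile.sh my-rg my-indicium-app my-plan
if [ "$#" -eq 3 ]; then
  enable_user_profile "$@"
fi
```

The function returns 1 for an unsupported tier and 2 when an `az` call fails, so a deployment pipeline can tell the two cases apart.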

