Hi,
I'm thinking about deploying this into our azure VMs that run in a private network without internet access.
This article seems to lack the network requirements that installing/running this extension needs.
tcpdump shows a few candidates: management.azure.com and login.windows.net
Also you'll need packages.microsoft.com for the installation plus whatever OS repos contain the dependencies for that package.
Greetings
Klaas
Thanks for the feedback! We are currently investigating and will update you shortly.
@Klaas First of all, I want to call out that AADLoginForLinux extension is currently in Preview and we do not provide support for the Preview features. https://github.com/MicrosoftDocs/azure-docs/issues/14602
This feature is in preview and is not recommended for use with production virtual machines or workloads. Use this feature on a test virtual machine that you expect to discard after testing.
Regarding your feedback about the document lacking network requirements, I have assigned the issue to the content author to investigate further and update the document as appropriate.
@Karishma-Tiwari-MSFT I am aware of the preview status; I am not asking for support, I mainly point out that the network requirements are missing from the docs.
This would be awesome, especially when privately connected using ExpressRoute.
I have been trying a few setups with NSGs and it works when I allow outbound traffic to the service tags AzureCloud and ActiveDirectory and deny all the other internet outbound traffic.
Of course the service tag AzureCloud is way too permissive and it would be great to have documentation that says what is the right way to go about this.
Maybe adding ActiveDirectory as service endpoint in the subnet might work, I have not tried that.
@deosandeep @yyanev Can either of you please share your insights and suggest how can we help our customers on this issue. Thanks :)
@Karishma-Tiwari-MSFT can you reassign this issue to @deosandeep to see if he can help? Thanks!
Suggested edits to the document
Logs for the service can be found in
Ubuntu /var/log/auth.log
RedHat …
CentOS …
You can find errors related to the service by grepping for
pam_aad
Errors like
pam_aad(sshd:auth): CURL: Failed to call https://pas.windows.net/CheckMyAccess?api-version=2018-01-01 (35) indicate the server is not able to communicate with the device login service.
The AADLoginForLinux service is dependent on communication with pas.windows.net; this needs to be allowed in upstream firewalls or proxies, including Azure Firewall.
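A small log-triage helper, added here as an example and not part of the thread, the docs, or the AADLoginForLinux extension: it pulls the hostnames out of pam_aad "CURL: Failed to call" lines so the egress allow-list for the NSG, Azure Firewall or proxy can be built from what the module actually failed to reach rather than from guesswork. The log lines are constructed to match the error quoted above (the login.windows.net line and its path are invented for the demo); on a real VM feed it /var/log/auth.log (Ubuntu) or /var/log/secure (RHEL/CentOS).

```shell
#!/bin/sh
# Added example (not from the thread, the docs, or the AADLoginForLinux
# extension): extract the hosts that pam_aad failed to reach from auth log
# lines, so an egress allow-list can be derived from evidence.

# Constructed sample log lines in Ubuntu /var/log/auth.log style. The
# pas.windows.net error is the one quoted in the thread; the
# login.windows.net line (and its path) is invented for the demo.
SAMPLE_LOG='Mar  3 10:15:02 vm01 sshd[1234]: pam_aad(sshd:auth): CURL: Failed to call https://pas.windows.net/CheckMyAccess?api-version=2018-01-01 (35)
Mar  3 10:15:03 vm01 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
Mar  3 10:16:40 vm01 sshd[1301]: pam_aad(sshd:auth): CURL: Failed to call https://login.windows.net/example-path (7)
Mar  3 10:16:41 vm01 sshd[1301]: pam_aad(sshd:auth): CURL: Failed to call https://pas.windows.net/CheckMyAccess?api-version=2018-01-01 (35)'

# failed_hosts: read log text on stdin; print each distinct host named in a
# pam_aad "CURL: Failed to call <url>" line, one per line, sorted.
# Only pam_aad lines are considered, so other PAM modules' errors are ignored.
failed_hosts() {
    grep 'pam_aad(' \
        | grep 'CURL: Failed to call' \
        | sed -n 's|.*Failed to call https*://\([^/ ]*\).*|\1|p' \
        | sort -u
}

# failure_count HOST: read log text on stdin; print how many pam_aad CURL
# failures targeted HOST (prints 0 if none).
failure_count() {
    grep 'pam_aad(' | grep -c "Failed to call https*://$1/" || true
}

# Demo on the constructed sample. On a VM, replace the printf with
#   sudo cat /var/log/auth.log      (Ubuntu)
#   sudo cat /var/log/secure        (RHEL/CentOS)
printf '%s\n' "$SAMPLE_LOG" | failed_hosts
printf '%s\n' "$SAMPLE_LOG" | failure_count pas.windows.net
```

The host list is the starting point for an allow-list; the per-host count tells you which endpoint is blocked most often, which is useful when a proxy allows some of the module's URLs but not others. The curl error code in parentheses at the end of each line is kept out of the host extraction on purpose, since it varies with the failure cause.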
RHEL/CentOS would be /var/log/secure. It's more than just pas.windows.net; if you enable debug mode for the PAM module you'll see the URLs it calls in the logs.
Then please also add detailed instructions for enabling debug mode. I would also suggest passing on the dependencies to the Azure Firewall team so these become part of the "azure service" rules out of the box. Debugging this is painful.
@albrokke Add debug to the PAM configs, i.e. /etc/pam.d/password-auth-aad and /etc/pam.d/system-auth-aad, and add debug at the end of every line containing pam_aad.so.
(I'm not with MS, just a user.)
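The edit described in that comment, as an added example that is not part of the thread or of Microsoft's documentation: a script that appends the debug option to every pam_aad.so line idempotently, keeps a backup, and leaves unrelated PAM lines alone. The PAM fragment is constructed for the demo (the module lines are invented, not copied from a real system-auth-aad); the real files named in the thread are /etc/pam.d/password-auth-aad and /etc/pam.d/system-auth-aad.

```shell
#!/bin/sh
# Added example (not from the thread or from Microsoft): apply the "add debug
# to every pam_aad.so line" advice idempotently, with a backup, so re-running
# it never produces "debug debug" and unrelated PAM lines are left untouched.
# The config content below is constructed for the demo.

# Constructed PAM fragment: one pam_aad.so line without debug, one that
# already has it, and unrelated modules that must not be modified.
SAMPLE_PAM='auth       required     pam_env.so
auth       sufficient   pam_aad.so
auth       sufficient   pam_unix.so nullok try_first_pass
account    required     pam_aad.so debug'

# enable_pam_aad_debug FILE: append " debug" to each pam_aad.so line that does
# not already carry the debug option. Keeps FILE.bak and preserves FILE's
# inode and permissions by writing back through cat rather than mv.
enable_pam_aad_debug() {
    f="$1"
    cp -p "$f" "$f.bak"
    awk '/pam_aad\.so/ && $0 !~ /(^|[ \t])debug([ \t]|$)/ {
             sub(/[ \t]*$/, "")      # drop trailing whitespace first
             $0 = $0 " debug"
         }
         { print }' "$f" > "$f.new"
    cat "$f.new" > "$f"
    rm -f "$f.new"
}

# debug_line_count FILE: number of pam_aad.so lines that carry debug.
debug_line_count() {
    grep -c 'pam_aad\.so.*[[:space:]]debug' "$1" || true
}

# doubled_debug_count FILE: lines with the option repeated (should stay 0).
doubled_debug_count() {
    grep -c 'debug.*debug' "$1" || true
}

# Demo on a temporary copy; try it on a copy before touching /etc/pam.d.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PAM" > "$demo"
enable_pam_aad_debug "$demo"
enable_pam_aad_debug "$demo"     # second run must change nothing
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Running the function twice is the check that matters: the second pass must leave the file byte-for-byte as the first pass did. Once troubleshooting is finished, the .bak copy restores the original configuration without the extra log volume that debug produces.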
And just for public visibility: the https://pas.windows.net/CheckMyAccess?api-version=2018-01-01 endpoint does not support group inherited rights as of now; I just received that information today as part of a support call.
Can this work with XRDP (and a desktop, such as XFCE4)?
I can login using AAD via SSH, but when I try to login with AAD creds from XFCE4 (via RDP) I get the following error in auth.log:
xrdp-sesman: pam_aad(xrdp-sesman:auth): Failed to invoke PAM_CONV
I'm not well versed in Linux but I'm wondering if there is a missing configuration that would allow XRDP & the AAD auth module to work together. Any suggestions?
No it will not work with XRDP at this time. Only via SSH.
Thanks @MicahMcKittrick.
My requirement is that users can RDP to an Ubuntu 16.04 VM in Azure from our on-premise network and be authenticated using their AAD credentials. Would it be more appropriate to domain join the VMs? Thanks.
Phil
Correct. That would be the path to take for now :)
Thanks for your feedback. The doc has been updated to include network requirements for Azure AD authentication for Linux VMs in Azure.
@SanDeo-MSFT You should be using commit messages like this: https://help.github.com/en/github/managing-your-work-on-github/closing-issues-using-keywords#closing-an-issue-in-the-same-repository
That would auto close the issue and create a link between the commit and this issue; also it would be a way better commit message than "Update login-using-aad.md" :)
For reference: Issue is fixed by 69e3426172ac16dc5611888ca6e4e5c10eb27c01