The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription

Question

Trying to script to automate deployement in Azure on VM created on Azure. Everything was just dandy yesterday. I did the setup and alI the services were deploying to their respective subscription.

There were also a number of Azure management certificates hanging around in my certificates area. I've cleared them all out since all but one were very old. I then re-imported the latest publish settings file hoping that by starting from the beginning, everything would be happy again.

And then I logged in today, ran one of my deployment and it said:

The server failed to authenticate the request. 
Verify that the certificate is valid and is associated with this subscription.

No problem, just use the handy-dandy add-azureaccount, it logs me back in, re-run the deployment and again it says:

Set-AzureService : ForbiddenError: The server failed to authenticate the
request. Verify that the certificate is valid and is associated with this
subscription.

Does any one has any idea about how to get authenticate to server ?

All this automation I am doing on A VM created on Azure and installed Teamcity on VM. When i try to run the scripts directly on VM Powershell it works fine But the error occurs when i try to run the Teamcity configuration, It fails in PowerShell Build Step.

It though returns the subscriptions that are there on VM by the command Get-AzureSubscription

[11:31:07][Step 3/3] SubscriptionId : *******

[11:31:07][Step 3/3] SubscriptionName : ****

[11:31:07][Step 3/3] Environment : AzureCloud

[11:31:07][Step 3/3] SupportedModes : AzureServiceManagement

[11:31:07][Step 3/3] DefaultAccount : *******

[11:31:07][Step 3/3] Accounts : *******

[11:31:07][Step 3/3] IsDefault : True

[11:31:07][Step 3/3] IsCurrent : True

[11:31:07][Step 3/3] CurrentStorageAccountName : *******

[11:31:07][Step 3/3] TenantId :

[11:31:07][Step 3/3] SubscriptionId : *******

[11:31:07][Step 3/3] SubscriptionName : *******

[11:31:07][Step 3/3] Environment : AzureCloud

[11:31:07][Step 3/3] SupportedModes : AzureServiceManagement

[11:31:07][Step 3/3] DefaultAccount : *******

[11:31:07][Step 3/3] Accounts : *******

[11:31:07][Step 3/3] IsDefault : False

[11:31:07][Step 3/3] IsCurrent : False

[11:31:07][Step 3/3] CurrentStorageAccountName : tarifficapi

[11:31:07][Step 3/3] TenantId :

[11:31:07][Step 3/3]

[11:31:07][Step 3/3]

[11:31:07][Step 3/3]

[11:31:21][Step 3/3] Set-AzureService : ForbiddenError: The server failed to >authenticate the

[11:31:21][Step 3/3] request. Verify that the certificate is valid and is >associated with this

[11:31:21][Step 3/3] subscription.

[11:31:21][Step 3/3] At line:1 char:1

[11:31:21][Step 3/3] + Set-AzureService -ServiceName $service -Label $deploymentLabel

[11:31:21][Step 3/3] + >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [11:31:21][Step 3/3] + CategoryInfo : CloseError: (:) [Set->AzureService], ComputeCloud

[11:31:21][Step 3/3] Exception

[11:31:21][Step 3/3] + FullyQualifiedErrorId : >Microsoft.WindowsAzure.Commands.ServiceManagemen

[11:31:21][Step 3/3] t.HostedServices.SetAzureServiceCommand

Can any one has idea whats going wrong here ?

Answer 1

I finally got the solution

The error message that I got was

Set-AzureService : ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this >subscription.

It’s a bit misleading because as you can see in the code below (esp: last line), I did set the current storage but why did I get this message?

[05:14:33][Step 3/3] Set-AzureService : ForbiddenError: The server failed to >authenticate the [05:14:33][Step 3/3] request. Verify that the certificate is valid and is >associated with this [05:14:33][Step 3/3] subscription. [05:14:33][Step 3/3] At line:1 char:1 [05:14:33][Step 3/3] + Set-AzureService -ServiceName $service -Label >$deploymentLabel [05:14:33][Step 3/3] + >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [05:14:33][Step 3/3] + CategoryInfo : CloseError: (:) [Set->AzureService], ComputeCloud [05:14:33][Step 3/3] Exception [05:14:33][Step 3/3] + FullyQualifiedErrorId : >Microsoft.WindowsAzure.Commands.ServiceManagemen [05:14:33][Step 3/3] t.HostedServices.SetAzureServiceCommand

The script was working fine when run in VM Powershell but failed when run with Teamcity.

To resolve this I followed the following Steps :

Open Windows Powershell on VM

• Run "Get-AzurePublishSettingsFile". It will ask you to login to Azure and you will get the publish setting file for your Azure Subscription associated with your account.
• Then run "Add-AzureAccount", It will ask you to login and your account will be added to powershell. Login to Azure Portal (manage.windowsazure.com).
• Go to Settings => Management Certificates section. Get the ThumbPrint of the recently added PublishSettingCertificate.
• On Powershell run Import-AzurePublishSettingsFile "path of your publish setting file on VM"
• Run Add-AzureCertificate -serviceName "Your service Name" -certToDeploy (get-item cert:\CurrentUser\MY"Certificate ThumbPrint you got from Azure") Finally "Get-AzureSubscription", to see the subscriptions added on Powershell.

Hope this helps some one :)

Answer 2

Is the user you used in PowerShell directly on the VM the same as the one configured for TeamCity?

I had the same error when I was trying to get the Azure subscriptions via PowerShell using Get-AzureSubscription in an Azure Runbook. It might be that our credential had some RBAC configuration issues.

In my case I created a new (organizational) account and used that instead, which solved my problem. Maybe worth trying?