Merge pull request #8804 from MicrosoftDocs/main

Auto push to live 2025-04-25 10:02:02

Author: Deland-Han

support/azure/virtual-machines/linux/support-linux-open-source-technology.md

@@ -4,7 +4,7 @@ description: Describes support for Linux distributions and open-source technolog
 ms.service: azure-virtual-machines
 ms.custom: sap:VM Admin - Linux (Guest OS), linux-related-content
 ms.topic: article
-ms.date: 03/28/2025
+ms.date: 04/25/2025
 ms.reviewer: patcatun, clausw, divargas, rondom, azurevmlnxcic, v-weizhu
 ---
 
@@ -35,6 +35,8 @@ Microsoft Azure supports the [Linux operating system](https://azure.microsoft.co
 Microsoft Support provides assistance for the Azure platform or services. Microsoft also provides commercially viable support for Linux. A support plan is required to receive Microsoft Support.
 
 - Azure Marketplace offers various Linux distributions. Microsoft provides support for Linux customers, but they might need to work with specific Linux vendors for further assistance. These vendors might be required to deliver distribution-specific fixes.
+  - **Red Hat and SUSE PAYG images:** Microsoft Support manages the first levels of Linux support and will engage the vendor if required.
+  - **Red Hat and SUSE BYOS images**: Customers might contact the vendor directly for support. The vendor is primarily responsible for Linux support; however, Microsoft can provide additional assistance if required.
 - In Azure Marketplace, you may select a highly customized Linux image, such as a firewall appliance. Microsoft provides assistance for these images, but the Linux vendor must be engaged to troubleshoot specific system-related problems. Microsoft may collaborate with the vendor for those issues.
 - Microsoft Support doesn't assist customers for basic Linux administration, design, architecture, or deployment of applications or solutions on Azure.
 - The ability to customize Linux is one of the hallmarks of the operating system. We encourage you to use a Linux solution that benefits your organization. However, the Linux vendor may not support some modifications, such as custom kernels or modules. For vendor support, you may be required to use stock kernels or libraries for your image.

support/entra/entra-id/app-integration/asp-dot-net-application-infinite-sign-in-loop.md

@@ -0,0 +1,145 @@
+---
+title: Infinite Sign-in Loop Between ASP.NET Application and Microsoft Entra ID
+description: Helps you resolve an infinite sign-in loop issue between an ASP.NET application and with Microsoft Entra ID when performing sign in.
+ms.date: 04/25/2025
+ms.reviewer: bachoang, v-weizhu
+ms.service: entra-id
+ms.custom: sap:Developing or Registering apps with Microsoft identity platform
+---
+
+# Infinite sign-in loop between ASP.NET application and Microsoft Entra ID
+
+This article provides solutions to an issue where an ASP.NET application experiences an infinite redirect loop during signing in with Microsoft Entra ID.
+
+## Symptoms
+
+An ASP.NET application running an earlier version of Open Web Interface for .NET (OWIN) middleware fails to recognize an authenticated request from Microsoft Entra ID. It keeps sending the request back to Microsoft Entra ID for signing in, leading to the infinite loop issue. The following error message might be displayed in the browser:
+
+> We couldn't sign you in. Please try again.
+
+## Cause
+
+This issue occurs due to a cookie mismanagement issue (a [known Katana bug](https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues)) in the earlier version of OWIN.
+
+### How to recognize the Katana bug
+
+Capture a Fiddler trace and examine one of the later redirect frames back to the web application. Note in the following screenshot, the request in frame 58 contains multiple OpenIdConnect.nonce cookies (red-circled). In a working scenario, you should only have one OpenIdConnect.nonce cookie set at the beginning before authentication. After the request is successfully authenticated, this nonce cookie is destroyed and ASP.NET sets its own session cookie. Because of this bug, you see a buildup of these nonce cookies.
+
+:::image type="content" source="media/asp-dot-net-application-infinite-sign-in-loop/openidconnet-nonce-cookies.png" alt-text="Screenshot that shows multiple OpenIdConnect nonce cookies." lightbox="media/asp-dot-net-application-infinite-sign-in-loop/openidconnet-nonce-cookies.png":::
+
+## Solution 1: Upgrade to ASP.NET Core
+
+The issue is resolved in ASP.NET Core and a later version of Katana OWIN for ASP.NET. To resolve this issue, upgrade your application to use ASP.NET Core.
+
+If you must continue to use ASP.NET, perform the following actions:
+
+- Update your application's Microsoft.Owin.Host.SystemWeb package to version 3.1.0.0 or later.
+- Modify your code to use one of the new cookie manager classes, for example:
+
+    ```csharp
+    app.UseCookieAuthentication(new CookieAuthenticationOptions 
+    { 
+        AuthenticationType = "Cookies", 
+        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager() 
+    });
+    ```
+    or
+    
+    ```csharp
+    app.UseCookieAuthentication(new CookieAuthenticationOptions() 
+    { 
+        CookieManager = new SystemWebCookieManager() 
+    });
+    ```
+
+## Solution 2: Correct the redirect URL
+
+In some cases where the application is hosted under a virtual directory or an application instead of the root of the web site, [solution 1](#solution-1-upgrade-to-aspnet-core) might not work. For more information, see [Infinite re-direct loop after AAD Authentication when redirect is specified](https://stackoverflow.com/questions/44397715/infinite-re-direct-loop-after-aad-authentication-when-redirect-is-specified) and [Microsoft Account OAuth2 sign-on fails when redirect URL is not under the website root](https://github.com/aspnet/AspNetKatana/issues/203).
+
+For example, suppose you have the following environment:
+
+- The root of a web site: `https://mysite` – This site runs under *Application Pool 1*.
+- An application *test2* under the root: `https://mysite/test2` – This application runs under *Application Pool 2*.
+- Your ASP.NET application runs under the *test2* application with the following code:
+
+    ```csharp
+    public void Configuration(IAppBuilder app)
+            {
+                // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
+                app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
+                app.UseCookieAuthentication(new CookieAuthenticationOptions());
+                app.UseOpenIdConnectAuthentication(
+                    new OpenIdConnectAuthenticationOptions
+                    {
+                        // Sets the ClientId, authority, RedirectUri as obtained from web.config
+                        ClientId = clientId,
+                        Authority = authority,
+                        RedirectUri = "https://mysite/test2",
+                        // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
+                        PostLogoutRedirectUri = redirectUri,
+                        Scope = OpenIdConnectScope.OpenIdProfile,
+                        // ResponseType is set to request the id_token - which contains basic information about the signed-in user
+                        ResponseType = OpenIdConnectResponseType.IdToken,
+                        // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
+                        // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
+                        // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
+    
+                        // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
+                        
+                        Notifications = new OpenIdConnectAuthenticationNotifications
+                        {
+                            AuthenticationFailed = OnAuthenticationFailed
+                        }
+    
+                    }
+                );
+            }
+    ```
+
+- You use the following code to trigger the sign-in flow:
+    
+    ```csharp
+    public void SignIn()
+            {
+                if (!Request.IsAuthenticated)
+                {
+                    HttpContext.GetOwinContext().Authentication.Challenge(
+                        new AuthenticationProperties { RedirectUri = "/" },
+                        OpenIdConnectAuthenticationDefaults.AuthenticationType);
+                }
+            }
+    ```
+
+This scenario can result in an authentication infinite loop with a buildup of multiple OpenIdConnect.nonce cookies. The difference is that ASP.NET doesn't appear to set its authenticated session cookies. To resolve the issue in such scenario, set the redirect URLs in the OpenID Connect initialization code and the `Challenge` method (note the trailing slash in the redirect URL):
+
+```csharp
+app.UseOpenIdConnectAuthentication(
+                new OpenIdConnectAuthenticationOptions
+                {
+                    // Sets the ClientId, authority, RedirectUri as obtained from web.config
+                    ClientId = clientId,
+                    Authority = authority,
+                    RedirectUri = "https://mysite/test2/",
+                    // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
+                    PostLogoutRedirectUri = redirectUri,
+                    Scope = OpenIdConnectScope.OpenIdProfile,
+...
+```
+
+```csharp
+ public void SignIn()
+        {
+            if (!Request.IsAuthenticated)
+            {
+                HttpContext.GetOwinContext().Authentication.Challenge(
+                    new AuthenticationProperties { RedirectUri = "/test2/" },
+                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
+            }
+        }
+```
+
+## References
+
+- [Infinite redirects with ASP.NET OWIN and OpenID Connect](https://varnerin.info/infinite-redirects-with-aspnet-owin-and-openid-connect/)
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/app-integration/media/asp-dot-net-application-infinite-sign-in-loop/openidconnet-nonce-cookies.png

@@ -63,6 +63,8 @@
         href: app-integration/enable-msal4j-logging-spring-boot-webapp.md
       - name: Repeated login prompts in iOS MSAL implementation
         href: app-integration/repeat-login-prompts-in-msal-ios-app.md
+      - name: Infinite sign-in loop issue with ASP.NET applications
+        href: app-integration/asp-dot-net-application-infinite-sign-in-loop.md
 
 
   - name: Troubleshoot adding apps
@@ -295,7 +297,6 @@
      items:
       - name: Python scripts making requests are detected as web crawlers
         href: users-groups-entra-apis/python-scripts-microsoft-graph-requests-detected-as-web-crawler.md
-
 - name: Microsoft Entra User Provisioning and Synchronization
   items:
   - name: User Sign-in or password Problems

support/entra/entra-id/toc.yml

@@ -0,0 +1,108 @@
+---
+title: Scripts to Check and Clean the AGPM Archive That Causes GPO Operation Issues
+description: Introduces a script to check and clean up the AGPM archive that might lead to GPO operation issues.
+ms.date: 04/25/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: garymu
+ms.custom:
+- sap:group policy\group policy management (gpmc or gpedit)
+- pcy:WinComm Directory Services
+---
+# Scripts: Check and clean up the AGPM archive that might lead to GPO operation issues
+
+_Applies to:_   Advanced Group Policy Manager 4.0 SP3
+
+The sample script included in this article can assist with archive inconsistencies that lead to errors in managing Group Policy Objects (GPOs) within the tool.
+
+Examples of errors that can occur if there's inconsistent information in the **gpostate.xml** file:
+
+```output
+Create GPO: Test...Failed.
+[Error] The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
+--------------------------------------------------------------------------------------------------------
+1 actions failed.
+```
+
+## Script
+
+Here's what the script does:
+
+1. Stops the Advanced Group Policy Management (AGPM) service.
+2. Scans the **gpostate.xml** file and removes references (if any) to archive nonexistent or incomplete GUID folders.
+3. Renames the **gpostate.xml** file with a timestamp if any changes are detected and saves a new **gpostate.xml** file.
+4. Starts the AGPM service.
+
+[!INCLUDE [Script disclaimer](../../includes/script-disclaimer.md)]
+
+```powershell
+Write-Host "Stopping AGPM Service"
+Stop-Service "AGPM Service" -ErrorAction Stop
+$AGPMArchivePath = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\AGPM" -Name "ArchivePath" -ErrorAction Stop
+$AGPMFile =$AGPMArchivePath + "gpostate.xml"
+[xml]$AGPMArchive = Get-Content -Path $AGPMFile -ErrorAction Stop
+$bChangesMade = $false
+foreach( $GPODomain in $AGPMArchive.Archive.GPODomain )
+{
+Write-Host "Processing archive information for domain: $($GPODomain.domain)"
+$ArchiveGPO = if( $GPODomain.GPO -is [array] ){ $GPODomain.GPO[0] } else { $GPODomain.GPO }
+While( $ArchiveGPO -ne $null )
+{
+$TempGPONext = $ArchiveGPO.NextSibling
+Write-Host "Checking GPO $($ArchiveGPO.id)"
+if( $ArchiveGPO.state.archiveId -ne $null ){
+$TestArchivePath = $AGPMArchivePath + $ArchiveGPO.state.archiveId
+if( -not (Test-Path $TestArchivePath ) )
+{
+Write-Host "$($ArchiveGPO.state.archiveId) is not in archive - Removing"
+$ArchiveGPO.ParentNode.RemoveChild($ArchiveGPO) > $null
+$bChangesMade = $true
+}
+}
+else
+{
+$ArchiveGPOHistoryItem = $ArchiveGPO.History.FirstChild
+While( $ArchiveGPOHistoryItem -ne $null )
+{
+$TempNext = $ArchiveGPOHistoryItem.NextSibling
+$TestArchivePath = $AGPMArchivePath + $ArchiveGPOHistoryItem.archiveId
+if( -not (Test-Path -Path $TestArchivePath) )
+{
+Write-Host "History '$($ArchiveGPOHistoryItem.archiveId)' for State '$($ArchiveGPOHistoryItem.state)' on '$($ArchiveGPOHistoryItem.time)' is not in archive - Removing"
+$ArchiveGPOHistoryItem.ParentNode.RemoveChild($ArchiveGPOHistoryItem) > $null
+$bChangesMade = $true
+}
+elseif( -not (Test-Path -Path ($TestArchivePath + "\bkupinfo.xml") ) )
+{
+Write-Host "'$($ArchiveGPOHistoryItem.archiveId)' does not have bkupinfo.xml - Removing"
+$ArchiveGPOHistoryItem.ParentNode.RemoveChild($ArchiveGPOHistoryItem) > $null
+$bChangesMade = $true
+}
+$ArchiveGPOHistoryItem = $TempNext
+}
+if( -not $ArchiveGPO.History.HasChildNodes )
+{
+Write-Host "GPO $($ArchiveGPO.id) has no History removing."
+$ArchiveGPO.ParentNode.RemoveChild($ArchiveGPO) > $null
+$bChangesMade = $true
+}
+}
+$ArchiveGPO = $TempGPONext
+}
+}
+if( $bChangesMade )
+{
+$BackupFileName = "gpostate\_bak\_$((Get-Date).ToString('yyyymmdd-hhmmss')).xml"
+Write-Host "Backing up gpostate.xml file to $BackupFileName"
+Move-Item -Path $AGPMFile -Destination ($AGPMArchivePath + $BackupFileName) -Force -ErrorAction Stop
+Write-Host "Saving updates"
+$AGPMArchive.Save($AGPMArchivePath + "gpostate.xml")
+}
+else
+{
+Write-Host "No Changes made."
+}
+Write-Host "Starting AGPM service."
+Start-Service "AGPM Service"
+```

support/windows-server/support-tools/scripts-check-and-cleanup-the-agpm-archive.md

@@ -3145,6 +3145,8 @@ items:
       href: ./support-tools/scripts-retrieve-profile-age-delete-aged-copies.md
     - name: Scripts to view the certificate information in the msDS-KeyCredentialLink attribute
       href: ./support-tools/script-to-view-msds-keycredentiallink-attribute-value.md
+    - name: 'Scripts to check and clean up the AGPM archive'
+      href: support-tools/scripts-check-and-cleanup-the-agpm-archive.md
   - name: TroubleShootingScript toolset (TSS)
     items:
     - name: Introduction to TroubleShootingScript toolset (TSS)