asp.net-mvc docker asp.net-web-api azure-service-fabric azure-container-registry

Service fabric hosted Asp.net WebApi Container application : 403 - Forbidden : Access is denied. on local cluster

I'm trying to do a lift and shift of a Asp.net MVC application . I've containarized my Asp.Net WebApi application and deployed it AzureContainerRegistry and i'm referencing the container in a service fabric application. My ServiceManifest looks like this

<?xml version="1.0" encoding="utf-8"?>
<ServiceManifest Name="BookingApiServicePkg"
                 Version="1.0.0"
                 xmlns="http://schemas.microsoft.com/2011/01/fabric"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ServiceTypes>
    <StatelessServiceType ServiceTypeName="BookingApiServiceType" UseImplicitHost="true" />
  </ServiceTypes>


  <CodePackage Name="Code" Version="1.0.0">
    <EntryPoint>
      <ContainerHost>
        <ImageName>bookingacr.azurecr.io/bookingapi</ImageName>
      </ContainerHost>
    </EntryPoint>
  </CodePackage>

  <ConfigPackage Name="Config" Version="1.0.0" />    
  <Resources>
    <Endpoints>
      <Endpoint Name="BookingApiServiceTypeEndpoint"   Port="62651"  UriScheme="http" Protocol="http"/>
    </Endpoints>
  </Resources>
</ServiceManifest>

And the Application manifest looks like this

<ApplicationManifest ApplicationTypeName="BookingApiType"
                     ApplicationTypeVersion="1.0.0"
                     xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Parameters>
    <Parameter Name="BookingApiService_InstanceCount" DefaultValue="-1" />
  </Parameters>     
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="BookingApiServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <ContainerHostPolicies CodePackageRef="Code" ContainersRetentionCount="2"  RunInteractive="true">
        <HealthConfig IncludeDockerHealthStatusInSystemHealthReport="true" RestartContainerOnUnhealthyDockerHealthStatus="false" />
        <PortBinding ContainerPort="80" EndpointRef="BookingApiServiceTypeEndpoint" />
      </ContainerHostPolicies>
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>   
    <Service Name="BookingApiService" ServicePackageActivationMode="ExclusiveProcess">
      <StatelessService ServiceTypeName="BookingApiServiceType"  InstanceCount="[BookingApiService_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
</ApplicationManifest>

The Url that gets generated is the MachineName:PortNumber (http://desktopm423:62651on my local system) but when accessing it it shows a

403 - Forbidden: Access is denied.

when deployed to a ServiceFabric instance i get and IP Address and the message is

Service Not found

Solution

It looks like you have a certificate service fabric certificate problem , you have to add all your certificate in the computer local Cert/ root and in all the current user cert

As long as you do not configure any Andmin Client Certificate all your request to the Explorer (:19080/Explorer) end up with an 403.

You can add an Thumbprint of an Admin Client Certificate in the Portal:

Following is the ARM setting for the same:-

{
  "type": "Microsoft.ServiceFabric/clusters",
  ...
  "properties": {
    ...
    "ClientCertificateThumbprints": [
      {
        "CertificateThumbprint": "THUMBPRINT_HERE",
        "IsAdmin": true
      }
    ],
  ...
  }
}