Azure / azure-cli

Azure Command-Line Interface
MIT License

`az login` fails: OSError: [WinError -2146893813] #20231

Open vperala opened 2 years ago

vperala commented 2 years ago

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az login

Errors:

The command failed with an unexpected error. Here is the traceback:
[WinError -2146893813] : ''
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 657, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 691, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 145, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 121, in login_with_auth_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1488, in acquire_token_interactive
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 660, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 714, in _obtain_token_by_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 771, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 523, in <lambda>
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 44, in modify
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 35, in _reload_if_necessary
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 172, in load
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 111, in unprotect
OSError: [WinError -2146893813] : ''

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.30.0

Additional Context

yonzhan commented 2 years ago

This is the parent issue of "WinError -2146893813"

jiasli commented 2 years ago

+ MSAL developer @rayluo

Same as https://github.com/Azure/azure-cli/issues/17186 happened for the old beta version.

@vperala, have you copied .azure from/to another computer? Could you share the detailed steps you followed to trigger this error? Thanks.

rayluo commented 2 years ago

Agree with @jiasli 's triage. By the way, a suggestion to @jiasli : you can convert this issue into a Q&A in Az CLI's Github Discussion, and then select your answer as "chosen answer". This way, it remains visible to future customers, therefore you can safely close those stale issues like #17186.

Or even better, either Az CLI or MSAL EX could perhaps catch that exception and convert it to something like RuntimeError: Unable to decrypt token cache. Did you copy token cache from another computer?

vperala commented 2 years ago

Hi Jiasli, My issue was resolved after deleting all the files and folders under C:\Users\.azure folder and tried to reinstall Azure CLI from Windows PowerShell (run as Administrator) with the below command. It's working fine now.

Command:

$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Thanks!!

rayluo commented 2 years ago

My issue was resolved after deleting all the files and folders under C:\Users.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now.

Congrats @vperala for recovering from the issue. Can you tell us more on the history of that C:\Users\username\.azure folder? Did you manually copy it from a different computer?

jiasli commented 2 years ago

it could be a sequence of operation causing our token cache file to be created unencrypted (by older version of Az CLI?)

The old ADAL-based Azure CLI saves tokens to ~/.azure/accessTokens.json, while the new MSAL-based Azure CLI saves tokens to ~/.azure/msal_token_cache.json or ~/.azure/msal_token_cache.bin (encrypted), so they work independently.

lucianbalaban commented 2 years ago

Hi @jiasli, I get the same error. Here are my repro steps:

full log is here:

The command failed with an unexpected error. Here is the traceback:
[WinError -2146893813] : ''
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 149, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in <lambda>
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 67, in modify
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 58, in _reload_if_necessary
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 180, in load
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 114, in unprotect
OSError: [WinError -2146893813] : ''

lucianbalaban commented 2 years ago

Update:

I tried using the command with a different Windows user account and it worked fine. So I deleted the C:\Users\<user>\.azure

And it works.

Maybe, upgrade command should be updated to remove the conflictual configuration.

jiasli commented 2 years ago

@lucianbalaban, I don't think this is related to upgrade, as we didn't change any code for token encryption between 2.31.0 and 2.32.0.

jiasli commented 2 years ago

Questions

Workaround

First, you may try to clear the credential cache and re-login:

az account clear
az login

If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)

az config set core.encrypt_token_cache=false
az login

lucianbalaban commented 2 years ago

Hi, my error was solved by deleting the .azure folder. I cannot replicate it anymore.

If it happens again, I will try the az account clear

Thanks!

On Fri, Jan 7, 2022 at 8:40 AM Jiashuo Li @.***> wrote:

Workaround

First, you may try to clear the credential cache and re-login:

az account clear

az login

If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)

az config set core.encrypt_token_cache=false

az login


jiasli commented 2 years ago

@Christopher-Balnaves, "RuntimeError: 0. The ID token is not yet valid." is irrelevant to this issue.

antonGritsenko commented 2 years ago

I was able to catch this after local user password reset. Deletion of the .azure solved it.

aleksandr-maksimov-stenn commented 2 years ago

Got this error from terraform plan in SSH session. Full error: Error: obtaining Authorization Token from the Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError

pabrams commented 2 years ago

PS F:\> (New-Object System.Net.WebClient).Proxy.Credentials = `

PS F:\> az login
az : WARNING: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
At line:1 char:1

ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: [WinError 0] : ''
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in <lambda>
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 67, in modify
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 58, in _reload_if_necessary
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 180, in load
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 114, in unprotect
OSError: [WinError 0] : ''
To open an issue, please run: 'az feedback'

PS F:\> $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
PS F:\> az account clear
PS F:\> az login
az : WARNING: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

ERROR: Decryption failed: [WinError 0] None.
App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20278

PS F:\> az config set core.encrypt_token_cache=false
az : WARNING: Command group 'config' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
At line:1 char:1
+ az config set core.encrypt_token_cache=false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: Comman...s/CLI_refstatus:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

PS F:\> az login
az : WARNING: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

ERROR: ('Cannot connect to proxy.', NewConnectionError(': Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
PS F:\>

samhodgkinson commented 2 years ago

From a fresh machine installation of Windows 11, Azure CLI installed and upgraded by using chocolatey. The first login was after the upgrade, where I received the error within #22937. Once the C:\Users\.azure folder had been removed authentication worked.

rdurell commented 2 years ago

I ran into the same issue today. I had a password change several days ago, needed to run an az command today which prompted me that the grant was no longer valid. Was able to az login again and work as expected. Several hours later, I started seeing this issue with any az command. I was able to move forward by deleting msal_token.cache.bin and msal_http_cache.bin and relogging in.

jeiesel commented 2 years ago

Hi Jiasli, My issue was resolved after deleting all the files and folders under C:\Users.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now.

Command:

$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Thanks!!

This solution worked for me properly with 'az cli v2.38.0' thanks!

zahasoftware commented 2 years ago

For me worked removing .azure folder: C:\users\.azure

Before it I've executed the command too: az upgrade

But removing the folder just could work. The problem I think was when I used Az Cloud Shell and PowerShell together

jhursey commented 2 years ago

I started getting the error in 2.36.0. Tried upgrading to 2.39.0 but continued to get the same error. Deleting the .Azure worked like a charm for me.

thomasjsweet commented 1 year ago

Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231

deleting the .Azure folder as mentioned above resolved it.

lucadistefano commented 1 year ago

Here same error:

 az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231

After deleting the folder .Azure in the home directory, the issue is solved

az --version
azure-cli                         2.43.0

core                              2.43.0
telemetry                          1.0.8

Dependencies:
msal                              1.20.0
azure-mgmt-resource             21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\pb00018\.azure\cliextensions'

Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

eohlde commented 1 year ago

Also facing this issue after rotating the password for a Service Principal.

usage:

az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT

Here is the error: Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError

azure-cli                         2.46.0

core                              2.46.0
telemetry                          1.0.8

Dependencies:
msal                              1.20.0
azure-mgmt-resource             21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\buildadmin\.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

deleting the 'msal_http_cache.bin', 'msal_token_cache.bin', 'service_principal_entries.bin' files fixed the problem.

rayluo commented 1 year ago

Also facing this issue after rotating the password for a Service Principal.

usage:

az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT

@jiasli, unlike most other reports here, this report provided repro steps. Do you think that code path would alter the token cache file?

jiasli commented 1 year ago

Yes. az login --service-principal saves the service principal credential to service_principal_entries.bin and access tokens to msal_token_cache.bin.

kierke-gaard commented 1 year ago

After I changed my windows 11 password, I couldn't use my az cli anymore. For whatever command I'm getting: "Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError"

After deleting in the .azure folder msal_*.bin and relogging it works like a charm again

rayluo commented 1 year ago

After I changed my windows 11 password, I couldn't use my az cli anymore. For whatever command I'm getting: "Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError"

After deleting in the .azure folder msal_*.bin and relogging it works like a charm again

Token cache is protected by DPAPI, which seems to be affected by a password reset. @jiasli, do we consider adding this as a hint in our error message?

andersnygaard commented 1 year ago

Can confirm that deleting your C:\users\.azure folder and reinstalling the Azure CLI solves the problem. No obvious explanation as to why this problem occurs in the first place.

zachgalvin commented 1 year ago

I ran into this as well on a Windows VM where I ran az login --tenant {tenant name} for the first time after resetting my password on the VM through the Azure portal (maybe that has the same effect as resetting the password from computer management, which causes this issue?).

In addition to what kierke-gaard got, I got a message with a bit more info when I passed the "--debug" option:

msal_extensions.persistence.PersistenceDecryptionError: [Errno -2146893813] Decryption failed: [Errno -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError: 'C:\\Users\\myuser\\.azure\\msal_token_cache.bin

Based on that Github wiki in the error message, I figured that the file it printed at the end was the file it was having trouble with (and likely got corrupted with the password reset), so I moved that to my home directory, ran the "az login --tenant {tenant name}" command again, and everything worked! It looks like it regenerated that file with the new login.

sbonds commented 1 year ago

This happened after a routine password reset via AD sync. Lots of Windows internal credential caches were messed up. Based on some advice from Dell based on Windows TPM Error 80090016, I ended up moving the AAD BrokerPlugin directory out of the way and letting Windows repopulate it via a sizable number of manual logins. I suspect this contributed to the MSAL auth failures.

I tried selectively clearing bad login tokens by using "az logout" but this just showed the same error.

Finally, like so many others before me, I moved the .azure directory out of the way and logged back in, which worked.

rayluo commented 1 year ago

This happened after a routine password reset via AD sync. Lots of Windows internal credential caches were messed up. Based on some advice from Dell based on Windows TPM Error 80090016, I ended up moving the AAD BrokerPlugin directory out of the way and letting Windows repopulate it via a sizable number of manual logins. I suspect this contributed to the MSAL auth failures.

I tried selectively clearing bad login tokens by using "az logout" but this just showed the same error.

Finally, like so many others before me, I moved the .azure directory out of the way and logged back in, which worked.

The token cache file is encrypted on Windows. Presumably, the password reset also implicitly changes the encryption/decryption key, so, the entire token cache file is no longer usable. Individual "az logout" won't work in this case because it would still require a successful decryption (and then encryption) to the token cache file.

This would perhaps become an FAQ (if it hasn't already).

jspraul commented 1 year ago

I would agree that the issue is caused by DPAPI, which changes keys if passwords are reset by administrators.

If DPAPI doesn't have the key anymore az login will have to start over, it makes sense to just prompt before deleting the un-decryptable file(s) since 99% of the time it will never be decryptable again. Even az account clear fails with this error in this scenario, it seems like it should be able to truly start over.
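
An added example of the check jspraul describes, written here for this thread and not taken from the azure-cli project or any commenter: a PowerShell script that tests whether each cache file under ~\.azure still unprotects under the current user's DPAPI key (CurrentUser scope with no extra entropy, which is assumed to match what msal_extensions uses on Windows) and moves only the undecryptable files into a timestamped backup folder rather than deleting them. The file names are the ones reported in this thread.

```powershell
# Added example (not azure-cli project code). Checks whether the DPAPI-protected
# MSAL cache files under ~\.azure can still be decrypted by the current Windows
# user; the ones that cannot are moved into a timestamped backup folder rather
# than deleted, so 'az login' can recreate them and nothing is lost silently.
# Assumption: msal_extensions protects these files with CryptProtectData in
# CurrentUser scope and without extra entropy (believed to be its Windows default).
Add-Type -AssemblyName System.Security

$azureDir   = Join-Path $env:USERPROFILE '.azure'
# File names reported in this thread as being encrypted on Windows.
$cacheFiles = @('msal_token_cache.bin', 'msal_http_cache.bin', 'service_principal_entries.bin')

function Test-DpapiReadable {
    param([Parameter(Mandatory)][string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    if ($blob.Length -eq 0) { return $true }   # empty file: nothing to decrypt
    try {
        $null = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return $true
    } catch {
        # An administrator-driven password reset leaves the user's DPAPI master key
        # unusable; this is where "Key not valid for use in specified state"
        # (HRESULT -2146893813) surfaces for the files discussed in this thread.
        Write-Warning ("{0}: {1}" -f (Split-Path $Path -Leaf), $_.Exception.Message)
        return $false
    }
}

$backupDir = Join-Path $azureDir ('undecryptable-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$moved = @()

foreach ($name in $cacheFiles) {
    $path = Join-Path $azureDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if (Test-DpapiReadable -Path $path) {
        Write-Host "$name decrypts with the current user's DPAPI key; leaving it in place."
        continue
    }
    if (-not (Test-Path -LiteralPath $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    # Move, don't delete: the backup can be discarded once a fresh login works.
    Move-Item -LiteralPath $path -Destination (Join-Path $backupDir $name)
    $moved += $name
}

if ($moved.Count -gt 0) {
    Write-Host ("Moved {0} to {1}. Run 'az login' to rebuild the cache, then remove the backup." -f ($moved -join ', '), $backupDir)
    Write-Host "Note: accounts registered with the Windows broker (WAM) are not touched by this."
} else {
    Write-Host "Every cache file decrypts; the failure is probably not a DPAPI key change (re-run az with --debug)."
}
```

Because the script only unprotects into memory and never writes plaintext to disk, it is safe to run before deciding whether core.encrypt_token_cache=false is really needed.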

rayluo commented 1 year ago

I would agree that the issue is caused by DPAPI, which changes keys if passwords are reset by administrators.

If DPAPI doesn't have the key anymore az login will have to start over, it makes sense to just prompt before deleting the un-decryptable file(s) since 99% of the time it will never be decryptable again. Even az account clear fails with this error in this scenario, it seems like it should be able to truly start over.

I'll leave it to this issue's assignee (@jiasli) to decide whether Azure CLI's az account clear shall remove the token file without attempting to decrypt it.

fultonm commented 1 year ago

I am getting this error on a transient basis. I have a python script so the VM can deallocate itself under some condition, and my logs show this error prevented that from happening. It failed many times consecutively throughout the night as the condition was met, but as soon as I tried the commands in a new Powershell window, they worked.

I did not decrypt, clear anything, or do anything that would mitigate the issue other than opening a new PowerShell window. I manually ran the az login and deallocate command, using the exact same parameters and service principal *.pem file, it worked fine.

Logs for az login when run by the script:

CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:06,674 | INFO | az_command_data_logger | command args: login --service-principal --username {} --tenant {} --password {}
CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:07,752 | ERROR | az_command_data_logger | Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:07,752 | INFO | az_command_data_logger | exit code: 1

Logs for az login when run in new powershell window (works):

CMD-LOG-LINE-BEGIN 5360 | 2023-04-16 16:02:47,194 | INFO | az_command_data_logger | command args: login --service-principal --username {} --tenant {} --password {}
CMD-LOG-LINE-BEGIN 5360 | 2023-04-16 16:02:48,774 | INFO | az_command_data_logger | exit code: 0

This is on a new installation; I have not upgraded Azure CLI or moved any /.azure folder on this VM since it was first created.

Azure CLI 2.47.0 on Windows Server 2019 Datacenter

rayluo commented 1 year ago

a python script so the VM can deallocate itself under some condition, and my logs show this error prevented that from happening. It failed many times consecutively throughout the night as the condition was met, but as soon as I tried the commands in a new Powershell window, they worked.

Was your script running without a user logged in? On some other platforms, the token encryption/decryption does not work without an active user login session. This may or may not be the case on Windows, though.

pabrams commented 1 year ago

You need to reticulate your splines.

fultonm commented 1 year ago

Probably. Yes it was running as an account that didn't necessarily log in and I didn't think that should be a requirement? I switched to Linux to solve this problem :)

reismade commented 1 year ago

I had the same issue with az version 2.49.0. I'm running Windows 10. I did not change my password in the past few weeks, and I never used the azure client on this computer. This is a company device, and I also didn't use the azure client on my previous ones. Until now, I connected to a jumphost via ssh that had the azure cli installed, but now I can't because our infra department changed their MFA policy, and I can only use azure cli on the same computer on which I opened the browser and logged in. I deleted the .azure folder and reinstalled azure cli. az account clear produced the same error. Nothing helped, except for

az config set core.encrypt_token_cache=false

Now it works. But it keeps me wondering what else is broken or will be in the future. It's an "experimental feature" anyway.

Microsoft, why can't we have nice tools? Or proper error messages? Or our problems taken care of?

pabrams commented 1 year ago

set core.encrypt_token_cache=false is always the answer. Every time it happens to me or anyone I know, anyway.

skironDotNet commented 10 months ago

az login

A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.

It did open in the browser all ok, and got this in the console

Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError

skironDotNet commented 10 months ago

The solution was to delete files in $HOME/.azure

Krishnapapineni commented 9 months ago

clibot unresolve the issue

jiasli commented 8 months ago

23828 relies on msal_token_cache.bin to retrieve MSAL accounts and log out from WAM:

https://github.com/Azure/azure-cli/blob/b00483c1a1cd17053af5c483f62b11c829f4c27d/src/azure-cli-core/azure/cli/core/auth/identity.py#L208-L216

If msal_token_cache.bin can't be accessed, even az account clear will fail with OSError: [WinError -2146893813]. We have to manually delete ~/.azure/msal_token_cache.bin, but this will leave those accounts still in WAM.

@rayluo, I think we do need a way to log out of WAM even when msal_token_cache.bin is broken/lost/cannot be accessed.

rayluo commented 8 months ago

23828 relies on msal_token_cache.bin to retrieve MSAL accounts and log out from WAM:

https://github.com/Azure/azure-cli/blob/b00483c1a1cd17053af5c483f62b11c829f4c27d/src/azure-cli-core/azure/cli/core/auth/identity.py#L208-L216

If msal_token_cache.bin can't be accessed, even az account clear will fail with OSError: [WinError -2146893813]. We have to manually delete ~/.azure/msal_token_cache.bin, but this will leave those accounts still in WAM.

@rayluo, I think we do need a way to log out of WAM even when msal_token_cache.bin is broken/lost/cannot be accessed.

How about MSAL Python switch its internal order to remove the WAM accounts first, and then attempt removing accounts from msal_token_cache.bin? That way, you will still see the same exception, but at least the WAM account would have been purged.
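The recovery path jiasli describes above (az account clear itself fails when msal_token_cache.bin cannot be decrypted, so the file has to be removed by hand, and the WAM accounts are left behind) can be scripted. The PowerShell below is an added example, not code from this thread or from the Azure CLI project: it tries az account clear first, and only if that fails does it move the cache file aside and sign in again. It assumes az is on PATH and that the cache lives under $HOME\.azure, the path named in the thread.

```powershell
# Added example (not from the issue or the Azure CLI project): recover from a
# token cache that the CLI can no longer decrypt, following the steps in the thread.
# Assumes `az` is on PATH and the cache is at $HOME\.azure\msal_token_cache.bin.

$azureDir  = Join-Path $HOME '.azure'
$cacheFile = Join-Path $azureDir 'msal_token_cache.bin'

function Invoke-AzAccountClear {
    # Returns $true when `az account clear` succeeds, $false when it fails
    # (the thread shows it failing with OSError: [WinError -2146893813]).
    $output = & az account clear 2>&1
    if ($LASTEXITCODE -eq 0) { return $true }
    Write-Warning "az account clear failed (exit $LASTEXITCODE): $output"
    return $false
}

if (-not (Invoke-AzAccountClear)) {
    if (Test-Path $cacheFile) {
        # Move the file aside instead of deleting it; it stays encrypted on disk,
        # and keeping it lets you confirm later which file was the culprit.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = "$cacheFile.$stamp.bak"
        Move-Item -Path $cacheFile -Destination $backup
        Write-Host "Moved undecryptable cache to $backup"
    }
    # Caveat from the thread: removing the file does not sign the accounts out
    # of WAM, so those accounts remain registered with Windows.
}

# Sign in again; the CLI recreates the cache on success.
& az login
```

Run it in the same user session that will use az afterwards; the new cache is encrypted for that user, so a cache created under one account is not usable by another.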

khroolick commented 5 months ago

Had to change machine, fresh Windows installation. User data moved from previous machine. Installed Azure Command-Line Interface, invoked az login, received:

A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231

so I'm reporting here as you wished!

Expected behavior: login successful (your app should cleanup/recreate any caches automatically and just work like any other application I'm installing now)

rayluo commented 5 months ago

Had to change machine, fresh Windows installation. User data moved from previous machine. installed Azure Command-Line Interface

I believe the Azure CLI attempts to reuse the user data that you copied from your previous machine. That data was encrypted on your old machine and is no longer decryptable on a new machine. The error would be expected in such a case. Just think of it as: someone else copying your user data won't be able to steal your tokens.

Just delete the C:\Users\<user>\.azure and start new login afresh.
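The behaviour rayluo describes (a cache encrypted on one machine that cannot be read on another) is that of Windows DPAPI, which protects the token cache on Windows while core.encrypt_token_cache is on. The PowerShell below is an added example, not code from this thread or from the CLI project: it protects a constructed byte string under the CurrentUser DPAPI scope, reads it back, and shows the exception branch that surfaces as WinError -2146893813 when the blob is decrypted by a different user or on a different machine. It assumes Windows PowerShell 5.1 and no optional DPAPI entropy (whether the CLI's persistence layer adds entropy is not stated on this page).

```powershell
# Added example: DPAPI round trip showing why a copied msal_token_cache.bin
# cannot be read on another machine. Sample data is constructed, not a real cache.
Add-Type -AssemblyName System.Security

function Protect-SampleCache {
    param([string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    # CurrentUser scope: the master key derives from this user's logon credential
    # on this machine, so the blob is bound to both. No optional entropy is used
    # here (assumption; the page does not say what the CLI passes).
    return [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-SampleCache {
    param([byte[]]$Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Decrypting as another user or on another machine lands here.
        # HRESULT 0x8009000B is the -2146893813 in the thread's traceback
        # ("Key not valid for use in specified state").
        Write-Warning ("Decryption failed (HRESULT 0x{0:X8}): {1}" -f
            $_.Exception.HResult, $_.Exception.Message)
        return $null
    }
}

$blob = Protect-SampleCache -Text 'constructed sample cache contents'

# Same user, same machine: the round trip succeeds and prints the sample text.
Unprotect-SampleCache -Blob $blob

# Persist the blob the way a profile copy would. Reading this file back under the
# same user on this machine works; under another user or after moving the file to
# another machine, Unprotect-SampleCache returns $null and emits the warning above.
$path = Join-Path $env:TEMP 'dpapi-sample.bin'
[System.IO.File]::WriteAllBytes($path, $blob)
Unprotect-SampleCache -Blob ([System.IO.File]::ReadAllBytes($path))
```

This is also why disabling encryption with core.encrypt_token_cache=false makes the error go away: the cache is then written without DPAPI, so nothing binds it to the user or machine, and the tokens in it are correspondingly readable by anything that can read the file.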

jayeshpatel6 commented 2 months ago

Az login failing with:

az login A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code. Decryption failed: [WinError -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231

missymessa commented 2 months ago

This error is also occurring for me in two different Azure DevOps pipelines.

vhvb1989 commented 2 months ago

Getting this from Azure DevOps (Windows) using a pwsh task

steps:
  - pwsh: |
      az login `
        --service-principal `
        -u "$($ApplicationId)" `
        -p "$($ApplicationSecret)" `
        --tenant "$($TenantId)"

error:

ERROR: Decryption failed: [WinError -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231

noahpauls-msft commented 2 months ago

Also seeing this issue in ADO pipelines when attempting to deploy ARM templates using AzureResourceManagerTemplateDeployment (3.240.0)