Open vperala opened 2 years ago
This is the parent issue of "WinError -2146893813"
+ MSAL developer @rayluo
Same as https://github.com/Azure/azure-cli/issues/17186 happened for the old beta version.
@vperala, have you copied .azure
from/to another computer? Could you share the detailed steps you followed to trigger this error? Thanks.
Agree with @jiasli 's triage. By the way, a suggestion to @jiasli : you can convert this issue into a Q&A in Az CLI's Github Discussion, and then select your answer as "chosen answer". This way, it remains visible to future customers, therefore you can safely close those stale issues like #17186.
Or even better, either Az CLI or MSAL EX could perhaps catch that exception and convert it to something like RuntimeError: Unable to decrypt token cache. Did you copy token cache from another computer?
Hi Jiasli,
My issue was resolved after deleting all the files and folders under C:\Users\
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
Thanks!!
My issue was resolved after deleting all the files and folders under C:\Users
.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now.
Congrats @vperala for recovering from the issue. Can you tell us more on the history of that C:\Users\username\.azure
folder? Did you manually copy it from a different computer?
it could be a sequence of operation causing our token cache file to be created unencrypted (by older version of Az CLI?)
The old ADAL-based Azure CLI saves tokens to ~/.azure/accessTokens.json
, while the new MSAL-based Azure CLI saves tokens to ~/.azure/msal_token_cache.json
or ~/.azure/msal_token_cache.bin
(enrypted), so they work independently.
Hi @jiasli, I get the same error. Here are my repro steps:
az upgrade
to 2.32.0 az login
produced the errorfull log is here:
The command failed with an unexpected error. Here is the traceback: [WinError -2146893813] : '' Traceback (most recent call last): File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__ File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 149, in login File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in <lambda> File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 67, in modify File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 58, in _reload_if_necessary File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 180, in load File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 114, in unprotect OSError: [WinError -2146893813] : ''
Update:
I tried using the command with a different windows user account and it worked fine.
So i deleted the C:\Users\<user>\.azure
And it works.
Maybe, upgrade comand should be updated to remove the conflictual configuration.
@lucianbalaban, I don't think this is related to upgrade, as we didn't change any code for token encryption between 2.31.0 and 2.32.0.
~/.azure
folder from another computer or mounted it into a container?First, you may try to clear the credential cache and re-login:
az account clear
az login
If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)
az config set core.encrypt_token_cache=false
az login
Hi, my error was solved by deleting the .azure folder. I cannot replicate it anymore.
If it happens again, I will try the az account clear
Thanks!
On Fri, Jan 7, 2022 at 8:40 AM Jiashuo Li @.***> wrote:
Workaround
First, you may try to clear the credential cache and re-login:
az account clear
az login
If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)
az config set core.encrypt_token_cache=false
az login
— Reply to this email directly, view it on GitHub https://github.com/Azure/azure-cli/issues/20231#issuecomment-1007176901, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABLLTVRONZ7QBWPC7JJV6NLUU2DG5ANCNFSM5HPZWHLQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you were mentioned.Message ID: @.***>
@Christopher-Balnaves, "RuntimeError: 0. The ID token is not yet valid." is irrelevant to this issue.
I was able to catch this after local user password reset. Deletion of the .azure solve it.
Got this error from terraform plan in SSH session.
Full error:
Error: obtaining Authorization Token from the Azure CLI: parsing json result from the Azure CL I: waiting for the Azure CLI: exit status 1: ERROR: Decryption failed: [WinError -2146893813] Ke y not valid for use in specified state.. App developer may consider this guidance: https://githu b.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
PS F:> (New-Object System.Net.WebClient).Proxy.Credentials = `
PS F:> az login
az : WARNING: A web browser has been opened at
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web
browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code
.
At line:1 char:1
+ CategoryInfo : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
ERROR: The command failed with an unexpected error. Here is the traceback: ERROR: [WinError 0] : '' Traceback (most recent call last): File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 658, in execute File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 721, in _run_jobs_serially File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 692, in _run_job File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 328, in call File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operat ion.py", line 121, in handler File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/cust om.py", line 139, in login File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in
From a fresh machine installation of Windows 11, Azure CLI installed and upgraded by using chocolatey. The first login was after the upgrade, where I received the error within #22937. Once the C:\Users\
I ran in to the same issue today. I had a password change several days ago, needed to run an az command today which prompted me that the grant was no longer valid. Was able to az login again and work as expected. Several hours later, I started seeing this issue with any az command. I was able to move forward by deleting msal_token.cache.bin and msal_http_cache.bin and relogging in.
Hi Jiasli, My issue was resolved after deleting all the files and folders under C:\Users
.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now. Command:
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
Thanks!!
This solution worked for me properly with 'az cli v2.38.0' thanks!
For me worked removing .azure folder:
C:\users\
Before it I've executed the command too: az upgrade
But removing folder just could works, The problem I think was when I used Az Cloud Shell and Powershell togheter
I started getting the error in 2.36.0. Tried upgrading to 2.39.0 but continued to get the same error. Deleting the .Azure
worked like a charm for me.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
deleting the .Azure folder as mentioned above resolved it.
Here same error:
az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
Deleting the folder .Azure in the home the issue is solved
az --version
azure-cli 2.43.0
core 2.43.0
telemetry 1.0.8
Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\pb00018\.azure\cliextensions'
Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Also facing this issue after rotating the password for a Service Principal.
usage:
az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT
Here is the error:
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
azure-cli 2.46.0
core 2.46.0
telemetry 1.0.8
Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\buildadmin\.azure\cliextensions'
Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
deleting the 'msal_http_cache.bin', 'msal_token_cache.bin', 'service_principal_entries.bin' files fixed the problem.
Also facing this issue after rotating the password for a Service Principal.
usage:
az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT
@jiasli, unlike most other reports here, this report provided repro steps. Do you think that code path would alter the token cache file?
Yes. az login --service-principal
saves the service principal credential to service_principal_entries.bin
and access tokens to msal_token_cache.bin
.
After I changed my windows 11 password, I couldn't use my az cli anymore. For whatever command I'm getting: "Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError"
After deleting in the .azure folder msal_*.bin and relogging it works like a charm again
After I changed my windows 11 password, I couldn't use my az cli anymore. For whatever command I'm getting: "Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError"
After deleting in the .azure folder msal_*.bin and relogging it works like a charm again
Token cache is protected by DPAPI, which seems to be affected by a password reset. @jiasli, do we consider adding this as a hint in our error message?
Can confirm that deleting your C:\users
I ran into this as well on a Windows VM where I ran az login --tenant {tenant name} for the first time after reseting my password on the VM through the Azure portal (maybe that has the same affect of resetting the password from computer management which causes this issue?).
In addition to what kierke-gaard got, I got a message with a bit more info when I passed the "--debug" option:
msal_extensions.persistence.PersistenceDecryptionError: [Errno -2146893813] Decryption failed: [Errno -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError: 'C:\\Users\\myuser\\.azure\\msal_token_cache.bin
Based on that Github wiki in the error message, I figured that the file it printed at the end was the file it was having trouble with (and likely got corrupted with the password reset), so I moved that to my home directory, ran the "az login --tenant {tenant name}" command again, and everything worked! It looks like it regenerated that file with the new login.
This happened after a routine password reset via AD sync. Lots of Windows internal credential caches were messed up. Based on some advice from Dell based on Windows TPM Error 80090016, I ended up moving the AAD BrokerPlugin directory out of the way and letting Windows repopulate it via a sizable number of manual logins. I suspect this contributed to the MSAL auth failures.
I tried selectively clearing bad login tokens by using "az logout" but this just showed the same error.
Finally, like so many others before me, I moved the .azure
directory out of the way and logged back in, which worked.
This happened after a routine password reset via AD sync. Lots of Windows internal credential caches were messed up. Based on some advice from Dell based on Windows TPM Error 80090016, I ended up moving the AAD BrokerPlugin directory out of the way and letting Windows repopulate it via a sizable number of manual logins. I suspect this contributed to the MSAL auth failures.
I tried selectively clearing bad login tokens by using "az logout" but this just showed the same error.
Finally, like so many others before me, I moved the
.azure
directory out of the way and logged back in, which worked.
The token cache file is encrypted on Windows. Presumably, the password reset also implicitly changes the encryption/decryption key, so, the entire token cache file is no longer usable. Individual "az logout" won't work in this case because it would still require a successful decryption (and then encryption) to the token cache file.
This would perhaps become an FAQ (if it hasn't already).
I would agree that the issue is caused by DPAPI, which changes keys if passwords are reset by administrators.
If DPAPI doesn't have the key anymore az login
will have to start over, it makes sense to just prompt before deleting the un-decryptable file(s) since 99% of the time it will never be decryptable again. Even az account clear
fails with this error in this scenario, it seems like it should be able to truly start over.
I would agree that the issue is caused by DPAPI, which changes keys if passwords are reset by administrators.
If DPAPI doesn't have the key anymore
az login
will have to start over, it makes sense to just prompt before deleting the un-decryptable file(s) since 99% of the time it will never be decryptable again. Evenaz account clear
fails with this error in this scenario, it seems like it should be able to truly start over.
I'll leave it to this issue's assignee (@jiasli) to decide whether Azure CLI's az account clear
shall remove the token file without attempting to decrypt it.
I am getting this error on a transient basis. I have a python script so the VM can deallocate itself under some condition, and my logs show this error prevented that from happening. It failed many times consecutively throughout the night as the condition was met, but as soon as I tried the commands in a new Powershell window, they worked.
I did not decrypt, clear anything, or do anything that would mitigate the issue other opening a new powershell window. I manually ran the az login
and deallocate command, using the exact same parameters and service principal *.pem file, it worked fine.
Logs for az login when run by the script:
CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:06,674 | INFO | az_command_data_logger | command args: login --service-principal --username {} --tenant {} --password {}
CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:07,752 | ERROR | az_command_data_logger | Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
CMD-LOG-LINE-BEGIN 4680 | 2023-04-16 15:49:07,752 | INFO | az_command_data_logger | exit code: 1
Logs for az login when run in new powershell window (works):
CMD-LOG-LINE-BEGIN 5360 | 2023-04-16 16:02:47,194 | INFO | az_command_data_logger | command args: login --service-principal --username {} --tenant {} --password {}
CMD-LOG-LINE-BEGIN 5360 | 2023-04-16 16:02:48,774 | INFO | az_command_data_logger | exit code: 0
This is on a new installation; I have not upgraded Azure CLI or moved any
Azure CLI 2.47.0 on Windows Server 2019 Datacenter
a python script so the VM can deallocate itself under some condition, and my logs show this error prevented that from happening. It failed many times consecutively throughout the night as the condition was met, but as soon as I tried the commands in a new Powershell window, they worked.
Was your script running without a user logs in? On some other platforms, the token encryption/description does not work without an active user login session. This may or may not be the case on Windows, though.
You need to reticulate your splines.
Probably. Yes it was running as an account that didn't necessarily log in and I didn't think that should be a requirement? I switched to Linux to solve this problem :)
I had the same issue with az version 2.49.0. I'm running Windows 10. I did not change my password in the past few weeks, and I never used the azure client on this computer. This is a company device, and I also didn't use the azure client on my previous ones. Until now, I connected to a jumphost via ssh that had the azure cli installed, but now I can't because our infra department changed their MFA policy, and I can only use azure cli on the same computer on which I opened the browser and logged in. I deleted the .azure folder and reinstalled azure cli. az account clear produced the same error. Nothing helped, except for
az config set core.encrypt_token_cache=false
Now it works. But it keeps me wondering what else is broken or will be in the future. It's an "experimental feature" anyway.
Microsoft, why can't we have nice tools? Or proper error messages? Or our problems taken care of?
set core.encrypt _token_cache=false is always the answer. Every time it happens to me or anyone i know, anyway
az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with
az login --use-device-code
.
It did open in the browser all ok, and got this in the console
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
The solution was to delete files in $HOME/.azure
clibot unresolve the issue
msal_token_cache.bin
to retrieve MSAL accounts and log out from WAM:If msal_token_cache.bin
can't be accessed, even az account clear
will fail with OSError: [WinError -2146893813]
. We have to manually delete ~/.azure/msal_token_cache.bin
, but this will leave those accounts still in WAM.
@rayluo, I think we do need a way to log out of WAM even when msal_token_cache.bin
is broken/lost/cannot be accessed.
23828 relies on
msal_token_cache.bin
to retrieve MSAL accounts and log out from WAM:If
msal_token_cache.bin
can't be accessed, evenaz account clear
will fail withOSError: [WinError -2146893813]
. We have to manually delete~/.azure/msal_token_cache.bin
, but this will leave those accounts still in WAM.@rayluo, I think we do need a way to log out of WAM even when
msal_token_cache.bin
is broken/lost/cannot be accessed.
How about MSAL Python switch its internal order to remove the WAM accounts first, and then attempt removing accounts from msal_token_cache.bin
? That way, you will still see the same exception, but at least the WAM account would have been purged.
Had to change machine, fresh Windows installation. User data moved from previous machine.
installed Azure Command-Line Interface
invoked az login
received:
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
so I'm reporting here as you wished!
Expected behavior: login successful (your app should cleanup/recreate any caches automatically and just work like any other application I'm installing now)
Had to change machine, fresh Windows installation. User data moved from previous machine. installed Azure Command-Line Interface
I believe the Azure CLI attempts to reuse the user data that you copied from your previous machine. Those data was encrypted on your old machine and no longer decryptable on a new machine. The error would be expected in such a case. Just think it as someone else copying your user data won't be able to steal your tokens.
Just delete the C:\Users\<user>\.azure
and start new login afresh.
Az login failing with:
az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code
.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
This error is also occurring for me in two different Azure DevOps pipelines.
Gettings this from Azure DevOps (windows) using pwsh task
steps:
- pwsh: |
az login `
--service-principal `
-u "$($ApplicationId)" `
-p "$($ApplicationSecret)" `
--tenant "$($TenantId)"
error:
ERROR: Decryption failed: [WinError -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
Also seeing this issue in ADO pipelines when attempting to deploy ARM templates using AzureResourceManagerTemplateDeployment (3.240.0)
This is autogenerated. Please review and update as needed.
Describe the bug
Command Name
az login
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az login
Expected Behavior
Environment Summary
Additional Context