Azure / azure-cli

Azure Command-Line Interface
MIT License

`az login` fails: OSError: [WinError -2146892987] #21010

Open jiasli opened 2 years ago

jiasli commented 2 years ago

Describe the bug

When running Azure CLI on Microsoft.AzureStackHCI/clusters, az login fails:

> az login --use-device-code
az : WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxx to authenticate.
    + CategoryInfo          : NotSpecified: (WARNING: To sig...o authenticate.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: [WinError -2146892987] : ''
Traceback (most recent call last):
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\knack/cli.py', line 231, in invoke
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/commands/__init__.py', line 658, in execute
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/commands/__init__.py', line 721, in _run_jobs_serially
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/commands/__init__.py', line 692, in _run_job
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/commands/__init__.py', line 328, in __call__
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/commands/command_operation.py', line 121, in handler
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/command_modules/profile/custom.py', line 149, in login
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/_profile.py', line 153, in login
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\azure/cli/core/auth/identity.py', line 158, in login_with_device_code
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/application.py', line 1608, in acquire_token_by_device_flow
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/oauth2cli/oauth2.py', line 384, in obtain_token_by_device_flow
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/oauth2cli/oauth2.py', line 346, in _obtain_token_by_device_flow
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/oauth2cli/oidc.py', line 115, in _obtain_token
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/oauth2cli/oauth2.py', line 789, in _obtain_token
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/application.py', line 581, in lambda
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/token_cache.py', line 307, in add
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/token_cache.py', line 113, in add
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal/token_cache.py', line 184, in __add
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal_extensions/token_cache.py', line 49, in modify
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal_extensions/persistence.py', line 163, in save
  File 'D:\\a\\1\\s\\build_scripts\\windows\\artifacts\\cli\\Lib\\site-packages\\msal_extensions/windows.py', line 82, in protect
OSError: [WinError -2146892987] : ''
To open an issue, please run: 'az feedback'

Email: AKS on HCI | az login failing with unexpected error, probably known issue

jiasli commented 2 years ago

The workaround is to turn off token encryption: https://github.com/Azure/azure-cli/issues/20231#issuecomment-1007176901

rayluo commented 2 years ago

To be honest, the DPAPI failure is not actionable for MSAL. I believe @bgavrilms also observed similar issues on MSAL .Net too. Is there a contact for DPAPI to report these issues to?

bgavrilMS commented 2 years ago

Yes, indeed, after many struggles with token encryption on both Windows and Mac (for Linux we always knew there is a problem), we decided to allow apps to store tokens in plaintext as a fallback. We recommend that the app makes it very clear to the user that tokens are stored in plaintext.

bgavrilMS commented 2 years ago

By the way, that error code means:

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation

(on corpnet, you can go to http://errors to understand windows errors).

This is a pretty standard error in some cases of virtualization, see here. Although there are workarounds, these seem to be "too complex" for most orgs (complex admin policies etc.)

rayluo commented 2 years ago

By the way, that error code means:

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation

(on corpnet, you can go to http://errors to understand windows errors).

This is a pretty standard error in some cases of virtualization, see here. Although there are workarounds, these seem to be "too complex" for most orgs (complex admin policies etc.)

Thanks for the details, Bogdan! I am inspired to work out this PR in MSAL EX to hopefully help Azure CLI and/or its users to troubleshoot.

jiasli commented 2 years ago

Workaround

First, you may try to clear the credential cache and re-login:

az account clear
az login

If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)

az config set core.encrypt_token_cache=false
az login

DrChat commented 2 years ago

Just dropping in - we have an AzureCLI@2 task on ADO intermittently failing with the following output:

##[error]Error Code: [1]
##[error]Error: Azure login failed
##[error]Script failed with error: ERROR: Encryption failed: [WinError -2146892987] The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. See also https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation. Consider disable encryption.
Please report to us via Github: https://github.com/Azure/azure-cli/issues/21010

We're on our own semi-customized pool (based on windows-latest from upstream). Note that rerunning a failed job has always succeeded for us (without changing anything). Ping me for more details on Teams if you need them :)

rayluo commented 2 years ago

Just dropping in - we have an AzureCLI@2 task on ADO intermittently failing with the following output:

##[error]Error Code: [1]
##[error]Error: Azure login failed
##[error]Script failed with error: ERROR: Encryption failed: [WinError -2146892987] The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. See also https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation. Consider disable encryption.
Please report to us via Github: https://github.com/Azure/azure-cli/issues/21010

We're on our own semi-customized pool (based on windows-latest from upstream). Note that rerunning a failed job has always succeeded for us (without changing anything). Ping me for more details on Teams if you need them :)

(I'm thinking out loud...) @jiasli , do you know whether the "AzureCLI@2 task on ADO" is expected to support DPAPI/encryption? If not, can we somehow disable it in that task?

himanshukgit commented 1 year ago

It's resolved by referring to https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli look into remove data section, remove .bin file, after and before delete az cli and install latest one 2.42.0

lorenzmeyer77 commented 1 year ago

I try to run an "az login" through an ansible playbook. Therefore I installed on my windows server the azure-cli 2.29.2. The connection from ansible to windows is done through SSH. The ansible task looks as follows:

With azure-cli version 2.29.2 this worked.

I now installed azure-cli version 2.42.0 on my windows server and the ansible task now fails with this error:

_FAILED! => {"changed": true, "cmd": "az login --service-principal --username myuser --password mypassword --tenant mytenant", "delta": "0:00:07.533507", "end": "2022-11-15 09:13:59.947535", "msg": "non-zero return code", "rc": 1, "start": "2022-11-15 09:13:52.414027", "stderr": "ERROR: Decryption failed: [WinError -2146892987] The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. See also https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError\r\nPlease report to us via Github: https://github.com/Azure/azure-cli/issues/21010", "stderr_lines": ["ERROR: Decryption failed: [WinError -2146892987] The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. See also https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError", "Please report to us via Github: https://github.com/Azure/azure-cli/issues/21010"], "stdout": "", "stdoutlines": []}

Is there a way to solve this without adding everywhere a privilege escalation (ansible become) where I call a win_shell command or powershell script (ps1)?

rayluo commented 1 year ago

I try to run an "az login" through an ansible playbook. Therefore I installed on my windows server the azure-cli 2.29.2. The connection from ansible to windows is done through SSH. The ansible task looks as follows:

... ERROR: Decryption failed: [WinError -2146892987] The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. See also https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation....

Is there a way to solve this without adding everywhere a privilege escalation (ansible become) where I call a win_shell command or powershell script (ps1)?

Does this earlier workaround not work for you?

lorenzmeyer77 commented 1 year ago

@rayluo The workaround with encrypt_token_cache=false would work... az config set core.encrypt_token_cache=false

But this configuration is not even mentioned on https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration. And @jiasli wrote: ⚠ This is an internal experimental config option. We may change it or drop it anytime.

This breaking change came with the version 2.30.0 from azure-cli: https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli#november-02-2021. There are some alternatives mentioned in https://learn.microsoft.com/en-us/cli/azure/msal-based-azure-cli but I need to login first to get an access-token and the login fails. I'm not using an interactive session, it's all done through ansible playbooks.

And I have no idea how evil the deactivation of the cached token is.

rayluo commented 1 year ago

I'm not using an interactive session, it's all done through ansible playbooks.

@jiasli, those automation environments might not satisfy that implicit requirement. What if we change Azure CLI to automatically set encrypt_token_cache=false (and perhaps even persist it) upon encountering an encryption/decryption failure?
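The policy discussed in this thread, plaintext as a last resort with a loud warning (bgavrilMS above) and an automatic switch on encryption/decryption failure (rayluo's proposal just above), written out as an added Python example. This is not Azure CLI, MSAL or msal-extensions code: `TokenCachePersistence`, `failing_dpapi` and the demo functions are hypothetical names, and the DPAPI calls are replaced by a constructed stand-in that raises the WinError quoted in this issue. On decryption failure the existing cache is treated as empty (the same effect as deleting `msal_token_cache.bin`), and any plaintext file is created owner-only.

```python
"""Added example, not Azure CLI / MSAL / msal-extensions code.
Tries an injected protect/unprotect pair (a DPAPI stand-in) and, when it fails
the way this issue describes, falls back to a plaintext cache file with
owner-only permissions and a warning the user cannot miss."""
import os
import stat
import tempfile
import warnings
from typing import Callable, Optional

# Signed 32-bit WinError from the traceback in this issue. As an unsigned HRESULT it
# reads 0x80090345 (SEC_E_DELEGATION_REQUIRED), the "trusted for delegation" message.
DELEGATION_REQUIRED_WINERROR = -2146892987

Transform = Callable[[bytes], bytes]


def winerror_to_hresult(code: int) -> str:
    """Render a signed WinError as the unsigned HRESULT hex that error lookups expect."""
    return "0x%08X" % (code & 0xFFFFFFFF)


class TokenCachePersistence:
    """Hypothetical persistence wrapper: encrypt via protect/unprotect when they work,
    otherwise fall back to plaintext (what core.encrypt_token_cache=false selects by hand)."""

    def __init__(self, location: str, protect: Optional[Transform] = None,
                 unprotect: Optional[Transform] = None, allow_plaintext_fallback: bool = True):
        self.location = location
        self._protect, self._unprotect = protect, unprotect
        self._allow_fallback = allow_plaintext_fallback
        self.encrypted = protect is not None and unprotect is not None
        self.last_error: Optional[OSError] = None

    def _fallback(self, err: OSError) -> None:
        self.last_error = err
        if not self._allow_fallback:
            raise err                      # strict mode: surface the DPAPI failure
        self.encrypted = False             # from now on this cache is plaintext
        code = err.errno if err.errno is not None else 0
        warnings.warn("Token cache encryption failed with %s (%s); tokens will be stored in "
                      "PLAINTEXT at %s" % (winerror_to_hresult(code), err, self.location))

    def save(self, data: bytes) -> None:
        payload = data
        if self.encrypted:
            try:
                payload = self._protect(data)
            except OSError as err:
                self._fallback(err)
        # 0o600 at creation: even a plaintext cache is readable only by its owner.
        fd = os.open(self.location, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)

    def load(self) -> bytes:
        with open(self.location, "rb") as fh:
            raw = fh.read()
        if self.encrypted:
            try:
                return self._unprotect(raw)
            except OSError as err:
                self._fallback(err)
                return b""                 # unreadable cache: start empty, like deleting the .bin
        return raw


def failing_dpapi(_data: bytes) -> bytes:
    """Constructed stand-in for CryptProtectData/CryptUnprotectData failing as in this issue."""
    raise OSError(DELEGATION_REQUIRED_WINERROR, "The computer must be trusted for delegation")


def _fresh_cache_path() -> str:
    return os.path.join(tempfile.mkdtemp(), "msal_token_cache.bin")


def demo_fallback():
    """DPAPI fails: expect plaintext fallback, HRESULT 0x80090345, mode 0o600, data intact."""
    path = _fresh_cache_path()
    cache = TokenCachePersistence(path, protect=failing_dpapi, unprotect=failing_dpapi)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        cache.save(b'{"AccessToken": {}}')
    mode = stat.S_IMODE(os.stat(path).st_mode)
    hres = winerror_to_hresult(cache.last_error.errno)
    return cache.encrypted, hres, mode, cache.load(), len(caught)


def demo_encrypted():
    """Stand-in protect/unprotect that work (reversible tag, constructed): no fallback happens."""
    path = _fresh_cache_path()
    cache = TokenCachePersistence(path, protect=lambda d: b"ENC:" + d,
                                  unprotect=lambda d: d[len(b"ENC:"):])
    cache.save(b'{"AccessToken": {}}')
    return cache.encrypted, cache.load()


def demo_strict() -> bool:
    """With fallback disabled the failure propagates instead of silently degrading."""
    cache = TokenCachePersistence(_fresh_cache_path(), protect=failing_dpapi,
                                  unprotect=failing_dpapi, allow_plaintext_fallback=False)
    try:
        cache.save(b"{}")
    except OSError as err:
        return err.errno == DELEGATION_REQUIRED_WINERROR
    return False


if __name__ == "__main__":
    print(demo_fallback())   # (False, '0x80090345', 384, b'{"AccessToken": {}}', 1)
    print(demo_encrypted())  # (True, b'{"AccessToken": {}}')
    print(demo_strict())     # True
```

The `allow_plaintext_fallback` switch is the design point: an interactive user can accept the warning and continue, while a pipeline or configuration-management job (the ADO and Ansible cases in this thread) should decide explicitly whether a plaintext cache on that host is acceptable rather than discovering it from a warning line in a log.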

wonderbird commented 7 months ago

It's resolved by referring to https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli look into remove data section, remove .bin file, after and before delete az cli and install latest one 2.42.0

Thanks @himanshukgit for sharing this.

For me it was sufficient to delete C:\Users\<username>\.azure\msal_token_cache.bin as described. Re-installing azure-cli was not necessary. I was on latest already.