Open msft-jasonparker opened 3 years ago
Thank god, I thought I was the only one. For what it is worth, this is happening on Mac for me. I deleted all the Microsoft.Developer.IdentityService
related items from my keychain but still no luck.
We were able to confirm that the AzureAD module works using Connect-AzureAD; however, Connect-AzAccount fails every time. We are investigating the CAPI2 logs without much luck.
@msft-jasonparker Thanks for the update. Does it help to let you know that the device code flow does not work either?
Correct, -DeviceCode fails for me also
@APIWT - Can you check your Intermediate CA Store and verify this certificate is not expired:
Microsoft Code Signing PCA 2011 Thumbprint: F252E794FE438E35ACE6E53762C0A234A2C52135
@msft-jasonparker I would be happy to, I just don't know how. If you can guide me in the right direction I can try ASAP
Thanks for reporting the issue. @msft-jasonparker, could you please check if %USERPROFILE%\AppData\Local\.IdentityService\msal.cache exists? If yes, probably the file is damaged, please make one copy of this file (we may need your help for further investigation), then delete the original file and restart powershell to try again; if no, probably it is permission issue.
Add @bgavrilMS to comment for the error if having any:
Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Inspect inner exception for details ---> System.Security.Cryptography.CryptographicException: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
@erich-wang We deleted both msal.cache and wiped the keychain with no luck. Also tried sudo.
We are using DP-API to encrypt the tokens at rest on Windows. DP-API requires a user session. Are you connected to the box remotely somehow?
@bgavrilMS Just a quick reminder, we are on Mac and we are also affected by this issue.
@APIWT - are you using the Mac to remotely connect to a Windows box? Is there a Windows machine anywhere involved? The reason I'm asking is that the exception in the stack trace is in a code path that should only execute on Windows.
@bgavrilMS I don't believe so. Here is a stack trace from Mac if that helps:
PS /Users/anthonyiacono> Connect-AzAccount -Debug
DEBUG: 12:15:50 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
Confirm
Are you sure you want to perform this action?
Performing the operation "log in" on target "User account in environment 'AzureCloud'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
DEBUG: 12:15:52 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 12:15:52 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 12:15:52 PM - Using Autosave scope 'CurrentUser'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException (0x80131500): Persistence check failed. Inspect inner exception for details
---> System.Exception (0x80131500): SecKeychainFindGenericPassword failed with error code: -25293
WARNING: Unable to acquire token for tenant 'organizations'
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): Y
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): Y
DEBUG: Azure.Identity.AuthenticationFailedException: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Inspect inner exception for details
---> System.Exception: SecKeychainFindGenericPassword failed with error code: -25293
at Microsoft.Identity.Client.Extensions.Msal.MacKeyChain.WriteKey(String serviceName, String accountName, Byte[] value)
at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Write(Byte[] data)
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
--- End of inner exception stack trace ---
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
at Azure.Identity.PersistentTokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.PersistentTokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken)
at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveAsync(String[] scopes, Prompt prompt, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.GetTokenViaBrowserLoginAsync(String[] scopes, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass106_1.<ExecuteCmdlet>b__3()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.<>c.<.cctor>b__274_0(Object obj)
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass106_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
Connect-AzAccount: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
DEBUG: AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - False; Duration - 00:00:06.0839864;; Exception - Azure.Identity.AuthenticationFailedException: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Inspect inner exception for details
---> System.Exception: SecKeychainFindGenericPassword failed with error code: -25293
at Microsoft.Identity.Client.Extensions.Msal.MacKeyChain.WriteKey(String serviceName, String accountName, Byte[] value)
at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Write(Byte[] data)
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
--- End of inner exception stack trace ---
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
at Azure.Identity.PersistentTokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.PersistentTokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken)
at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveAsync(String[] scopes, Prompt prompt, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.GetTokenViaBrowserLoginAsync(String[] scopes, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass106_1.<ExecuteCmdlet>b__3()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.<>c.<.cctor>b__274_0(Object obj)
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass106_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass112_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 12:15:57 PM - ConnectAzureRmAccountCommand end processing.
@APIWT - that is a different exception, I suggest you log a separate bug.
I can do that, but they seem highly related even with slightly different stack traces.
The exception in your case is pointing to a KeyChain access error with code 25293. KeyChain is the Mac credential manager.
The original exception points to a DPAPI exception. DPAPI is a Windows encryption mechanism.
The stack trace is mostly similar because the library that is responsible for encrypting creds uses one mechanism on Win and a different mechanism on Mac.
As a workaround for you, can you try to delete the entry from KeyChain related to PowerShell ? (@erich-wang - where do you folks store it exactly?)
@bgavrilMS @erich-wang
Our repro is from a Windows 10 multi-session VM in Azure WVD.
User checked the directory and the file did not exist and the user is not blocked from permissions.
DPAPI requires the user profile to be loaded. This article (the second half) describes similar problems and provides some workarounds, could you please try them out?
Thanks @bgavrilMS for that helpful tip about the user profile having to be loaded. But what do you mean by "This article"? I'm not seeing any link
DPAPI requires the user profile to be loaded. This article (the second half) describes similar problems and provides some workarounds, could you please try them out?
@bgavrilMS which article are you referring to? In our specific situation, the user profile is fully loaded.
DPAPI issues sometimes occur when a Read Write Domain Controller is not accessible. A workaround and more explanation can be found in the Microsoft article "DPAPI MasterKey backup failures when RWDC isn't available".
I am facing the same issue on my Mac. Did anyone get a solution for this authentication issue?
I ran into this issue and, after a lot of frustration, was able to solve it by downgrading the Az.Accounts package to version 1.6.1. It had upgraded to version 2.2.8, which seems to be broken.
Same here. Solved by downgrading it as well. Had to uninstall the 2.2.8 version a few times, since for some reason it kept installing...
Also commented on https://github.com/Azure/azure-powershell/issues/14861: I have a similar issue with Powershell 5.1, Az module version 2.28, on windows 10 whether running as either administrator or user.
The only way I've managed to get it to work is by using Powershell ISE. From ISE a login screen pops up when the command is executed and I can authenticate without issue. From the standard Powershell console (same version, 5.1) I get:
❯ Connect-AzAccount -TenantId $tenant
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Connect-AzAccount : InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for
details
At line:1 char:1
+ Connect-AzAccount -TenantId $tenant
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Connect-AzAccount], AuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
The -DeviceCode or -UseDeviceAuthentication flags don't work either. Only ISE has worked, and it took me a long time to figure that one out. This started happening a couple of weeks ago, and was working fine prior to that.
I started experiencing the issue on 4/26. It was working properly before that point in time with the same version of all modules (AzAccounts 2.2.6, since upgraded to 2.2.8 to no avail). If I:
However, the next time I load up Powershell command I receive the error once again, and have to repeat the aforementioned steps again.
I am including debug output to help diagnose the issue...
PS C:\WINDOWS\system32> Connect-AzAccount -Debug
DEBUG: 10:15:43 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
Confirm
Are you sure you want to perform this action?
Performing the operation "log in" on target "User account in environment 'AzureCloud'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
DEBUG: 10:15:44 AM - Autosave setting from startup session: 'CurrentUser'
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: 10:15:44 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: 10:15:45 AM - Using Autosave scope 'CurrentUser'
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: 10:15:45 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'',
Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/',
RedirectUri:'http://localhost:8400/'
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [
https://management.core.windows.net//.default ] ParentRequestId: Exception: Azure.Identity.AuthenticationFailedException (0x80131500):
InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException (0x80131500): Persistence check failed. Inspect inner
exception for details
---> System.Security.Cryptography.CryptographicException (0x80070000): The operation completed successfully.
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
WARNING: Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication failed: Persistence
check failed. Inspect inner exception for details'
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
DEBUG: 10:15:47 AM - Unable to acquire token for tenant 'organizations' with error 'Azure.Identity.AuthenticationFailedException:
InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details --->
Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Inspect inner exception for details
---> System.Security.Cryptography.CryptographicException: The operation completed successfully.
at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
at Microsoft.Identity.Client.Extensions.Msal.DpApiEncryptedFileAccessor.Read()
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
--- End of inner exception stack trace ---
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
at Azure.Identity.PersistentTokenCache.<GetCacheHelperAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.PersistentTokenCache.<RegisterCache>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.MsalClientBase`1.<GetClientAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.MsalPublicClient.<AcquireTokenInteractiveAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.InteractiveBrowserCredential.<GetTokenViaBrowserLoginAsync>d__32.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__30.MoveNext()
--- End of inner exception stack trace ---
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.InteractiveBrowserCredential.<AuthenticateAsync>d__27.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account,
IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache
tokenCache, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment
environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment
environment, SecureString password, String promptBehavior, Action`1 promptAction)'
I had not tried using Powershell ISE, as it is not something that I normally do, however, the ISE does work without issue.
To sum up, there seem to be several separate issues happening here. Looking at the inner exception:
"Operation Completed Successfully" - it seems like a bug in the managed layer that is used to call DPAPI I logged https://github.com/dotnet/runtime/issues/52537 to track this.
System.Security.Cryptography.CryptographicException (0x80090345): The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation.
It looks like DPAPI is not available on the machine. I've seen this in some virtualized environments, there seem to be several root causes. Please look it up or open support cases directly on Windows.
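A way to separate "DPAPI is broken in this session" from "the module is broken", as an added diagnostic that is not part of this thread or of the Az.Accounts/MSAL code: it repeats the protect/unprotect round-trip implied by the MsalCacheStorage.VerifyPersistence frames in the traces above (System.Security.Cryptography.ProtectedData, CurrentUser scope) and reports the msal.cache file named earlier in the thread. The function names and the probe entropy are constructed for this example.

```powershell
# Added diagnostic (not from the thread, Az.Accounts or MSAL): reproduce the
# DPAPI round-trip that the Windows token-cache persistence check performs, and
# show the state of %LOCALAPPDATA%\.IdentityService\msal.cache from the thread.
function Test-DpapiRoundTrip {
    [CmdletBinding()]
    param(
        # Constructed entropy; MSAL's own entropy is not known here. The probe
        # is about whether DPAPI works at all in this session, not MSAL's blob.
        [byte[]] $Entropy = [Text.Encoding]::UTF8.GetBytes('dpapi-probe')
    )

    # On PowerShell 7 off Windows there is no DPAPI; MSAL uses the Keychain (macOS)
    # or a keyring (Linux) there, so this probe does not apply.
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        Write-Warning 'Not Windows: MSAL does not use DPAPI on this platform.'
        return $null
    }

    # Windows PowerShell 5.1 needs System.Security loaded; PowerShell 7 on Windows
    # ships ProtectedData in its own assembly (assumed names, loaded on demand).
    if (-not ('System.Security.Cryptography.ProtectedData' -as [type])) {
        $asm = if ($PSVersionTable.PSEdition -eq 'Core') {
            'System.Security.Cryptography.ProtectedData'
        } else {
            'System.Security'
        }
        Add-Type -AssemblyName $asm
    }

    $probeText = 'msal persistence probe ' + [guid]::NewGuid()
    $plain     = [Text.Encoding]::UTF8.GetBytes($probeText)
    $scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $result    = [ordered]@{ Ok = $false; HResult = $null; Message = $null }

    try {
        $sealed = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $scope)
        $opened = [System.Security.Cryptography.ProtectedData]::Unprotect($sealed, $Entropy, $scope)
        # Unprotect returning different bytes would also be a failure.
        $result.Ok = ([Text.Encoding]::UTF8.GetString($opened) -eq $probeText)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Record the HRESULT in the form the traces above use (e.g. 0x80090345), so a
        # misleading "The operation completed successfully" still shows its real code.
        $result.HResult = ('0x{0:X8}' -f $_.Exception.HResult)
        $result.Message = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Get-MsalCacheState {
    # Path quoted earlier in the thread. The file is created on the first
    # successful cache write, so "missing" is not by itself an error.
    $path = Join-Path $env:LOCALAPPDATA '.IdentityService\msal.cache'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Length = 0; Owner = $null }
    }
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path   = $path
        Exists = $true
        Length = $item.Length
        Owner  = (Get-Acl -LiteralPath $path).Owner
    }
}

$dpapi = Test-DpapiRoundTrip
$cache = Get-MsalCacheState
$dpapi | Format-List
$cache | Format-List

if ($dpapi -and -not $dpapi.Ok) {
    Write-Warning ('DPAPI round-trip failed ({0}): the Az.Accounts 2.x token cache cannot be ' +
                   'persisted in this session regardless of module version.') -f $dpapi.HResult
}
```

If the round-trip succeeds but Connect-AzAccount still fails, the cache file itself (ownership, a damaged blob) is the next thing to look at; if it fails, no module downgrade changes the DPAPI state of the session.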
@bgavrilMS Some users are using Az.Accounts-module version 2.3.0 in PowerShell 5.1 on Windows Server 2019 in a domain with a Read-Only Domain Controller (no access to Read/Write Domain Controller). How should they get this working for now? Change the registry for DPAPI mentioned here https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/dpapi-masterkey-backup-failures ? Or downgrade the Az.Accounts-module? But to what version? Or should we log this as a Windows-Server Support-case?
@mbsnl - if possible, try the registry setting first. Some organizations might not be ok with this change, so it needs to be very clearly documented (I don't personally understand it). A Windows or Windows Server support case should be the path forward - if they can provide an alternative encryption solution or a different way to use the encryption APIs, I'm happy to implement it.
@erich-wang can provide guidance on downgrading Az.Accounts-module. By the way Erich, what did the old module do? Where did it store its tokens?
If modules from Az 4.* satisfies your daily work, you may downgrade to use Az.Accounts 1.9.5 and Az 4.8:
Install-Module Az.Accounts -RequiredVersion 1.9.5 -Repository PSGallery
Install-Module Az -RequiredVersion 4.8 -Repository PSGallery
@bgavrilMS , the old versions of Az.Accounts 1.* are using ADAL instead of MSAL.
@erich-wang - ADAL / MSAL just fetch tokens. I was more curious where the old Az.Accounts module stores them and how.
@bgavrilMS , Az.Accounts 1.x saves token as plain text under ~/.Azure
This is due TLS version. For a workaround just run this command before: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
For a definitive solution, set registry: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
@flavio-neves, per my understanding the issue has nothing to do with TLS; furthermore, TLS 1.2 has been enabled on Windows 10 by default. Are you able to reproduce the issue and solve it by setting SecurityProtocol? If yes, could you please share the debug trace before and after using the fix? You may enable the debug trace by running $DebugPreference='Continue'.
This is due TLS version. For a workaround just run this command before: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
For a definitive solution, set registry: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
Still not working at all on Ps 5.1. But working as expected switching to 7.1.
Having the same problem on MacOS, with code that had been working for months. After retrying a few times, I deleted all the AdAuthCache.bin
files around (I had 3 in separate projects) and the problem disappeared.
Update: the error is back, and deleting the .bin file doesn't help anymore :-\
Azure.Identity.AuthenticationFailedException: InteractiveBrowserCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
---> Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
---> Microsoft.Identity.Extensions.InteropException: KeyChain authorization/authentication failed. .Error code: -25293
at Microsoft.Identity.Extensions.Mac.SecurityFramework.ThrowIfError(Int32 error, String defaultErrorMessage)
at Microsoft.Identity.Client.Extensions.Msal.MacOSKeychain.Get(String service, String account)
at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Read()
at Microsoft.Identity.Client.Extensions.Msal.Storage.VerifyPersistence()
--- End of inner exception stack trace ---
at Microsoft.Identity.Client.Extensions.Msal.Storage.VerifyPersistence()
at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
at Azure.Identity.MsalCacheHelperWrapper.VerifyPersistence()
at Azure.Identity.TokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.TokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken)
at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveCoreAsync(String[] scopes, String claims, Prompt prompt, String loginHint, String tenantId, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveAsync(String[] scopes, String claims, Prompt prompt, String loginHint, String tenantId, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.GetTokenViaBrowserLoginAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
dotnet --version
6.0.400

Azure.Identity 1.6.1 (same error with 1.6.0)

var context = new TokenRequestContext(/* ...string[]....*/);
var options = new InteractiveBrowserCredentialOptions
{
    TenantId = /* ... */,
    ClientId = /* ... */,
    TokenCachePersistenceOptions = new TokenCachePersistenceOptions
    {
        UnsafeAllowUnencryptedStorage = true,
        Name = this.tokenCacheName,
    },
    DisableAutomaticAuthentication = false,
};
var credential = new InteractiveBrowserCredential(options);
AuthenticationRecord authRecord = await credential.AuthenticateAsync(context);
Description
Unable to login to Azure (Public or Government) using Az PowerShell module