Open ghost opened 3 years ago
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Wmengmsft, @MehaKaushik, @shurd, @anfeldma-ms
@bgavrilMS, could you please take a look? It seems similar to #13714
@erich-wang, is PowerShell from this work item using https://www.nuget.org/packages/Microsoft.Identity.Client.Extensions.Msal/ version 2.18.0? I.e. did you patch it with the latest extensions lib?
I have been debugging this exact issue for a few days now and it is being a major blocker for me. I have tried the MSAL library update as well and that doesn't seem to fix the issue on my machine. Could you please let me know the version of PWSH and Az module (Az.Accounts as well) that you're using? Any help is appreciated. @dcaro @bgavrilMS @erich-wang
Please find below the stack trace of this exception that I'm facing.
TargetSite : System.Exception FailWrapAndThrow(System.Exception)
StackTrace : at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(Task1 authTask, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>cDisplayClass111_2.

TargetSite : Void VerifyPersistence()
StackTrace : at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.VerifyPersistence()
   at Azure.Identity.PersistentTokenCache.GetCacheHelperAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.PersistentTokenCache.RegisterCache(Boolean async, ITokenCache tokenCache, CancellationToken cancellationToken)
   at Azure.Identity.MsalClientBase`1.GetClientAsync(Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveAsync(String[] scopes, Prompt prompt, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.GetTokenViaBrowserLoginAsync(String[] scopes, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
Message : Persistence check failed. Inspect inner exception for details
Data : {}
InnerException : System.Exception: SecKeychainFindGenericPassword failed with error code: -25293
   at Microsoft.Identity.Client.Extensions.Msal.MacKeyChain.WriteKey(String serviceName, String accountName, Byte[] value)
   at Microsoft.Identity.Client.Extensions.Msal.MacKeychainAccessor.Write(Byte[] data)
   at Microsoft.Identity.Client.Extensions.Msal.MsalCacheStorage.VerifyPersistence()
HelpLink :
Source : Microsoft.Identity.Client.Extensions.Msal
HResult : -2146233088
@prestoncook00, could you please follow these steps to verify whether the latest version of the MSAL lib (MSAL 4.27, MSAL extension 2.18; I updated the file in step 4 below) fixes your issue:
Clear-AzContext
Didn’t work, after running a brew update and brew upgrade I was at 2.2.5 and pwsh 7.1.2. Ran the recommended steps and the issue remains
PS /Users/prestonc> connect-azaccount
WARNING: INITIALIZATION: Token cache encryption is not supported in current environment and token cache will be fallen back as plain text.
WARNING: Unable to acquire token for tenant 'organizations'
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Connect-AzAccount: InteractiveBrowserCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
PS /Users/prestonc>
@bgavrilMS, the user still gets the error after using MSAL 4.27 + MSAL extension 2.18, could you please take a look?
I am not sure what the next steps are, we may have to contact Apple to get some help. Some folks have reported solving the issue by restarting the machine.
It may be an issue with how PowerShell is signed on Mac.
Rebooting doesn’t help.
Apologies for the delay, I'm working on creating a diagnostics app that will try to access various keychain locations, to see what's going on.
no prob, this is very low urgency
In your KeyChain entries, do you have one named "Microsoft.Developer.IdentityService" already? Could you try to manually delete this entry first?
And also make sure your login KeyChain is not locked:
There were two. I tried the command again, same result. I noticed it recreated the two I deleted after I tried that.
PS /Users/prestonc> connect-azaccount
WARNING: INITIALIZATION: Token cache encryption is not supported in current environment and token cache will be fallen back as plain text.
WARNING: Unable to acquire token for tenant 'organizations'
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Connect-AzAccount: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
PS /Users/prestonc>
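A small triage helper for the output shown in this thread, added here as an example (it is not code from Azure PowerShell or MSAL): it flags the plaintext token-cache fallback and names the keychain OSStatus found in a Connect-AzAccount transcript. The function names are made up for the example, and the `security` lookup assumes the entry name mentioned in the thread is the item's service attribute.

```shell
#!/bin/sh
# Added example: triage a Connect-AzAccount transcript for keychain failures.

# Name the Security.framework OSStatus values relevant to keychain persistence.
osstatus_name() {
  case "$1" in
    -25293) echo "errSecAuthFailed" ;;             # authorization/authentication failed
    -25308) echo "errSecInteractionNotAllowed" ;;  # no UI allowed, e.g. locked keychain
    -25300) echo "errSecItemNotFound" ;;
    -25299) echo "errSecDuplicateItem" ;;
    *)      echo "unknown" ;;
  esac
}

# Read a transcript on stdin and print one finding per line, without repeats.
triage_transcript() (
  plain=0; seen=""
  while IFS= read -r line; do
    case "$line" in
      *"fallen back as plain text"*)
        # Tokens are being cached unencrypted for this session.
        if [ "$plain" -eq 0 ]; then echo "PLAINTEXT_TOKEN_CACHE"; plain=1; fi ;;
    esac
    # Matches both "error code: -25293" and "OS error code -25293".
    code=$(printf '%s\n' "$line" |
      sed -n 's/.*[Ee]rror code:\{0,1\} *\(-[0-9][0-9]*\).*/\1/p')
    if [ -n "$code" ]; then
      case " $seen " in
        *" $code "*) ;;
        *) echo "KEYCHAIN_ERROR $code $(osstatus_name "$code")"; seen="$seen $code" ;;
      esac
    fi
  done
)

# macOS only: is there a generic-password item for this service name?
# Prints attributes only, never the secret; skipped where `security` is absent.
keychain_item_state() {
  command -v security >/dev/null 2>&1 || { echo "SKIPPED"; return 0; }
  if security find-generic-password -s "$1" >/dev/null 2>&1; then
    echo "PRESENT"; else echo "ABSENT_OR_DENIED"; fi
}

# Sample input: the session output quoted earlier in this thread.
sample_transcript() {
  cat <<'EOF'
WARNING: INITIALIZATION: Token cache encryption is not supported in current environment and token cache will be fallen back as plain text.
WARNING: Unable to acquire token for tenant 'organizations'
Connect-AzAccount: InteractiveBrowserCredential authentication failed: Persistence check failed. Reason: KeyChain authorization/authentication failed. .Error code: -25293. OS error code -25293.
EOF
}

sample_transcript | triage_transcript
keychain_item_state "Microsoft.Developer.IdentityService"
```
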
Do you have Visual Studio for Mac installed and running or any other Microsoft dev app running?
Otherwise, I've created a small console app that writes to the KeyChain in a similar manner as PowerShell, I was hoping you could try it...
Sorry I have been slammed, do you still want me to run this tool? Do I need .NET or .NET core?
I’m just running visual studio code and Azure storage explorer, batch explorer, and whatever comes with office.
https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/tree/master/tests/KeyChainTestApp
Description
PS /Users/prestonc> Connect-azaccount
WARNING: INITIALIZATION: Token cache encryption is not supported in current environment and token cache will be fallen back as plain text.
WARNING: Unable to acquire token for tenant 'organizations'
WARNING: Please run 'Connect-AzAccount -DeviceCode' if browser is not supported in this session.
Connect-AzAccount: InteractiveBrowserCredential authentication failed: Persistence check failed. Inspect inner exception for details
Steps to reproduce
Environment data
Module versions
Debug output
Error output