github-actions[bot]
commented
3 months ago Thank you for your feedback. Tagging and routing to the team member best able to assist.
Closed MikeYeager closed 2 months ago
github-actions[bot]
commented
3 months ago Thank you for your feedback. Tagging and routing to the team member best able to assist.
jsquire
commented
3 months ago @MikeYeager: Would you please provide the full error message and stack trace that you're seeing? This sounds like an issue with the MI endpoint on the host rather than the request being made by the credential. The additional context will help us to validate the best path forward for assistance.
github-actions[bot]
commented
3 months ago Hi @MikeYeager. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
MikeYeager
commented
3 months ago Here is the exception info:
Exception Stack:
ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error)
Content: {"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"8997f3a2-4774-4406-bcc2-14da6f7c387a"}
Headers: Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 Date: Thu, 20 Jun 2024 22:40:35 GMT Server: Kestrel
See the troubleshooting guide for more information. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu19054072.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3Du001.jY5FA2o0QMCl0M6PhFnw5dYkXNFw1nMhCoCogaarRkW81prb5tlqi1sy4ecWk0aPdP615-2Bnz43gKJGtQkVg7xDOGn-2B-2FNhbkP1haa6zQzj-2F3SZTyZ5fEGOR-2FR2Fiujwog0myc_zqcr9iRqRSjyoMdNqqwpCIDehA9svmT3MXccNrdqzLviqeGMtqlPGrw1HKD8dk853ejwaVBpRgaQ5KgL1jFTUxIEYpvi-2FHpeVKYbtYTNqvfhN0IYuH2U2TyQvGIDgnuYpvRCAp2Xw0bpKCA9el4wTqABu9dMKn6RwH9TPsWVMiYcWqoyA4JuBP6kuTR5h6-2BYjBdBlutdf1BKDXpcHv77qw-3D-3D&data=05%7C02%7Cmyeager%40eps-software.com%7Ccbdef1e062af4c2807c708dc917a0118%7C24db396bb79545c9bcfad3559193f2f7%7C0%7C0%7C638545200432695770%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=C3o0R9HasdbY%2BO2gfG2Bv8XbAtv3Qgr9zIDVGuZovxk%3D&reserved=0 Exception Attributes: Message: ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error)
Content: {"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"8997f3a2-4774-4406-bcc2-14da6f7c387a"}
Headers: Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 Date: Thu, 20 Jun 2024 22:40:35 GMT Server: Kestrel
See the troubleshooting guide for more information. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu19054072.ct.sendgrid.net%2Fls%2Fclick%3Fupn%3Du001.jY5FA2o0QMCl0M6PhFnw5dYkXNFw1nMhCoCogaarRkW81prb5tlqi1sy4ecWk0aPdP615-2Bnz43gKJGtQkVg7xDOGn-2B-2FNhbkP1haa6zQzj-2F3SZTyZ5fEGOR-2FR2FiujwogSxe9_zqcr9iRqRSjyoMdNqqwpCIDehA9svmT3MXccNrdqzLviqeGMtqlPGrw1HKD8dk853ejwaVBpRgaQ5KgL1jFTU-2BA3ewbCWE9oFHFITqmLtI9VLHU9v-2FKfMWiU5QhK-2FqO-2BdwdnxRlepk-2BdhEENzaGMZGUlkUjPfm-2FYOv9F4AC4nm6Lr5XeAW5HgQwvyCOf04tILY-2FNu-2B5reqBkw6Hrd-2Fcb-2Fg-3D-3D&data=05%7C02%7Cmyeager%40eps-software.com%7Ccbdef1e062af4c2807c708dc917a0118%7C24db396bb79545c9bcfad3559193f2f7%7C0%7C0%7C638545200432706092%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Vnrkg%2FNzSaMvbv%2B1zWpDoG1M3aPvZwWZWYzMq%2BOfvfo%3D&reserved=0
Exception type: Azure.Identity.AuthenticationFailedException
Source: Azure.Identity
Thrown by code in method: FailWrapAndThrow
Thrown by code in class: CredentialDiagnosticScope
Stack Trace:
Method: Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) Method: Azure.Identity.ManagedIdentityCredential.
Service request failed. Status: 500 (Internal Server Error)
Content: {"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"8997f3a2-4774-4406-bcc2-14da6f7c387a"}
Headers: Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 Date: Thu, 20 Jun 2024 22:40:35 GMT Server: Kestrel Exception Attributes: Message: Service request failed. Status: 500 (Internal Server Error)
Content: {"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"8997f3a2-4774-4406-bcc2-14da6f7c387a"}
Headers: Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8 Date: Thu, 20 Jun 2024 22:40:35 GMT Server: Kestrel
Exception type: Azure.RequestFailedException
Source: Azure.Identity
Thrown by code in method: MoveNext
Thrown by code in class: <HandleResponseAsync>d__11Stack Trace:
Method: Azure.Identity.ManagedIdentitySource.
christothes
commented
3 months ago Hi @MikeYeager - Could you try this step from the troubleshooting guide to see if you get a token this way?
github-actions[bot]
commented
3 months ago Hi @MikeYeager. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
MikeYeager
commented
3 months ago Hi @christothes Thanks for responding. I'm just getting back from a trip and want to try this, but am not sure how. It says this:
Verify the App Service managed identity endpoint is available If you have access to SSH into the App Service, you can verify managed identity is available in the environment. First ensure the environment variables MSI_ENDPOINT and MSI_SECRET have been set in the environment. Then you can verify the managed identity endpoint is available using curl.
curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.core.windows.net&api-version=2018-02-01' -H "Metadata: true"
I don't know where to get the values for MSI_ENDPOINT and MSI_SECRET. Also, the CURL command doesn't seem to use them. Can you give me some guidance?
Thank you, Mike
christothes
commented
2 months ago Hi @MikeYeager -
It looks like the docs need to be updated slightly. The environment variables should be set on the host, which should be accessible via your SSH session. For example: echo MSI_ENDPOINT .
The URI you'll want to curl is as follows:
curl '{MSI_ENDPOINT}?resource=https://management.core.windows.net&api-version=2019-08-01' -H "Metadata: true" -H "X-IDENTITY-HEADER: {MSI_SECRET}"
github-actions[bot]
commented
2 months ago Hi @MikeYeager. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
MikeYeager
commented
2 months ago Hi @christothes , It's a Windows App Service, but I was able to get into the console, retrieve the environment variables and run it successfully:
christothes
commented
2 months ago Hi @MikeYeager - please don't post your actual access token unless it is already expired.
If the endpoint is properly returning a token I'm not sure why you'd be getting the 500 error. Can you reproduce this with logging enabled so that we can see what request is being made to the endpoint? Details can be found here.
github-actions[bot]
commented
2 months ago Hi @MikeYeager. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
MikeYeager
commented
2 months ago @christothes I'm trying to test the logging locally, but not getting any useful output. To be clear, this is a .NET Framework 4.8 services project that's using EF 6. Everything works fine in .NET Core. When I create a console logger and use these diagnostics settings, I get output like this:
The parameters to the Event method do not match the parameters to the WriteEvent method. This may cause the event to be displayed incorrectly.
The parameters to the Event method do not match the parameters to the WriteEvent method. This may cause the event to be displayed incorrectly.
The parameters to the Event method do not match the parameters to the WriteEvent method. This may cause the event to be displayed incorrectly.
The parameters to the Event method do not match the parameters to the WriteEvent method. This may cause the event to be displayed incorrectly.
The parameters to the Event method do not match the parameters to the WriteEvent method. This may cause the event to be displayed incorrectly.My code looks like this now:
public CIARedDogEntities() : base("name=CIARedDogEntities")
{
// Setup a listener to monitor logged events.
using (AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger())
{
//https://github.com/Azure/azure-sdk-for-net/issues/41521 - 500 error when Managed Identities credential get token
//System-assigned managed identity or logged-in identity of Visual Studio, Visual Studio Code, Azure CLI or Azure PowerShell
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
Diagnostics =
{
LoggedHeaderNames = { "x-ms-request-id" },
LoggedQueryParameters = { "api-version" },
IsAccountIdentifierLoggingEnabled = true
},
TenantId = "85cXXXXX-XXXX-XXXX-XXXX-XXXXXXXX4c16" //Client's Azure Tenant ID
});
var conn = (System.Data.SqlClient.SqlConnection)Database.Connection;
var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://database.windows.net/.default" }));
conn.AccessToken = token.Token;
}
}I'm not sure why you are getting the logging errors, but if you are attempting to reproduce this locally, it will not be the same since the managed identity is only available when the app is deployed.
Do you have any logging framework or ILogger in your application? If so, you may need to wire the log output up to that provider using a more advanced logger command as described here. You'd want to replace the Console.Log with whatever you normal logging method is there.
Everything works fine in .NET Core
Just to clarify, are you saying this problem doesn't reproduce at all on .NET Core?
github-actions[bot]
commented
2 months ago Hi @MikeYeager. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
MikeYeager
commented
2 months ago @christothes Thank you for all of your help. We never did get logging to work, either locally or when deployed to Azure, but in our attempts to do so, we got an exception message indicating that the User Id was still present in the db connection string in Azure. Once we removed that in the App Service's Environment Variables, it started working. Perhaps someday we'll be able to replace the SSRS reports and get rid of our old .NET Framework 4.8 code. Thank you for all of your help with this.
Library name and version
Azure.Identity 1.12.0
Describe the bug
I'm using Managed Identities to get a token in an Azure App Service. This code runs fine locally, but crashes ungracefully when deployed to Azure. My client has their own tenant and have added my login (email) from my azure tenant to their Entra. I found that it's necessary to pass my client's TenantId or the call fails locally. Access to SQL Server via Managed Identities works in newer ASP.NET Core apps, from SSMS, etc. It's only this old ASP.NET 4.8 app using Entity Framework 6 that I have a problem.
I followed these instructions https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cef%2Cdotnet#3-modify-your-project
I found this article which recommends changing scope to api://***. That was a slightly more graceful crash that actually allowed logging an error (still a 500 error though). https://github.com/Azure/azure-sdk-for-net/issues/41521
Expected behavior
I would expect to be able to log whatever is causing the issue by getting a .NET exception, not get a 500 error as a result of crashing the process.
Actual behavior
Crashes with 500 error.
Reproduction Steps
Create a new WebAPI project using .NET Framework 4.8. Add these lines of code to one of the sample methods. Run locally - success. Publish to Azure App Service and run from there - 500 error.
Environment
ASP.NET 4.8 Azure Web App