Azure / azure-signalr

Azure SignalR Service SDK for .NET
https://aka.ms/signalr-service
MIT License

Unable to access SignalR service. Error while copying content to a stream. #1459

Open Nico-VanHaaster opened 2 years ago

Nico-VanHaaster commented 2 years ago

Describe the bug

Using Managed Identities we are receiving the following error.

Failed in authorizing AccessKey for 'https://<service>.service.signalr.net/', will retry in 3 seconds
Microsoft.Azure.SignalR.Common.AzureSignalRInaccessibleEndpointException: Unable to access SignalR service. Error while copying content to a stream. Please make sure the endpoint or DNS setting is correct. Request Uri: https://<service>.service.signalr.net/api/v1/auth/accessKey
 ---> System.Net.Http.HttpRequestException: Error while copying content to a stream.
 ---> System.IO.IOException: The response ended prematurely.
   at System.Net.Http.HttpConnection.FillAsync()
   at System.Net.Http.HttpConnection.ChunkedEncodingReadStream.CopyToAsyncCore(Stream destination, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionResponseContent.SerializeToStreamAsync(Stream stream, TransportContext context, CancellationToken cancellationToken)
   at System.Net.Http.HttpContent.LoadIntoBufferAsyncCore(Task serializeToStreamTask, MemoryStream tempBuffer)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpContent.LoadIntoBufferAsyncCore(Task serializeToStreamTask, MemoryStream tempBuffer)
   at System.Net.Http.HttpContent.WaitAndReturnAsync[TState,TResult](Task waitTask, TState state, Func`2 returnFunc)
   at Microsoft.Azure.SignalR.RestClient.ThrowExceptionOnResponseFailureAsync(HttpResponseMessage response)
   at Microsoft.Azure.SignalR.RestClient.SendAsync(RestApiEndpoint api, HttpMethod httpMethod, String productInfo, String methodName, Object[] args, Func`2 handleExpectedResponseAsync, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.SignalR.AadAccessKey.UpdateAccessKeyAsync()
   at Microsoft.Azure.SignalR.AccessKeySynchronizer.UpdateAccessKeyAsync(AadAccessKey key)

The managed identity we have created is a standalone managed identity through Kubernetes AAD Pod authentication. NMI logs show the identity was matched.

I0923 23:12:12.659547       1 managed.go:81] matched identityType:0 clientid:916e##### REDACTED #####c69c resource:https://signalr.azure.com
I0923 23:12:12.671515       1 server.go:196] status (200) took 12204215 ns for req.method=GET reg.path=/metadata/identity/oauth2/token req.remote=10.132.0.166

The identity has been assigned the correct "SignalR App Server (Preview)"

Further technical details

terencefan commented 2 years ago

Hello,

The problem is likely caused by a misconfiguration.

Could you share a screenshot of your Role Assignments and a sample AADToken with us? You could use https://jwt.io/ to parse the AADToken and hide sensitive info.

Y-Sindo commented 2 years ago

@Nico-VanHaaster Do you use serverless mode or server mode? If you use serverless mode, you should assign the "SignalR Service Owner" role.

Nico-VanHaaster commented 2 years ago

@Y-Sindo this is in classic mode, but it has been a month or so since testing. Not sure if there is a change I need to make to the AKS clusters directly.

@terencefan I am not sure how to get the AADToken out of the Managed Identities pod but can see what I can find.
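
Added example, not part of the thread and not the SDK's own code: a local way to inspect an AAD token before sharing it, which decodes the claims, masks the identifying ones, and checks `aud` against the resource shown in the NMI log above. It assumes the token has already been obtained; the claim names in `SENSITIVE_CLAIMS`, the sample claims and all helper names are assumptions constructed for illustration, and the signature is not verified.

```python
import base64
import json
import time

# Resource the NMI log in the thread shows the token was requested for.
EXPECTED_AUDIENCE = "https://signalr.azure.com"
# Assumed set of claims that identify the tenant or identity; masked before sharing.
SENSITIVE_CLAIMS = {"appid", "oid", "sub", "tid", "iss", "xms_mirid"}

def decode_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def redact(claims):
    """Mask identifying claims, keeping a short prefix for correlation."""
    return {k: (str(v)[:4] + "...REDACTED" if k in SENSITIVE_CLAIMS else v)
            for k, v in claims.items()}

def check(claims, now=None):
    """Return a list of token problems that would explain an auth failure."""
    now = time.time() if now is None else now
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != EXPECTED_AUDIENCE:
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if claims.get("nbf", 0) > now:
        problems.append("token is not yet valid")
    return problems

def make_sample_token(claims):
    """Build an unsigned token from constructed claims, for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed sample claims (all identifiers are placeholders).
SAMPLE_CLAIMS = {
    "aud": "https://signalr.azure.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "nbf": 1600000000, "exp": 4102444800,
}

if __name__ == "__main__":
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    print(json.dumps(redact(claims), indent=2))
    print(check(claims) or "aud and lifetime look fine")
```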