AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

[Bug] Unknown reasons for Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys #2695

Open maomaomqiu opened 2 months ago

maomaomqiu commented 2 months ago

Hi, team

We use WebAuth, but we found an exception from Microsoft.Identity.ServiceEssentials.Core. This case is pretty rare. Also, we found that other teams encounter such exceptions. (In their cases, they also encounter this issue, and the probability is also rare.)

Once this low-probability exception happens, it brings a catastrophic result.

Package reference chain:

WebAuth -> MISE -> SAL -> Wilson (Exception happened here)

Error Msg

Message: 'MISE12018: MiseHost (1.22.2.0): MISE12014: The request failed with exception: Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: (layer1)

Component: AuthenticationTicketProvider:1.22.2.0

CorrelationId:8225b67f-b9a6-44b9-aaa6-b7503f1a13aa

Microsoft.Identity.ServiceEssentials.Exceptions.MiseAuthenticationTicketProviderException: MISE12034: AuthenticationTicketProvider (layer1)Name:AuthenticationTicketProvider, GetVersion:1.22.2.0.

---> System.AggregateException: S2S12096: Microsoft.IdentityModel.S2S.S2SAuthenticationManager caught exceptions when validating the token. See AuthenticationResult.InboundPolicyEvaluationResults for additional details. (S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context))

---> Microsoft.IdentityModel.S2S.S2SAuthenticationException: S2S12086: An exception has been caught while validating the request applying the policy with id : 'c3a6fb3d-2f0a-4e6b-858a-406bbb4c6fdc'. Exception: Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

---> Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: IDX10618: Key unwrap failed using decryption Keys: 'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

Exceptions caught:

'PII of type 'System.Text.StringBuilder' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

token: 'PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see [https://aka.ms/IdentityModel/PII.]'.

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ThrowOnTokenValidationError(Exception exception, Boolean isValid, S2SContext context, TokenValidationParameters validationParameters)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateBearerAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, TokenValidationParameters tokenValidationParameters, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateInternalAsync(S2SInboundPolicy policy, ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

at Microsoft.IdentityModel.S2S.JwtAuthenticationHandler.ValidateProtocolEvaluationResultAsync(ProtocolEvaluationResult protocolEvaluationResult, S2SContext context)

--- End of inner exception stack trace ---

--- End of inner exception stack trace ---

--- End of inner exception stack trace ---

at Microsoft.Identity.ServiceEssentials.MiseHost`1.AuthenticateRequestAsync(TMiseContext context, CancellationToken cancellationToken)

at Microsoft.Identity.ServiceEssentials.MiseHost`1.HandleAsync(TMiseContext context, IReadOnlyCollection`1 modules, CancellationToken cancellationToken). (8225b67f-b9a6-44b9-aaa6-b7503f1a13aa). ' dict: {"source":"ms-assignment"}

Places that would produce such exceptions

[screenshot]

Similar issue on Stack Overflow

https://stackoverflow.microsoft.com/questions/361215

This is not correct for our case -

For our case, the tokens should be valid tokens. We didn't touch our auth logic or our app, and only one VM, actually one agent, is failing.

(We have many VMs sharing the same token, but only 1 failed.)

pmaytak commented 1 week ago

Looks like the scenario is that the failure happens if at least one exception is thrown when processing a key: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/42ec5103cdf19eaa8def9d50c34ad025a61087ef/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs#L1425

This should be changed to an || comparison like in the JwtSecurityTokenHandler: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/42ec5103cdf19eaa8def9d50c34ad025a61087ef/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs#L1907
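The two loop semantics the comment contrasts, as an added illustration that is not the repository's code: a multi-key unwrap that fails whenever at least one configured decryption key throws, beside one that succeeds as long as any key unwraps and raises only when all fail. The wrap/unwrap primitive is a constructed HMAC-checked stand-in for AES Key Wrap, chosen only so that a wrong key raises an integrity error the way AES-KW does; the key names and sample CEK are made up.

```python
import hashlib
import hmac

class KeyUnwrapError(Exception):
    """Raised when one decryption key fails to unwrap the wrapped CEK."""

def _keystream(key: bytes, n: int) -> bytes:
    # Constructed stand-in for AES-KW (RFC 3394): SHA-256 keystream + HMAC tag.
    return hashlib.sha256(b"kw|" + key).digest()[:n]

def wrap_key(key: bytes, cek: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(cek, _keystream(key, len(cek))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unwrap_with_key(key: bytes, wrapped: bytes) -> bytes:
    body, tag = wrapped[:-32], wrapped[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise KeyUnwrapError("integrity check failed")  # wrong key, as with AES-KW
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

def unwrap_fail_on_any_error(keys, wrapped):
    """Behaviour the comment describes: any key that throws fails the whole unwrap."""
    cek, errors = None, []
    for key in keys:
        try:
            if cek is None:
                cek = unwrap_with_key(key, wrapped)
        except KeyUnwrapError as e:
            errors.append(e)
    if errors:  # wrong condition: a key that succeeded is thrown away
        raise KeyUnwrapError(f"{len(errors)} of {len(keys)} decryption keys failed")
    return cek

def unwrap_any_key(keys, wrapped):
    """Direction the comment suggests: succeed if any key unwraps, raise only if all fail."""
    errors = []
    for key in keys:
        try:
            return unwrap_with_key(key, wrapped)
        except KeyUnwrapError as e:
            errors.append(e)
    raise KeyUnwrapError(f"all {len(errors)} decryption keys failed")

CEK = bytes(range(32))  # constructed content-encryption key
CURRENT_KEY = hashlib.sha256(b"current-key").digest()  # constructed
RETIRED_KEY = hashlib.sha256(b"retired-key").digest()  # constructed, still configured
WRAPPED = wrap_key(CURRENT_KEY, CEK)
DECRYPTION_KEYS = [RETIRED_KEY, CURRENT_KEY]  # a stale key sits beside the right one

def demo():
    results = {"any_key": unwrap_any_key(DECRYPTION_KEYS, WRAPPED) == CEK}
    try:
        unwrap_fail_on_any_error(DECRYPTION_KEYS, WRAPPED)
        results["fail_on_any"] = "ok"
    except KeyUnwrapError:
        results["fail_on_any"] = "raised"  # same input, rejected by the stricter loop
    return results
```

With one stale key configured, the stricter loop rejects a token that the right key unwraps cleanly, which matches the "valid tokens, only some hosts fail" picture in the report.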