Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

Get-AADIntAccessTokenForAADJoin The request body must contain the following parameter: 'grant_type' #4

Closed pawp81 closed 3 years ago

pawp81 commented 3 years ago

When running on Windows 1809 (not joined to domain or AAD): Get-AADIntAccessTokenForAADJoin -SaveToCache, I receive the following error:

PS C:\Windows\system32> Get-AADIntAccessTokenForAADJoin -SaveToCache
WARNING: WebBrowser control emulation not set for PowerShell or PowerShell ISE!
Would you like set the emulation to IE 11? Otherwise the login form may not work! (Y/N): Y
Emulation set. Restart PowerShell/ISE!
You cannot call a method on a null-valued expression.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1167 char:12
+         if($form.ShowDialog() -ne "OK") {
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1175 char:9
+         $response = [Web.HttpUtility]::ParseQueryString($form.Control ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1178 char:9
+         $body = @{
+         ~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Cannot index into a null array.
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1186 char:9
+         $form.Controls[0].Dispose()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Invoke-RestMethod : {"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID:
da1f378d-681a-45eb-9283-507a1d4c1400\r\nCorrelation ID: 4b06d599-96d4-4c2d-ad93-c9f86295fa60\r\nTimestamp: 2020-12-21 10:51:44Z","error_codes":[900144],"timestamp":"2020-12-21
10:51:44Z","trace_id":"da1f378d-681a-45eb-9283-507a1d4c1400","correlation_id":"4b06d599-96d4-4c2d-ad93-c9f86295fa60","error_uri":"https://login.microsoftonline.com/error?code=900144"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:1193 char:23
+ ... sonResponse=Invoke-RestMethod -Uri "https://login.microsoftonline.com ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Could not get OAuthInfo!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:2380 char:17
+                 throw "Could not get OAuthInfo!"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Could not get OAuthInfo!:String) [], RuntimeException
    + FullyQualifiedErrorId : Could not get OAuthInfo!

NestoriSyynimaa commented 3 years ago

Are you running the command in PowerShell or ISE? VS Code is currently not supported for interactive logon. If you don't use MFA, you can save credentials to a variable and then get the access token:

$Cred = Get-Credential
Get-AADIntAccessTokenForAADJoin -SaveToCache -Credentials $Cred

pawp81 commented 3 years ago

I am running it in PowerShell. Yes, I am using PowerShell, so the -Credentials parameter option didn't work:

NestoriSyynimaa commented 3 years ago

Do you have any error reports for the non-working Get-AADIntAccessTokenForAADJoin -SaveToCache -Credentials $Cred?

pawp81 commented 3 years ago

Get-AADIntAccessTokenForAADJoin -SaveToCache -Credentials $Cred
Invoke-RestMethod : {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change
made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access
'01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9'.\r\nTrace ID: 2b627b3e-bf70-429e-8c62-538c6a217100\r\nCorrelation ID:
54aadd25-9fbf-46ee-8f13-ecab888406b3\r\nTimestamp: 2021-01-22 11:55:18Z","error_codes":[50076],"timestamp":"2021-01-22
11:55:18Z","trace_id":"2b627b3e-bf70-429e-8c62-538c6a217100","correlation_id":"54aadd25-9fbf-46ee-8f13-ecab888406b3","e
rror_uri":"https://login.microsoftonline.com/error?code=50076","suberror":"basic_action"}
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:2510 char:19
+ ...   $response=Invoke-RestMethod -Uri $url -ContentType $contentType -Me ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Could not get Access Token!
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.4.4\AccessToken_utils.ps1:2437 char:13
+             Throw "Could not get Access Token!"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Could not get Access Token!:String) [], RuntimeException
    + FullyQualifiedErrorId : Could not get Access Token!

NestoriSyynimaa commented 3 years ago

Okay, it seems that your organisation requires MFA, so the credentials won't work. Back to the original issue then. You are probably using a quite recent Windows 10, which is missing the registry key HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

As a workaround, you can create the missing registry key and add the value of 0x00002af9 for powershell.exe and powershell_ise.exe as illustrated below. After that, start a new PS session and the original command should work.

[image: screenshot of the FEATURE_BROWSER_EMULATION registry key described above]

I'll fix this issue for the next release.
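The registry workaround described in the comment above, as a script. This is an added example, not code from the AADInternals project; it assumes the current-user hive (HKCU) and the IE11 emulation value 0x2AF9 (11001 decimal) given in the thread, and only touches the two PowerShell host executables named there.

```powershell
# Added example (not from AADInternals): idempotently set FEATURE_BROWSER_EMULATION
# for powershell.exe and powershell_ise.exe so the WebBrowser login form renders in IE11 mode.
# Assumption: value 0x2AF9 (11001) = IE11 edge mode, as stated in the workaround above.

$KeyPath      = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$Ie11EdgeMode = 0x2AF9
$Hosts        = @('powershell.exe', 'powershell_ise.exe')

function Get-BrowserEmulationState {
    # Returns host executable -> current DWORD value, or $null when the value (or key) is missing.
    $state = @{}
    foreach ($h in $Hosts) {
        $value = $null
        if (Test-Path -LiteralPath $KeyPath) {
            $value = (Get-ItemProperty -LiteralPath $KeyPath -Name $h -ErrorAction SilentlyContinue).$h
        }
        $state[$h] = $value
    }
    return $state
}

function Set-BrowserEmulation {
    # Supports -WhatIf so the change can be reviewed before it is written to the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    foreach ($h in $Hosts) {
        $current = (Get-ItemProperty -LiteralPath $KeyPath -Name $h -ErrorAction SilentlyContinue).$h
        if ($current -eq $Ie11EdgeMode) {
            Write-Verbose "$h already set to 0x$('{0:X}' -f $current); nothing to do"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$KeyPath\$h", 'Set DWORD to 0x2AF9')) {
            New-ItemProperty -LiteralPath $KeyPath -Name $h -PropertyType DWord -Value $Ie11EdgeMode -Force | Out-Null
        }
    }
}

# Usage: preview first, then apply and verify. A new PowerShell/ISE session is needed afterwards.
Set-BrowserEmulation -WhatIf
Set-BrowserEmulation -Verbose
Get-BrowserEmulationState
```

Because the key lives under HKCU, no elevation is required, and the setting affects only the WebBrowser control inside the two listed host processes, not Internet Explorer itself.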

Kav7 commented 2 years ago

I have the same issue unfortunately; I checked and already had those reg keys.

NestoriSyynimaa commented 2 years ago

Are you also trying to use saved credentials and MFA is required? Any error messages?

Kav7 commented 2 years ago

I tried with an account that doesn't have MFA, and after entering the password in the popup box it just goes blank white. I eventually close it, which causes this error:

Could not get OAuthInfo! At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.6.2\AccessToken.ps1:1327 char:17

NestoriSyynimaa commented 2 years ago

Another bug due to recent changes :( Try commenting out line 1322 in AccessToken_utils.ps1, then remove and import the module: # $web.ScriptErrorsSuppressed = $True

Kav7 commented 2 years ago

That worked! Very nice :)