Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

New-AADIntBulkPRTToken Request Failing #55

Closed amorrowbellarmine closed 1 year ago

amorrowbellarmine commented 1 year ago

Hi, I'm trying to request a new BPRT and am getting the following error message. Everything was working fine a month ago, but now my co-worker and I get the same error message. We've updated to the latest version of AAD internals and tried from multiple computers. Do you have any ideas or suggestions we could try?

Thanks.

PS C:\Users\user> Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net -SaveToCache
AccessToken saved to cache.

Tenant                               User                   Resource                                      Client
------                               ----                   --------                                      ------
5290229c-XXXX-XXXX-XXXX-XXXXXXXXXXXX user@XXXXXX.XXX urn:ms-drs:enterpriseregistration.windows.net 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX

PS C:\Users\user> $bprt = New-AADIntBulkPRTToken -Name "package_$(new-guid)"
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-03 13:50:30Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"f6ba90fe-6dd6-4560-9394-bff3d1fa3d18","date":"2023-05-03T13:50:30","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 44181f8c-f803-4187-b2aa-dde6e1e85a00
Correlation ID: 5757b707-00c0-49c1-9449-0b2b6e20e3ee
Timestamp: 2023-05-03 13:50:30Z

NestoriSyynimaa commented 1 year ago

Very interesting error indeed. BPRT in general works okay, just demoed it two weeks ago. Could you try again with the -Verbose or -Debug switches to see details of what's happening?

amorrowbellarmine commented 1 year ago

Sure thing. Here is the output. Yeah, I'm not sure what's going on. We've got a similar issue happening with WCD where it responds with an error saying "empty response". I've got a ticket open with the Azure support in hopes they can fix the WCD issue. Maybe that will fix my issue with AAD Internals token request.

PS C:\Users\user> New-AADIntBulkPRTToken -Name "package_$(new-guid)" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:

aud                 : urn:ms-drs:enterpriseregistration.windows.net
iss                 : https://sts.windows.net/5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX/
iat                 : 1684173329
nbf                 : 1684173329
exp                 : 1684178442
acr                 : 1
aio                 : ATQAy/8TAAAAsQob8gr5D2ifOe6udkdCHKRftYYTx9hCsUwiDUZqZHsGe97mxabxTbW2iTcSffhi
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX
appidacr            : 0
deviceid            : e1b87443-6e45-47d2-9f03-XXXXXXXXXXXX
family_name         : Morrow
given_name          : Tony
groups              : {cd8dec03-ec9f-4566-baf5-XXXXXXXXXXX, fc77fa73-3a32-4def-b41a-XXXXXXXXXXXX, 4e975bdc-8cd9-4a20-a8d3-XXXXXXXXXXXX, f74d260b-8696-4910-b6ba-XXXXXXXXXXXX...}
ipaddr              : XXX.XXX.XXX.XXX
name                : Tony Morrow
oid                 : 579d89af-30d7-4730-8882-XXXXXXXXXXXX
onprem_sid          : S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX
puid                : 10033FFF84E411AE
rh                  : 0.AQgAnCKQUvHZ3EWg1CY3kPcx-nYoywG9fqRKnMnSi9TTWakIAKk.
scp                 : policy_management
sub                 : _RCO7bcaq6yd-URt9q7v95-yATBAkub5NeOWuwnPavo
tenant_region_scope : NA
tid                 : 5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX
unique_name         : user@XXX.XXX
upn                 : user@XXX.XXX
uti                 : OKkrDaN93Ui911ER4MVFAA
ver                 : 1.0
wids                : {5d6b6bb7-de71-4623-b4af-XXXXXXXXXXXX, 3a2c62db-5318-420d-8d74-XXXXXXXXXXXX, 38a96431-2bdf-4b4c-8b6e-XXXXXXXXXXXX, b79fbf4d-3ef9-4689-8143-XXXXXXXXXXXX}
xms_sk              : true
xms_sptype          : 0

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): y
VERBOSE: POST https://login.microsoftonline.com/webapp/bulkaadjtoken/begin with -1-byte payload
VERBOSE: received 343-byte response of content type application/json; charset=utf-8
VERBOSE: GET
https://login.microsoftonline.com/webapp/bulkaadjtoken/poll?flowToken=AQABAAEAAAD--DLA3VO7QrddgJg7Wevra-ffcK6vXdLYnBmGBB3FWXXs4x6SZBcoknOMVsYoo4yGOHK8UBLCfqYRt0ekRWpjJOow9trO76pFeKZbK8ZGgWfuNOktgj8BsYFwnz5ISdiM8qPwz-drFL7YBxaRQ7vuRDgtsu9xo4E-h5PmJ7m-9-iaqKLQllYXrHf17Kh-oMIMl_CdscAeyiY9U7yT1H-b4YHsA_uIDMTxZfG-bDwJH31FHHCO7ZNrVk4cIwif6xcBizDChhvg_HvgGO655VTVIAA with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-15 18:02:15Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z

Kyawn88 commented 1 year ago

I'm getting this too. I generated a BPRT about 3-4 months ago using AADInternals without issue. Tried to regenerate it today and I'm getting the exact same output error. From the looks of the error it seems that the SourceAnchor value is required for the generation of the AAD user that is created with the package_{GUID}.

Is there a way to insert this value into the command?

Here is the -Verbose and -Debug output of my command (I'm aware it's running with version 0.7.8, but the problem is also present in 0.8.2):

PS C:\Users\john.doe> $bprt = New-AADIntBulkPRTToken -Name "AAD_Joiner_Token" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:

aud                 : urn:ms-drs:enterpriseregistration.windows.net
iss                 : https://sts.windows.net/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/
iat                 : 1684321176
nbf                 : 1684321176
exp                 : 1684325076
acr                 : 1
aio                 : AVQAq/8TAAAA5kz1vmWvOpJuXVedwVjG1w5/HLzNfN45YJ5+NbqXnyXwV5/Scdz5zfnAoE5Cqd8GTrOUyWBaTijCg6l4wONsoHanCKkOjonpeK2UV9yPitI=
amr                 : {pwd, mfa}
appid               : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
appidacr            : 0
deviceid            : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
family_name         : Doe
given_name          : John
groups              : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
ipaddr              : XXX.XXX.XXX.XXX
name                : John Doe
oid                 : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
onprem_sid          : S-1-5-21-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX-XXXX
puid                : 100300009F48D725
rh                  : 0.AQwAjLgeeqQXnk-t-11BVU6tsXYoywG9fqRKnMnSi9TTWamWABY.
scp                 : policy_management
sub                 : XG_SNxELJN0kQwsVWO0zq7pC-WI_1RepG9_r28Gm4dA
tenant_region_scope : EU
tid                 : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
unique_name         : john.doe@XXX.XXX
upn                 : john.dor@XXX.XXX
uti                 : 7pUzUgsev0yphNowcFpzAA
ver                 : 1.0
wids                : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
xms_sk              : true
xms_sptype          : 0

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
VERBOSE: POST with -1-byte payload
VERBOSE: received 322-byte response of content type application/json; charset=utf-8
VERBOSE: GET with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb07c496e666","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.7.8\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-17 11:15:41Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb07c496e666","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z

amorrowbellarmine commented 1 year ago

I got a response from Microsoft regarding my issue with bulk token requests through WCD. It is caused by our tenant authentication being Federated and us testing password hash sync authentication through AAD Connect's staged rollout feature. My account is one of those being tested.

This is the full response:

"The opeartion returned empty response. Please try again" The error can occur if the user account you use to authenticate with AAD when you click Get Bulk Token is enabled for Seamless SSO staged rollout, which means it's treated as a managed user for authentication purposes, and because of that the bulk endpoint incorrectly determines that the domain the user is in is managed. This causes an error when creating a pseudo user account in the domain to represent the bulk token. Federated user accounts enabled for staged rollout will not work for retrieval of bulk tokens.

Workarounds:

• Kindly use a user account not enabled for staged SSO
• Please try creating a new user account or use a different managed user account to generate the provisioning package.

I had one of our other administrators who's not in the SSO test try WCD and AAD Internals, and they were able to successfully request a bulk token with both tools.

Sounds like this issue can be closed since I know the source of the problem.
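A small triage helper for the failure discussed in this thread, written here as an added example rather than AADInternals' own code: it parses the error_description string that PRT.ps1 throws (the AADSTS650051 text shown in the outputs above) and maps the immutableId/PropertyRequired combination to the staged-rollout cause from Microsoft's response. The function name Get-BprtErrorDiagnosis is hypothetical; the message format is assumed to be exactly what the outputs above show.

```powershell
# Added example, not part of AADInternals. Parses the error_description thrown by
# New-AADIntBulkPRTToken: "AADSTS<code>: {json}" followed by Trace ID / Correlation ID /
# Timestamp lines. Function name is hypothetical.
function Get-BprtErrorDiagnosis {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ErrorMessage)

    # (?s) lets the greedy {.*} span line breaks inside the JSON body.
    $pattern = '(?s)^(?<code>AADSTS\d+):\s*(?<json>\{.*\})\s*Trace ID:\s*(?<trace>[0-9a-f-]{36})'
    if (-not ($ErrorMessage -match $pattern)) {
        return [pscustomobject]@{ Code = $null; Cause = 'Unrecognised error format'; Raw = $ErrorMessage }
    }
    $code  = $Matches.code
    $trace = $Matches.trace
    # The JSON body is an OData error whose top-level key contains a dot.
    $odata = ($Matches.json | ConvertFrom-Json).'odata.error'
    $props = @{}
    foreach ($v in $odata.values) { $props[$v.item] = $v.value }

    $cause = 'Unknown; quote the request ID and trace ID to Microsoft support.'
    if ($code -eq 'AADSTS650051' -and
        $props['PropertyName'] -eq 'immutableId' -and
        $props['PropertyErrorCode'] -eq 'PropertyRequired') {
        # Root cause from this thread: the bulk endpoint treated a federated account
        # as managed (staged rollout) and could not create the pseudo user.
        $cause = 'Signing-in account is federated but in a staged-rollout group; ' +
                 'request the BPRT with an account that is not in staged rollout.'
    }

    [pscustomobject]@{
        Code      = $code
        Message   = $odata.message.value
        RequestId = $odata.requestId
        TraceId   = $trace
        Property  = $props['PropertyName']
        Cause     = $cause
    }
}

# Usage: PRT.ps1 throws the description as a plain string, so it is the exception message.
try {
    $bprt = New-AADIntBulkPRTToken -Name "package_$(New-Guid)"
} catch {
    Get-BprtErrorDiagnosis -ErrorMessage $_.Exception.Message | Format-List
}
```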