MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure VPN linux client on Ubuntu 24.04 + Connection failed: Connection dropped, Session State: Key Material sent #124655

Open vainkop opened 5 days ago

vainkop commented 5 days ago

I'm creating a separate issue since the original one I've found is closed

So the Azure VPN linux client doesn't work for me on Ubuntu (24.04) (with a client for 22.04).

First I had this error:

Authentication failed. You can return to the application. Feel free to close this browser tab.

Error details: error invalid_client error_description: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: c632b3df-fb67-4d84-bdcf-b95ad541b5c8(Azure VPN). Resource value from request: 41b23e61-6c1e-4545-b367-cd054e0ed4b4. Resource app ID: 41b23e61-6c1e-4545-b367-cd054e0ed4b4. List of valid resources from app registration: . Trace ID: f9c4d6d0-5a81-45c9-9e5d-807cf79c3900 Correlation ID: bd5bc0c7-43d8-4078-b411-2090650a7bb8 Timestamp: 2024-10-16 11:29:00Z

Then I've found this article which talks specifically about the Azure VPN client for Linux configuration needed + error AADSTS650057, so I've added the following to the azurevpnconfig.xml:

      <applicationid>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</applicationid>

which resulted in the following error after a fresh Import + Connect:

Authentication failed. You can return to the application. Feel free to close this browser tab.

Error details: error invalid_client error_description: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: c632b3df-fb67-4d84-bdcf-b95ad541b5c8(Azure VPN). Resource value from request: 41b23e61-6c1e-4545-b367-cd054e0ed4b4. Resource app ID: 41b23e61-6c1e-4545-b367-cd054e0ed4b4. List of valid resources from app registration: . Trace ID: a5baf20d-9874-4f3e-b867-eef03f1e4300 Correlation ID: e7c2a2f0-874f-4773-b4d0-4332ca93ed11 Timestamp: 2024-10-16 11:33:57Z

After that I've updated Audience

41b23e61-6c1e-4545-b367-cd054e0ed4b4

to

c632b3df-fb67-4d84-bdcf-b95ad541b5c8

(same value as Client app ID) which resulted in a successful authentication message in the browser:

Authentication complete. You can return to the application. Feel free to close this browser tab.

but unfortunately I still get an error in the Azure VPN client UI:

Connection failed: Connection dropped, Session State: Key Material sent

Both xml before import & Azure VPN client UI configs have / slashes on the end of Tenant & Issuer:

<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/">
  <any xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Xml" i:nil="true" />
  <clientauth>
    <aad>
      <audience>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</audience>
      <cachesigninuser>true</cachesigninuser>
      <enablegrouptoken>false</enablegrouptoken>
      <issuer>https://sts.windows.net/MY_TENANT_ID_HERE/</issuer>
      <tenant>https://login.microsoftonline.com/MY_TENANT_ID_HERE/</tenant>
      <applicationid>c632b3df-fb67-4d84-bdcf-b95ad541b5c8</applicationid>
    </aad>

Tenant:
https://login.microsoftonline.com/MY_TENANT_ID_HERE/
Audience:
c632b3df-fb67-4d84-bdcf-b95ad541b5c8
Issuer:
https://sts.windows.net/MY_TENANT_ID_HERE/

FYI: exactly the same azurevpnconfig.xml without any changes downloaded from browser > Virtual network gateway > Point-to-site configuration > Download VPN client works out of the box on Mac

Here's the AzureVPNClient.log with sensitive info replaced: AzureVPNClient.log

Both repos for 20.04 & 22.04 contain only vpn client version 3.0.0 despite 3.3.0.0 mentioned for example here & here so it's unclear if it's a documentation error or version 3.3.0.0 hasn't been published to the official Microsoft repos mentioned in the docs:

https://packages.microsoft.com/ubuntu/20.04/prod/dists/focal/main/binary-amd64/Packages

Package: microsoft-azurevpnclient
Version: 3.0.0
Architecture: amd64
Section: net
Priority: optional
Installed-Size: 36450
Maintainer: Microsoft Azure VPN <aznetvpnidc@microsoft.com>
Description: Azure VPN Client
    The Azure VPN Client lets you connect to Azure securely from anywhere in the world. It supports Microsoft Entra ID and certificate-based authentication.
Homepage: https://apps.microsoft.com/store/detail/azure-vpn-client
Depends: libatk1.0-0 (>= 1.12.4), libc6 (>= 2.30), libcap2 (>= 1:2.10), libcurl4 (>= 7.16.2), libepoxy0 (>= 1.0), libfontconfig1 (>= 2.12.6), libgcc-s1 (>= 3.0), libglib2.0-0 (>= 2.39.90), libgtk-3-0 (>= 3.21.4), libpango-1.0-0 (>= 1.29.4), libpangocairo-1.0-0 (>= 1.14.0), libsecret-1-0 (>= 0.7), libsqlite3-0 (>= 3.7.14), libssl1.1 (>= 1.1.1), libstdc++6 (>= 7), libsystemd0 (>= 239), zlib1g (>= 1:1.2.0), zenity | kdialog
Pre-Depends: dpkg (>= 1.14.0)
SHA256: a5a9424357017365886fee0a9f295310cbf09655470588e115f7bf5a5e1c9608
Size: 11357118
Filename: pool/main/m/microsoft-azurevpnclient/microsoft-azurevpnclient_3.0.0_amd64.deb

https://packages.microsoft.com/ubuntu/22.04/prod/dists/jammy/main/binary-amd64/Packages

Package: microsoft-azurevpnclient
Version: 3.0.0
Architecture: amd64
Section: net
Priority: optional
Installed-Size: 36429
Maintainer: Microsoft Azure VPN <aznetvpnidc@microsoft.com>
Description: Azure VPN Client
    The Azure VPN Client lets you connect to Azure securely from anywhere in the world. It supports Microsoft Entra ID and certificate-based authentication.
Homepage: https://apps.microsoft.com/store/detail/azure-vpn-client
Depends: libatk1.0-0 (>= 1.12.4), libc6 (>= 2.34), libcap2 (>= 1:2.10), libcurl4 (>= 7.16.2), libepoxy0 (>= 1.0), libfontconfig1 (>= 2.12.6), libgcc-s1 (>= 3.0), libglib2.0-0 (>= 2.39.90), libgtk-3-0 (>= 3.21.4), libpango-1.0-0 (>= 1.29.4), libpangocairo-1.0-0 (>= 1.14.0), libsecret-1-0 (>= 0.7), libsqlite3-0 (>= 3.7.14), libssl3 (>= 3.0.0~~alpha1), libstdc++6 (>= 12), libsystemd0 (>= 239), zlib1g (>= 1:1.2.0), zenity | kdialog
Pre-Depends: dpkg (>= 1.14.0)
SHA256: 9e5d360433d1d374d9a1051bb29a65103e81ca74ebeaa35155d1f0e9fc94577b
Size: 12590862
Filename: pool/main/m/microsoft-azurevpnclient/microsoft-azurevpnclient_3.0.0_amd64.deb

Any suggestions (aside from not using linux)?


author: @cherylmc ms.service: azure-vpn-gateway ms.custom: linux-related-content ms.author: @cherylmc
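
Added example, not part of the original issue or of Microsoft's tooling: a Python script that diffs the `<aad>` settings of the downloaded profile against the hand-edited one and repeats the trailing-slash check on issuer and tenant described in the post. The two sample profiles are constructed from the values quoted above, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Default namespace of the profile shown in the issue.
NS = {"p": "http://schemas.datacontract.org/2004/07/"}
AAD_FIELDS = ("audience", "issuer", "tenant", "applicationid")

def profile(audience, applicationid=None):
    """Build a constructed sample profile shaped like the snippet in the issue."""
    app = f"<applicationid>{applicationid}</applicationid>" if applicationid else ""
    return f"""<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <aad>
      <audience>{audience}</audience>
      <issuer>https://sts.windows.net/MY_TENANT_ID_HERE/</issuer>
      <tenant>https://login.microsoftonline.com/MY_TENANT_ID_HERE/</tenant>
      {app}
    </aad>
  </clientauth>
</AzVpnProfile>"""

def read_aad(xml_text):
    """Return the <aad> settings as a dict; fields absent from the profile map to None."""
    aad = ET.fromstring(xml_text).find("p:clientauth/p:aad", NS)
    if aad is None:
        raise ValueError("profile has no <clientauth><aad> section")
    out = {}
    for name in AAD_FIELDS:
        node = aad.find(f"p:{name}", NS)
        out[name] = node.text.strip() if node is not None and node.text else None
    return out

def diff_aad(downloaded_xml, edited_xml):
    """List (field, downloaded, edited) for every <aad> field that differs."""
    before, after = read_aad(downloaded_xml), read_aad(edited_xml)
    return [(f, before[f], after[f]) for f in AAD_FIELDS if before[f] != after[f]]

def missing_trailing_slash(xml_text):
    """Names of the URL fields (issuer, tenant) that do not end with '/'."""
    aad = read_aad(xml_text)
    return [f for f in ("issuer", "tenant") if aad[f] and not aad[f].endswith("/")]

# Constructed inputs: the profile as downloaded, and after the two edits in the post.
DOWNLOADED = profile("41b23e61-6c1e-4545-b367-cd054e0ed4b4")
EDITED = profile("c632b3df-fb67-4d84-bdcf-b95ad541b5c8",
                 "c632b3df-fb67-4d84-bdcf-b95ad541b5c8")

if __name__ == "__main__":
    for field, old, new in diff_aad(DOWNLOADED, EDITED):
        print(f"{field}: {old} -> {new}")
    print("missing trailing slash:", missing_trailing_slash(EDITED))
```

Attaching the output of such a diff to a support request shows exactly which client-side fields diverge from the profile the gateway generated.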

rogerionagata commented 5 days ago

@vainkop probably need additional configuration on azurevpn https://learn.microsoft.com/mt-mt/azure/vpn-gateway/point-to-site-entra-gateway-update

TPavanBalaji commented 5 days ago

@vainkop Thanks for your feedback! We will investigate and update as appropriate.

vainkop commented 5 days ago

> @vainkop probably need additional configuration on azurevpn https://learn.microsoft.com/mt-mt/azure/vpn-gateway/point-to-site-entra-gateway-update

Thank you, I will try doing that & report the results later.

But it sounds very weird that I need to update server config & force existing VPN clients to redownload their VPN configuration while I have MacOS & Windows clients connecting successfully. Looks like a bug in the Linux VPN client which needs to be fixed.