microsoft / SDCM

Surface Dev Center Manager tool to automate WHQL/Attestation submissions and Shipping Label creation for Microsoft Hardware Dev Center
MIT License

PARTNER_CENTER_HTTP_EXCEPTION #46

Closed billziss-gh closed 1 year ago

billziss-gh commented 1 year ago

I am attempting to configure and use SDCM to manage attestation submissions for WinFsp. Unfortunately when I run SDCM with options -v --list=product I receive the following error (after some delay):

SurfaceDevCenterManager v1.0.0.1
> List Option product

============================================================
        SurfaceDevCenterManager Exception Log
Option:          ListOption
Section:         GetProducts
Type:            System.OperationCanceledException
Message:         The operation was canceled.
Inner Exception:
Correlation Id:  2fe75310-6bc4-4398-8763-318bfa7bf939
============================================================

Correlation Id: 2fe75310-6bc4-4398-8763-318bfa7bf939
Return: -1000 (PARTNER_CENTER_HTTP_EXCEPTION)

Running Fiddler with HTTPS decryption reveals that manage.devcenter.microsoft.com has failed with a 500 error:

Request:

GET https://manage.devcenter.microsoft.com/v2.0/my/hardware/products HTTP/1.1
MS-CorrelationId: 2fe75310-6bc4-4398-8763-318bfa7bf939
MS-RequestId: fa425da9-a991-4080-bf08-51de0c1f5bf5
Authorization: Bearer
Host: manage.devcenter.microsoft.com

Response:

HTTP/1.1 500 Internal Server Error
Content-Length: 111
Content-Type: application/json
Date: Thu, 02 Feb 2023 16:06:49 GMT

{ "statusCode": 500, "message": "Internal server error", "activityId": "ee5ccfba-9034-4e63-866e-7d8f3c58023b" }

The Authorization: Bearer header looks incorrect to me. So this is likely some auth misconfiguration on my part, although I have populated authconfig.json as per the instructions in your README. (I note that some of the README instructions do not appear to match the administration user interface as it is currently presented by the hardware dashboard.)

My authconfig.json:

[
  {
    "tenantId": "XXXX",
    "clientId": "YYYY",
    "key": "ZZZZ",
    "url": "https://manage.devcenter.microsoft.com",
    "urlPrefix": "v2.0/my"
  }
]

billziss-gh commented 1 year ago

FYI some further debugging into the guts of Microsoft.Devices.HardwareDevCenterManager.Utility.AuthorizationHandler reveals that the error is 900023.

And yet (I think) I have specified the correct tenantId as reported by the Partner Center UI.

Ben-Carpenter commented 1 year ago

Hey @billziss-gh, if you are using a valid GUID for the tenant ID then that should be correct.

  1. You've associated your app registration in Partner Center?
  2. Have you verified the credentials are being passed into the call correctly?
  3. Have you been able to make any other calls successfully? Partner Center API service can have intermittent issues from time to time, which would also provide a 500.

[
  {
    "clientId": "guid",
    "key": "string",
    "tenantId": "guid",
    "url": "https://manage.devcenter.microsoft.com",
    "urlPrefix": "v2.0/my"
  }
]

Could you provide more information or a link to the docs in regard to your comment

> the administration user interface as it is currently presented by the hardware dashboard

If you feel you have everything configured correctly and are still having issues, you may need to contact Partner Center Support.

billziss-gh commented 1 year ago

> Hey @billziss-gh, if you are using a valid GUID for the tenant ID then that should be correct.

I am using the same "tenant" GUID as it appears in both the "Microsoft Partner Center", but also "Microsoft Azure Portal" at portal.azure.com.

> 1. You've associated your app registration in Partner Center?

I am uncertain what that means.

I have a (double) app registration that looks like pic below:

image

(FYI I only did a single app registration.)

> 2. Have you verified the credentials are being passed into the call correctly?

I have used the debugger to trace through the ObtainAccessToken method in Microsoft.Devices.HardwareDevCenterManager.Utility.AuthorizationHandler and it appears to me that the tenantId, clientId and key are copied correctly. Nevertheless this call fails with status code 400 and content:

"{\"error\":\"invalid_request\",\"error_description\":\"AADSTS900023: Specified tenant identifier 'XXXX' is neither a valid DNS name, nor a valid external domain.\\r\\nTrace ID: 996b0fb1-5da4-48ef-a29b-a30353aa0a00\\r\\nCorrelation ID: 9f7ea65b-b857-43c4-b034-62d817581d40\\r\\nTimestamp: 2023-02-02 18:12:17Z\",\"error_codes\":[900023],\"timestamp\":\"2023-02-02 18:12:17Z\",\"trace_id\":\"996b0fb1-5da4-48ef-a29b-a30353aa0a00\",\"correlation_id\":\"9f7ea65b-b857-43c4-b034-62d817581d40\",\"error_uri\":\"https://login.microsoftonline.com/error?code=900023\"}"

> 3. Have you been able to make any other calls successfully?

No.

> Could you provide more information or a link to the docs in regard to your comment

I do not recall all the details, but (I think that) the docs do not mention the "Reply URL" and "App ID URI" fields required for app registration.


BTW this account was automatically migrated from the original sysdev portal. I am not sure if this makes any difference.

Ben-Carpenter commented 1 year ago

For number 1, yes that is what I was referring to. Looks like you do have the Azure AD Apps Type. I would reach out to Partner Center support and see if they can clarify anything further about your account and registered app.

Here is the link, if you need it. Learn \ Partner Center Docs \ Help + support \ Get help and contact support in Partner Center

With the latest release I am able to run commands without any issues. Maybe try the call from Postman and see if you get the same result.

billziss-gh commented 1 year ago

@Ben-Carpenter thanks. I will contact support.

Regarding the "Reply URL" and "App ID URI" fields that were requested during registration do you have any advice what to use? I used http://localhost for "Reply URL" and api://SDMC for "App ID URI". Perhaps you have better suggestions?

Ben-Carpenter commented 1 year ago

There are different options for passing the creds to the DevCenterCredentialsHandler to get a valid token which is handled by the tool to use in the AuthorizationHandler. To the best of my knowledge, nothing is required for the App Registration > Platform configurations if using this tool as-is.

billziss-gh commented 1 year ago

It turns out that if I use the tenant domain name (i.e. MYCOMPANYNAME.onmicrosoft.com) instead of the tenant GUID, I am able to retrieve a token and use the API.

Now this may be because I messed up with lots of app settings in the Azure portal. But at least that's progress!

Ben-Carpenter commented 1 year ago

Good to hear! Thanks for reporting back in case others run into the same issue. I will go ahead and close this one out for now.
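
A pre-flight check for the authconfig.json layout posted in this thread, as an added example that is not part of the original issue or the SDCM code base: it flags entries whose tenantId is neither a well-formed GUID nor a DNS name before any token request is made, and extracts the AADSTS code from a token-endpoint error body like the one quoted above. The GUIDs, domain and shortened error body are constructed sample values; the check is syntactic only and cannot tell whether a well-formed GUID will be accepted by the service.

```python
import json
import re

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Two or more DNS labels, e.g. contoso.onmicrosoft.com
DNS_RE = re.compile(
    r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")

def _text(entry, field):
    """Return the field as a string, or '' when missing or not a string."""
    value = entry.get(field)
    return value if isinstance(value, str) else ""

def check_entry(entry):
    """Return a list of syntactic problems in one authconfig.json entry."""
    problems = []
    tenant = _text(entry, "tenantId")
    if tenant != tenant.strip():
        problems.append("tenantId has leading/trailing whitespace")
    elif not (GUID_RE.fullmatch(tenant) or DNS_RE.fullmatch(tenant)):
        problems.append("tenantId is neither a GUID nor a DNS name")
    if not GUID_RE.fullmatch(_text(entry, "clientId")):
        problems.append("clientId is not a GUID")
    if not _text(entry, "key"):
        problems.append("key is empty")
    if not _text(entry, "url").startswith("https://"):
        problems.append("url is not https")
    return problems

def aad_error_codes(body):
    """Extract numeric AADSTS codes from a token-endpoint error body."""
    try:
        return json.loads(body).get("error_codes", [])
    except (ValueError, AttributeError):
        return []

# Constructed sample values (not taken from the thread).
GUID = "11111111-2222-3333-4444-555555555555"
BASE = {"clientId": GUID, "key": "constructed-secret",
        "url": "https://manage.devcenter.microsoft.com", "urlPrefix": "v2.0/my"}
SAMPLE_CONFIG = [dict(BASE, tenantId=t) for t in
                 (GUID, "contoso.onmicrosoft.com", "{" + GUID + "}", GUID + " ")]
SAMPLE_ERROR = '{"error": "invalid_request", "error_codes": [900023]}'

if __name__ == "__main__":
    for entry in SAMPLE_CONFIG:
        # Report problems by tenantId only; never print the key.
        print(repr(entry["tenantId"]), check_entry(entry) or "ok")
    print("AADSTS codes:", aad_error_codes(SAMPLE_ERROR))
```
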