Closed klawrawkz closed 1 year ago
Seeing the same starting within the past few days. Behavior is that sign-in to Azure Account extension via browser Window looks normal and appears to be successful, but VS Code isn't aware, can't view any Azure resources using any extension.
VS Code Version: 1.74.3 (user setup) Extension Version: 0.11.3 OS: Windows_NT x64 10.0.22621
@klawrawkz
Could you try editing the NO_PROXY environment variable to contain login.microsoftonline.com instead of login.microsoft.com and try again? There was a typo in the workaround doc which has been fixed now. Sorry about that.
Also, if you are using a Microsoft-associated account to sign in, then I would also try switching the authentication library to MSAL and see if that fixes it.
You can change this by going to Settings and searching for "Authentication Library"
Also, what method did you use to capture these network requests? I'm still searching for the best way to ask users to capture them.
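The NO_PROXY typo mentioned above can be checked mechanically. The following Node.js sketch is an added example, not code from the extension or from anyone in this thread; it assumes the common curl-style matching convention (exact host or domain suffix, optional port, `*` wildcard), which the extension's own proxy handling may not follow, and the sample values are constructed.

```javascript
// Added example: does a NO_PROXY value cover the hosts the sign-in flow talks to?
// Matching rules are the common curl-style convention (an assumption).

function parseNoProxy(value) {
  return (value || "")
    .split(/[\s,]+/)
    .map((e) => e.trim().toLowerCase())
    .filter(Boolean)
    .map((entry) => {
      // Split an optional ":port" suffix off the entry.
      const m = entry.match(/^(.*?)(?::(\d+))?$/);
      // ".example.com" and "*.example.com" both mean the suffix "example.com".
      const host = m[1].replace(/^\*?\./, "");
      return { host, port: m[2] ? Number(m[2]) : null };
    });
}

function isBypassed(hostname, port, noProxyValue) {
  const host = hostname.toLowerCase();
  return parseNoProxy(noProxyValue).some((e) => {
    if (e.port !== null && e.port !== port) return false;
    if (e.host === "*") return true;
    // Require a label boundary so "notexample.com" does not match "example.com".
    return host === e.host || host.endsWith("." + e.host);
  });
}

// Hosts that appear in the traces on this page.
const AUTH_HOSTS = ["login.microsoftonline.com", "management.azure.com"];

function auditNoProxy(noProxyValue, hosts = AUTH_HOSTS) {
  return hosts.map((h) => ({ host: h, bypassed: isBypassed(h, 443, noProxyValue) }));
}

// Constructed sample values: the typo from the old workaround doc and the fix.
const typoValue = "localhost,127.0.0.1,login.microsoft.com";
const fixedValue = "localhost,127.0.0.1,login.microsoftonline.com";

for (const [label, value] of [["typo", typoValue], ["fixed", fixedValue]]) {
  console.log(label, JSON.stringify(auditNoProxy(value)));
}
```

With the typo value the login host is still routed through the proxy, which is why the workaround appeared to do nothing.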
No proxies in use. I was actually able to get it to work by installing the system-wide version and running as a different user, one not currently logged into a different M365 account in the default browser. Seems the issue was credential caching in the browser (even though I was selecting the correct account when prompted). Should be good for now, thanks!
No proxies in use. I was actually able to get it to work by installing the system-wide version and running as a different user, one not currently logged into a different M365 account in the default browser. Seems the issue was credential caching in the browser (even though I was selecting the correct account when prompted). Should be good for now, thanks!
@John-Vance thanks for following up. Since this is an issue we see a lot, I'd like to know more about your particular fix.
When you say "installing the system-wide version and running as a different user," are you referring to installing a system-wide version of VS Code and running VS Code as a different user?
Yes, correct. I need to use VS Code with a different AAD account than the one I'm signed into Windows and Edge with. When the Azure Account extension was launching the login picker in the browser, I could choose to sign in with a different account, but that resulted in the reported behavior. Uninstalling VS Code from my user profile and reinstalling system-wide allowed me to 'run as' the correct user, and opened a new browser session as that user when prompting for Azure credentials. Works fine this way, but not sure why it wasn't tolerant of multiple credential sets in a single browser session.
@alexweininger, The MSAL auth worked for me. Thanks.
As an aside I was able to recreate the symptoms by using a proxy server with support for TLS 1.0 rather than TLS 1.0, 1.2, and 1.3. So it seems that a misconfigured proxy server could trigger the issue if the auth endpoint does not accept the TLS version supported by the proxy server.
Thanks for letting us know that fix worked!
Hi there. My name is klawrawkz. I am fine. How are you? I'll be sure to remove any info that may be sensitive.
The AA(Ex) (Azure Account (Extension)) is reliably not working correctly. On a few occasions I got it to authenticate, but it was flakey as hell and didn't return all our subscriptions. That's odd.
Q: Does this occur consistently? A: Yes
Repro steps:
Attempt to log on automatically when VS Code launches on a Win 2022 Svr dev box.
Verify TLS/Cipher updated as per guidance e.g. https://go.microsoft.com/fwlink/?linkid=2161187
Employ the $Env:NO_PROXY += Solution as per the "Troubleshooting" guidance.
Attempt to log in via VS Code F1 > Azure: Sign In, and Azure authenticates me for sure.
AA(Ex) does not get the memo, failing to accept the authentication.
YUP.
Same scenario using alternate "log in with a code" method.
Does AA(Ex) need to specify TLS version? I'd think no, it doesn't do that. Perhaps the failure is due to AA(Ex) sending an invalid login request? Or AA(Ex) misreading the auth claim that is produced when an end user completes the login via HTTPS Form post? It's unclear to me where TLS/Cipher settings are determined to be incorrect or unsafe and therefore rejected. It appears as though we conduct an otherwise valid authentication process. Clearly the auth server is not receiving (or believes it's not receiving) data via the expected TLS/CIPHER. This is confusing because we have it enabled. However, VS Code (PowerShell) does succeed in authentication with its auth server. This is a different auth server though. Does this server not require TLS 1.2/1.3? I'd need to run Wireshark to dig into this further. I'm confused as to where this error originates b/c I don't understand the AA(Ex)'s logic nor how the request is issued. It seems to me that it's probably a standard HTTP(S) client framework.
Below are comprehensive traces of the event. I include a successful authentication from the VS Code PowerShell extension. See below traces of the AA(Ex) failure event and contrasting success event from VS Code PowerShell.
Path : HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 Name : SchUseStrongCrypto Value : 1
Path : HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Name : SystemDefaultTlsVersions Value : 1
Path : HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Name : SchUseStrongCrypto Value : 1
Path : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Name : Enabled Value : 1
Path : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server Name : DisabledByDefault Value : 0
Path : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Name : Enabled Value : 1
Path : HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client Name : DisabledByDefault Value : 0
GET https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=&redirect_uri=https%3A%2F%2Fvscode.dev%2Fredirect&state=http%3A%2F%2F127.0.0.1%3A52308%2Fcallback?nonce=gAxJh3e1mX%2FMQEk4ALy8vA%3D%3D&prompt=select_account HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7
Cookie: x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA|NoExtension; esctx=AQABAAAAAAD--; brcap=0; ESTSSSOTILES=1; AADSSOTILES=1; flight-githubsi=true; flight-msaoauth2=true; ESTSLOGOUTREDIRECT=MDtodHRbC5henVyZS5jb20vP3NlbGVjdEFjY291bnQ9dHJ1ZTtUcnVl; CCState=RWhJS0VFMZnJiRG0zSkVzPQ==; MSFPC=GUID=5579137fa3e50&HASH=5579&LV=202212&V=4&LU=1670386001812; wlidperf=FR=L&ST=1672437674796; ESTSSC=10; ESTSWCTXFLOWTOKEN=AQABAAEAAAD--DLA; clrc={%22%3a[%229Ou+MAjD%22]%2c%222%3a[%228gfwFLor%22]%2c%2219378%22%3a[%223mgup1q/%22%2c%22ecR17i36%22%2c%2kI%22%2c%22+SjF/0ga%22%2c%22dMtbH4Ix%22]}; ESTSAUTHPERSISTENT=0.ARcA3ljRgAe1U0; ch=oixTbk; buid=0.ARcA3ljRgAe1U0CUfDWmaRZyBpV3sATbjRpGu-4C-eG_e0YXABY.AQABAAEAAAD--DLA3VO7QrddgJg7WevrClVdGQk4mn4-mxTYvm8vh87_i6j7mBqn3JILIBJceQ7NS9SD0S2shTo_NldNW85GSqlv2ylf2FvoDoL7QOKckunKWWhlKa0BPSxp0CbO0i9N784dPpKX9STN53ZWoFEDEEmxsw0NRUSksgv256B-2vRZzfgVcYmRd0TIhUmxKnQgAA; SignInStateCookie=CAgA; fpc=AgA-3I_Y53FLnIN5-249YjT_SEScAQAAAIYtXdsOAAAAYyF3ZAIAAACaLF3bDgAAAHkQkgcBAAAAgy1d2w4AAAA

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-Frame-Options: DENY
Link: https://aadcdn.msftauth.net; rel=preconnect; crossorigin
Link: https://aadcdn.msftauth.net; rel=dns-prefetch
Link: https://aadcdn.msauth.net; rel=dns-prefetch
X-DNS-Prefetch-Control: on
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: 95263139-5bc7-482a-b9f5-01e179c66d00
x-ms-ests-server: 2.1.14357.8 - SCUS ProdSlices
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: ESTSAUTHPERSISTENT=0.ARcA3ljRgDZlM; domain=.login.microsoftonline.com; expires=Fri, 21-Apr-2023 00:49:32 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=0XyA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+a7ff01a5a; path=/; secure; SameSite=None
Set-Cookie: ch=Hhe_Y9vpjHstBY1TVrzHOcVG4pk5DKP_6wvTIYvLUOE; domain=.login.microsoftonline.com; expires=Fri, 21-Apr-2023 00:49:32 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=10; expires=Fri, 21-Apr-2023 00:49:32 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=0.ARcA3ljRgAe1U0CUfDWmaRZyBpV3sATbjRpGu-4C-eG_e0YXABY.AQABAAEAAAD--DLA3VO7QrddgJg7WevrvZCbEbJ7rJkOTORNxbjQa5wIqU5Lphbp54DRrUb3zLR2tT3DIVd8nvMC-xLIb328mbvmqvOB-1S8mLUFRF5IeUVwV6egvo61Lr6crNVE8AgD3z4wEzGZBdTe2nu5tDh5o-lUOK3BHfupnt5JZSm0HjVoBTgl7TGFCAtDyITKSt4gAA; expires=Mon, 20-Feb-2023 00:49:32 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=AgA-3I_Y53FLnIN5-249YjT_SEScAQAAAIYtXdsOAAAADmKToAEAAACbLV3bDgAAAHkQkgcBAAAAgy1d2w4AAAA; expires=Mon, 20-Feb-2023 00:49:33 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Date: Sat, 21 Jan 2023 00:49:32 GMT
Content-Length: 43528
<!DOCTYPE html>
GET https://login.microsoftonline.com/common/reprocess?ctx=rAA2&sessionid=a722 HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=&redirect_uri=https%3A%2F%2Fvscode.dev%2Fredirect&state=http%3A%2F%2F127.0.0.1%3A52308%2Fcallback?nonce=gAxJh3e1mX%2FMQEk4ALy8vA%3D%3D&prompt=select_account
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7
Cookie: x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA|NoExtension; esctx=AQABggAA; brcap=0; ESTSSSOTILES=1; AADSSOTILES=1; flight-githubsi=true; flight-msaoauth2=true; ESTSLOGOUTREDIRECT=MDtodHRnVl; CCState=RWhPQ==; MSFPC=GUID=5579137f4e774a59a7ac041309da3e50&HASH=5579&LV=202212&V=4&LU=1670386001812; wlidperf=FR=L&ST=1672437674796; ESTSSC=10; ESTSWCTXFLOWTOKEN=; buid=0.ARcA3ljRgAe1U0CUfDWmaRZyBpV3sATbjRpGu-4C-eG_e0YXABY.AQABAAEAAAD--DLA3VO7QrddgJg7WevrvZCbEbJ7rJkOTORNxbjQa5wIqU5Lphbp54DRrUb3zLR2tT3DIVd8nvMC-xLIb328mbvmqvOB-1S8mLUFRF5IeUVwV6egvo61Lr6crNVE8AgD3z4wEzGZBdTe2nu5tDh5o-lUOK3BHfupnt5JZSm0HjVoBTgl7TGFCAtDyITKSt4gAA; fpc=AgA-3I_Y53FLnIN5-249YjT_SEScAQAAAIYtXdsOAAAADmKToAEAAACbLV3bDgAAAHkQkgcBAAAAgy1d2w4AAAA

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: https://vscode.dev/redirect?code=&state=http%3a%2f%2f127.0.0.1%3a52308%2fcallback%3fnonce%3d%3d%3d&session_state=a7ff0158-6c2c-4eb1-aef4-97faed707922
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: 2508d35a-0b75-4990-9527-c8e426d9b500
x-ms-ests-server: 2.1.14357.8 - WUS2 ProdSlices
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: ESTSAUTHPERSISTENT=; domain=.login.microsoftonline.com; expires=Fri, 21-Apr-2023 00:49:35 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=0.ARcA3ljRgAe1U0CUfDWmaRZyBkNkvK5tmcJFkPA4j_lvqlYXABY.AgABAAQAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P-JJzDcaqNRHzR-kJk3VMeK2pEuJDEfM3QuCQu0aXZBJz46eGyuUSjvOl2jBhYDLDzwn47LNcE6BQ; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=; path=/; secure; SameSite=None
Set-Cookie: ch=FmIhCvZWlU5fGntnvl2Kjjq-cswYX3cFhTZzgTeNyng; domain=.login.microsoftonline.com; expires=Fri, 21-Apr-2023 00:49:35 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=10; expires=Fri, 21-Apr-2023 00:49:35 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=0.ARcA3ljRgAe1U0CUfDWmaRZyBkNkvK5tmcJFkPA4j_lvqlYXABY.AQABAAEAAAD--DLA3VO7QrddgJg7WevroT55pFFtijvbLSmobbwo4UP1kUztbRcBxCMz5sqJmo51LCZQt8FdZEeQXumW6CdF_lQolTOfT2uNn7lnrrJmlKKS-V0yM5Eobl5rl1NmhOQoyCX3HupbnBxi8BBwNNcIj6t1f2Yb48bI_wOHKhUk4bUZejHJriGgackrlfc33tggAA; expires=Mon, 20-Feb-2023 00:49:35 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: CCState===; domain=.login.microsoftonline.com; expires=Tue, 31-Jan-2023 00:49:35 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=AgA-3I_Y53FLnIN5-249YjT_SEScAQAAAIYtXdsOAAAADmKToAEAAACbLV3bDgAAAGMhd2QBAAAAny1d2w4AAAA; expires=Mon, 20-Feb-2023 00:49:35 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Date: Sat, 21 Jan 2023 00:49:35 GMT
Content-Length: 1022
Object moved to here.

POST https://login.microsoftonline.com/common/oauth2/token?api-version=1.0 HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Accept-Charset: utf-8
client-request-id: f868af5a-f389-4ec0-b7b4-8495b5b184d8
return-client-request-id: true
x-client-SKU: Node
x-client-Ver: 0.2.3
x-client-OS: win32
x-client-CPU: x64
User-Agent: axios/0.21.4
Content-Length: 1058
host: login.microsoftonline.com
Connection: close

grant_type=refresh_token&scope=openid&client_id=aeb56&resource=https%3A%2F%2Fmanagement.core.windows.net%2F&refresh_token=

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: f868af5a-f389-4ec0-b7b4-8495b5b184d8
x-ms-request-id: 3530e18a-230b-4f51-b4fa-070e65949700
x-ms-ests-server: 2.1.14357.8 - EUS ProdSlices
x-ms-clitelem: 1,0,0,140.7506,
Set-Cookie: fpc=; expires=Mon, 20-Feb-2023 00:49:36 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Sat, 21 Jan 2023 00:49:36 GMT
Connection: close
Content-Length: 5561
{"token_type":"Bearer","scope":"user_impersonation","expires_in":"3804","ext_expires_in":"3804","expires_on":"1674265981","not_before":"1674261876","resource":"https://management.core.windows.net/","access_token":"eyJ0eXAiOiJKnTd9avg","refresh_token":"0.ARcA3ljRgAe1U0CUfD6IjEuMCJ9."}

GET https://management.azure.com/tenants?api-version=2016-06-01 HTTP/1.1
content-type: application/json; charset=utf-8
accept-language: en-US
x-ms-client-request-id: 12fbad2576660781
authorization: Bearer eyJ0eXAiOiJKV1QWiqSqNUHwnqHANoGnTd9avg
user-agent: @azure/arm-subscriptions/3.1.2 ms-rest-azure-js/2.1.0 ms-rest-js/2.6.0 Node/v16.14.2 OS/(x64-Windows_NT-10.0.20348)
cookie:
Accept: */*
Accept-Encoding: gzip,deflate
Host: management.azure.com
Connection: close

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id: 0bce750c-e173-41ef-bcf8-3693c2a71d2e
x-ms-correlation-request-id: 0bce750c-e173-41ef-bcf8-3693c2a71d2e
x-ms-routing-request-id: EASTUS:20230121T004937Z:0bce750c-e173-41ef-bcf8-3693c2a71d2e
Date: Sat, 21 Jan 2023 00:49:36 GMT
Connection: close
Content-Length: 221

{"value":[{"id":"/tenants/80d15206","tenantId":"80d206"},{"id":"/tenants/b6d4a01","tenantId":"b6d4a01"}]}