Hi,
I would like to know if this is expected behavior as per documentation:
The user isn’t assigned a role in the Azure AD cluster application. Thus, Azure AD authentication fails on Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication.
During my tests I logged in to the Service Fabric Cluster Explorer endpoint with an AAD account not added to the AAD application and received an AADSTS50105 access denied error, which is expected. However, there should then be a certificate authentication fallback, which is not happening.
I have both AAD apps configured properly and user certificate added to the key vault.
@mjazwiecki Thanks for the Comment. We are actively investigating and will get back to you soon.
any news on this?
@mjazwiecki We are still awaiting information from the back-end team on this. We will keep the thread updated once we have more information.
@mjazwiecki Hope you are good. We are sorry that it is taking time to get an answer for you. However, I just wanted to ask whether you have tried checking the behavior in a cookie-isolated session in any of the browsers (InPrivate, Incognito, etc.)? I am asking this because if for any reason the cert auth prompt does not come up or has been ignored the first time, it would not prompt again and it will fail. Could you please check the same once?
@mjazwiecki I have received some advice from the backend and there are a few situations where fallback may not happen.
If you are in any of the above situations, then I believe the above clarifies your query, but if your setup does not conform to any of the above issues then I think it would be due to some other issue.
Also, it would be great if you could provide some information on how you are trying to log on to the Service Fabric cluster endpoint and which port you are targeting: 19000 or 19080? Please let us know and we will continue the conversation. If you have been able to fix the same, please do share your findings, which can be helpful to the community.
@shashishailaj thanks for this. I found that indeed, when user assignment is required there is no fallback to certificates, which was the main issue. Just to add - and this might be helpful for others as well - this is only the case for explorer endpoint (by default on port 19080). For client connection endpoint (default 19000) you would still be able to connect using certificates even though AAD is configured, which apparently is expected behaviour (but not well documented).
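As an added illustration (not part of this thread or of the Service Fabric docs), the following PowerShell probe presents the same client certificate to both endpoints so the difference described above can be observed directly; the cluster FQDN and thumbprints are placeholders you must replace, and the cluster's server certificate is assumed to be trusted by the machine running the script.

```powershell
# Added example, not from the thread: probe both Service Fabric endpoints with one client
# certificate to see which accepts certificate auth when AAD is configured.
$ClusterFqdn      = 'mycluster.westeurope.cloudapp.azure.com'   # placeholder
$ClientThumbprint = '<client-cert-thumbprint>'                  # placeholder
$ServerThumbprint = '<server-cert-thumbprint>'                  # placeholder

# 1) Explorer / REST gateway (19080). With AAD enabled and user assignment required,
#    an account that is not assigned to the cluster application gets no certificate
#    fallback here, so this request is expected to fail with an authentication error.
$cert = Get-ChildItem "Cert:\CurrentUser\My\$ClientThumbprint"
$uri  = "https://${ClusterFqdn}:19080/`$/GetClusterHealth?api-version=6.0"
try {
    $r = Invoke-WebRequest -Uri $uri -Certificate $cert -UseBasicParsing
    "19080 with client cert: HTTP $($r.StatusCode) (certificate accepted)"
} catch {
    "19080 with client cert: $($_.Exception.Message)"
}

# 2) Client connection endpoint (19000). Certificate auth is still honoured here even
#    though AAD is configured, so this connection is expected to succeed.
Connect-ServiceFabricCluster -ConnectionEndpoint "${ClusterFqdn}:19000" `
    -X509Credential -ServerCertThumbprint $ServerThumbprint `
    -FindType FindByThumbprint -FindValue $ClientThumbprint `
    -StoreLocation CurrentUser -StoreName My
Get-ServiceFabricClusterHealth | Select-Object AggregatedHealthState
```

Run it from a machine that holds the client certificate in the CurrentUser\My store and has the Service Fabric SDK installed; if only the 19000 step succeeds, you are seeing the behaviour this thread describes.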
@mjazwiecki Thank you for sharing the same. I will look into the documentation part and see how best the existing content can be modified to incorporate these findings.