We're currently using this library to access an Azure KeyVault in an ASP.NET Core 2.x app. For now only in development mode. So the access token is obtained through Azure CLI, behind the scenes.
This seems to work fine most of the time, but at least a couple of times a week it throws the following exception:
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/00461629-1df0-4d1c-9464-0d684ec042fb. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/00461629-1df0-4d1c-9464-0d684ec042fb. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/00461629-1df0-4d1c-9464-0d684ec042fb. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Users\maike\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/00461629-1df0-4d1c-9464-0d684ec042fb. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. Process took too long to return the token.
The last part seems to describe the problem: Azure CLI seems to have taken too long to return the token. When restarting the application it works fine (because Azure CLI probably caches the token and returns much quicker).
Could the timeout be extended by default, or at least be configurable? A retry mechanism would also work.
We implemented the following workaround. The following snippets are taken from an ASP.NET Core 2.x app, where we add the KeyVault as part of the app configuration (through the ConfigurationBuilder class):
Old:
``` c#
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
builder.AddAzureKeyVault(keyVaultUrl, keyVaultClient, new DefaultKeyVaultSecretManager());
```
New:
``` c#
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=Developer; DeveloperTool=AzureCli");
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(GetToken));
builder.AddAzureKeyVault(keyVaultUrl, keyVaultClient, new DefaultKeyVaultSecretManager());

// Try 3 times and throw exception if 3rd time was not successful.
async Task<string> GetToken(string authority, string resource, string scope)
{
    for (var i = 0; i < 2; i++)
    {
        try
        {
            return await azureServiceTokenProvider.KeyVaultTokenCallback(authority, resource, scope).ConfigureAwait(false);
        }
        catch (AzureServiceTokenProviderException) { }
    }
    return await azureServiceTokenProvider.KeyVaultTokenCallback(authority, resource, scope).ConfigureAwait(false);
}
```
Additionally I noticed that GetToken() in the New sample is called twice. Shouldn't AzureServiceTokenProvider call it once, and cache the result?
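A variant of the retry workaround in the post above, as an added example that is not part of the original post or of the AppAuthentication library: it retries only the Azure CLI timeout and fails immediately on the `interaction_required` (AADSTS50076) error quoted further down this thread. The class and method names are hypothetical, and the matched substrings are taken from the exception texts quoted on this page.

```csharp
using System;
using System.Threading.Tasks;

public static class DevTokenRetry
{
    // Substrings copied from the exception texts quoted in this thread.
    const string CliTimeout = "Process took too long to return the token";
    static readonly string[] NeedsUser = { "interaction_required", "AADSTS50076" };

    // True only for the transient Azure CLI timeout. An MFA/interaction demand
    // cannot succeed without the developer signing in again, so it is not retried.
    public static bool IsTransient(Exception ex)
    {
        var msg = ex.Message ?? string.Empty;
        foreach (var marker in NeedsUser)
            if (msg.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                return false;
        return msg.IndexOf(CliTimeout, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // acquire wraps any token source, for example
    // () => azureServiceTokenProvider.KeyVaultTokenCallback(authority, resource, scope)
    public static async Task<string> GetTokenAsync(
        Func<Task<string>> acquire, int maxAttempts = 3, int baseDelayMs = 500)
    {
        for (var attempt = 1; ; attempt++)
        {
            try
            {
                return await acquire().ConfigureAwait(false);
            }
            catch (Exception ex) when (attempt < maxAttempts && IsTransient(ex))
            {
                // Exponential backoff between attempts: 500 ms, then 1 s, ...
                await Task.Delay(baseDelayMs << (attempt - 1)).ConfigureAwait(false);
            }
        }
    }

    public static void Main()
    {
        // Constructed token source: times out twice, then succeeds.
        var calls = 0;
        Func<Task<string>> flaky = () => ++calls < 3
            ? Task.FromException<string>(new Exception("Tried to get token using Azure CLI. " + CliTimeout + "."))
            : Task.FromResult("constructed-token");
        Console.WriteLine(GetTokenAsync(flaky, baseDelayMs: 10).GetAwaiter().GetResult());
        Console.WriteLine($"attempts: {calls}");
    }
}
```

Any exception that is not the CLI timeout, and the timeout itself on the last attempt, propagates to the caller unchanged, so the original error text stays visible.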
@nphmuller Hi, have you resolved this issue?
@bubeee Still using the retry loop. Haven’t changed it since creating this issue.
@nphmuller hi,
Do you run into this issue in Visual Studio? If yes, be sure that you are authenticated in it with the appropriate account.
If no, I've managed to resolve that (adding Functions which consumed KeyVault to MSI https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity and then - provision access to KeyVault in its Access Policies).
Also, there is an issue which I've created, related to some other issue, but from this area.
https://github.com/Azure/azure-functions-host/issues/2852
Hope it'll help somehow..
@Bubeee Yes, I'm debugging through Visual Studio, but I use Azure CLI for the authentication. For now we only load the secrets during development time with the AzureServiceTokenProvider class. Staging and Production values we populate in our CI/CD environment for now.
So this issue is only during development time, which means MSI is not applicable.
Thanks for the help though. Appreciate it! :)
Hi
Even I am facing the same problem... Not able to rectify the problem
-$exception {Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/.... Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/.
Exception Message: Tried to get token using Visual Studio. Access token could not be acquired.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/.
Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. ERROR: Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'btfaa..........'.\r\nTrace ID: 65fbcb0b-34f7-48b9-96b4-8089993b5b00\r\nCorrelation ID: 181825e7-9625-4785-ae51-814d47778e31\r\nTimestamp: 2018-09-14 04:05:30Z","error_codes":[50076],"timestamp":"2018-09-14 04:05:30Z","trace_id":"65fbcb0b-34f7-48b9-96b4-8089993b5b00","correlation_id":"181825e7-9625-4785-ae51-814d47778e31","suberror":"basic_action"}
We have just started receiving the AzureServiceTokenProviderException when debugging a service fabric application.
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException
HResult=0x80131500
Message=Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/OurDirectoryId. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/OurDirectoryId. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/OurDirectoryId. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/OurDirectoryId. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired.
If we run the code within a unit test, it works just fine. We're pretty sure absolutely nothing has changed to cause this problem. Any suggestions?
This seems to be a credential issue. Your MSI setup depends on your AAD credentials. Make sure you can audit what user exactly is used to request the token via the Azure CLI.
Also I'm thinking is this supported in .NetCore?
Hi friends!
I had the same issue. We created a new tenant of Active Directory and created a key vault in this tenant. We also created the application, and added this application in the access policies of the key vault. So, I had that exception. I fixed it by changing the account tenant in Visual Studio, because Microsoft.Azure.Services.AppAuthentication uses the Visual Studio account credentials for access to the service.
Hi friends,
I have little ability to write fancy workaround code (my head is not there), but by what you said above, I harkened back to some old advice of:
In the tool bar at the top of your VS 2017 program go to: Tools, Options, Azure Service Authentication, Account Selection, click the drop arrow on the right of the Microsoft banner with your account name on it, click your account pop-up again...hard (really insist on it), and that worked.
I really feel like a "just fix it" here might be just fine for a lot of folks. Don't get me wrong, you girls(guys) know it better. Boy did I just want it to work (phew!) Thanks :)
I cannot believe this actually worked for me.
I did this on Visual Studio 2019 btw.
I am having the same error but I am confused because when I run the web app locally I am able to access the key vault, retrieve my connection string and connect to my database. Then I'll publish to Azure and the same code gives that whole "Tried the following 3 methods to get an access token, but none of them worked." error message. What could make it work locally but not on Azure? Any ideas?
Why did this just work for me? I'm happy it did, but I didn't change any settings so I don't understand why it worked lol.
@jmurphy35 Thanks, it did the trick for me too!
Still 10 seconds for me with all of the above using 1.3.0
The magic click worked for me too, VS 2019. Probably refreshes the token under the covers or something
The magic trick worked for me, too! 🎉 I honestly thought there was no way it'd work. I was wrong! 😂
This worked for me too, Thanks a Ton! VS2019 V16.3.3
That worked for me too on VS2019 v16.4.0 Preview 2.0 with .NET Core 3.0
It's magic!
Unbelievable, worked for me too 0/ using VS2019 .NET Core 2.2
I can't believe it even worked for me in VS 2019
In VS 2019, I had to sign in with a second account, select it under Tools > Options > Azure Service Authentication, then select my real account before Visual Studio fixed its behavior.
This magic trick worked for me too on version 1.4.0 of the package.
@jmurphy35 You're my hero
I cannot believe this worked!
Tried relogin and logout, but it didn't work. Clicking on the arrow a couple of times worked!!!
So stupid lol
@jmurphy35 Man you saved me a lot of frustration, thanks!
Worked for me!
That fixed it for me too.
Worked! Thanks help
Closing this out, as feedback appears to indicate that the problem has been resolved. Please feel free to reopen if you feel that there is further discussion needed.