Azure-sdk-for-net: [BUG] DefaultAzureCredential failed to retrieve a token from the included credentials

Created on 20 Nov 2020 · 3 Comments · Source: Azure/azure-sdk-for-net

Describe the bug
After switching from Azure.Identity 1.2.0 to Azure.Identity 1.3.0 I get the following error while debugging my ASP.NET Core 3.1.8 application:

DefaultAzureCredential failed to retrieve a token from the included credentials.
- ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
- SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a developer tool that supports Azure single sign on.
- Process "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\b1hwzg3d.j4s\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'AADSTS500011: The resource principal named https://database.windows.net/default was not found in the tenant named X. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Timestamp: 2020-11-20 12:14:23Z'

While using Azure.Identity 1.2.0 I already had issues with the following bug: https://github.com/Azure/azure-sdk-for-net/issues/14691

Now what I am doing:

I switched our application and resources to the use of managed identities. For debugging I am using the "Azure Service Authentication" option in Visual Studio 2019. The error does not occur in a deterministic timeframe. Sometimes my application works for about an hour without problems and sometimes the error occurs after a few minutes.

This is a snippet where I get the exception:

    if (Database.GetDbConnection() is Microsoft.Data.SqlClient.SqlConnection conn)
    {
        // Build the credential chain, skipping the CLI and VS Code credentials
        var tokenCredential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
        {
            ExcludeAzureCliCredential = true,
            ExcludeVisualStudioCodeCredential = true,
        });

        // Acquire an AAD token for Azure SQL and hand it to the SqlConnection
        var context = new TokenRequestContext(new[] { "https://database.windows.net/default" });
        var tokenResponse = tokenCredential.GetToken(context);
        conn.AccessToken = tokenResponse.Token;
    }

I experimented with the DefaultAzureCredentialOptions, but it makes no difference whether I use the DefaultAzureCredentialOptions or not:

    if (Database.GetDbConnection() is Microsoft.Data.SqlClient.SqlConnection conn)
    {
        // Same flow with the default credential chain
        var tokenCredential = new DefaultAzureCredential();

        var context = new TokenRequestContext(new[] { "https://database.windows.net/default" });
        var tokenResponse = tokenCredential.GetToken(context);
        conn.AccessToken = tokenResponse.Token;
    }

After a while my application crashes.

Environment:

  • Azure.Identity 1.3.0
  • Windows 10 20H2 with .NET Core 3.1.8
  • Visual Studio 2019 Version 16.8.2
Labels: Azure.Identity, Client, customer-reported, needs-team-attention, question

All 3 comments

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@AliGuemues thanks for filing this issue. Sorry you're having this trouble. Looking at the error message it seems that the VisualStudioCredential is failing with the following error, which is complaining about the scope that you've passed in, "https://database.windows.net/default".

Process "C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\b1hwzg3d.j4s\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'AADSTS500011: The resource principal named https://database.windows.net/default was not found in the tenant named X. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant'

I believe the scope you meant to specify is "https://database.windows.net/.default" (note the . before default). If you update the scope do you still see authentication failures?
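The corrected scope from the comment above, as an added example that is not part of the issue or of the SDK: a small helper (hypothetical name SqlTokenHelper) that builds the ".default" scope from the resource URI, acquires the token asynchronously and attaches it to the SqlConnection, and surfaces the scope in the error if acquisition fails.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Added example, not code from the issue or the SDK.
public static class SqlTokenHelper
{
    // Azure SQL resource identifier; the v2.0 scope is "<resource>/.default".
    public const string SqlResource = "https://database.windows.net/";

    // Builds the ".default" scope for a resource, tolerating a trailing slash.
    // "https://database.windows.net/" -> "https://database.windows.net/.default"
    public static string ToDefaultScope(string resource)
    {
        if (string.IsNullOrWhiteSpace(resource))
            throw new ArgumentException("resource must not be empty", nameof(resource));

        var trimmed = resource.TrimEnd('/');
        return trimmed.EndsWith("/.default", StringComparison.Ordinal)
            ? trimmed
            : trimmed + "/.default";
    }

    // Acquires a token for Azure SQL and sets it on the connection before Open().
    public static async Task AttachTokenAsync(SqlConnection conn, TokenCredential credential,
        CancellationToken ct = default)
    {
        var scope = ToDefaultScope(SqlResource);
        try
        {
            AccessToken token = await credential.GetTokenAsync(
                new TokenRequestContext(new[] { scope }), ct);
            conn.AccessToken = token.Token;
        }
        catch (AuthenticationFailedException ex)
        {
            // Include the scope so a wrong value (e.g. "/default") is obvious in logs.
            throw new InvalidOperationException(
                $"Token acquisition failed for scope '{scope}'", ex);
        }
    }
}
```

Usage: call AttachTokenAsync(conn, new DefaultAzureCredential()) before conn.Open(); the credential chain is the same as in the snippets above, only the scope differs.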

@schaabs thanks for your quick response. I changed the scope of the URL as you mentioned and it seems to work. I tested my application for about an hour without any problems.

So it's my fault for not checking the URL of the scope. But I am wondering why this was working with the wrong scope URL for quite some time and failed in a non-deterministic timeframe. I set breakpoints on the code and there was no exception for, let me guess, a hundred times, and then the exception occurred.

Do you have any explanation for this behaviour?

Greetings
