visual-studio-2022 azure-service-fabric defaultazurecredential

Local Debug for Service Fabric application using DefaultAzureAuthentication in VS throws exception


We are trying to create a local environment for our application based on the guidelines here: https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/local-development-service-principal?tabs=azure-portal%2Cvisual-studio%2Ccommand-line

In order to authenticate to services, we are trying to use DefaultAzureCredential().

  • But a standalone DefaultAzureCredential was giving us the following exception:

    Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
    - EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
    - WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
    - ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
    Status: 400 (Bad Request)

    Content:
    {"error":"invalid_request","error_description":"Identity not found"}

    Headers:
    x-ms-request-id: 1f8909d1-e628-4d91-896b-50166142786a
    Content-Length: 68
    Content-Type: application/json; charset=utf-8
    Date: Tue, 19 Nov 2024 19:05:50 GMT
    Server: IMDS/150.870.65.1475

    - Visual Studio Token provider can't be accessed at C:\WINDOWS\system32\config\systemprofile\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json
    - Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot Traceback (most recent call last):
      File "runpy.py", line 196, in _run_module_as_main
      File "runpy.py", line 86, in _run_code
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/__main__.py", line 39, in <module>
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/__init__.py", line 917, in get_default_cli
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/azlogging.py", line 30, in <module>
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 25, in <module>
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/extension/__init__.py", line 18, in <module>
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 40, in __init__
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/util.py", line 115, in ensure_dir
      File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/util.py", line 112, in ensure_dir
      File "os.py", line 225, in makedirs
    PermissionError: [WinError 5] Access is denied: 'C:\\WINDOWS\\system32\\config\\systemprofile\\.azure'
    - Az.Accounts module >= 2.2.0 is not installed.
    - Azure Developer CLI could not be found. ---> System.AggregateException: Multiple exceptions were encountered while attempting to authenticate. ---> Azure.Identity.CredentialUnavailableException: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
       at Azure.Identity.EnvironmentCredential.<GetTokenImplAsync>d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Azure.Identity.EnvironmentCredential.<GetTokenAsync>d__11.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at Azure.Identity.DefaultAzureCredential.<GetTokenFromSourcesAsync>d__14.MoveNext()
       --- End of inner exception stack trace ---
       --- End of inner exception stack trace ---
       at Azure.Identity.DefaultAzureCredential.<GetTokenFromSourcesAsync>d__14.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Azure.Identity.DefaultAzureCredential.<GetTokenImplAsync>d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
       at Azure.Identity.DefaultAzureCredential.<GetTokenImplAsync>d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Azure.Identity.DefaultAzureCredential.<GetTokenAsync>d__11.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
       at Microsoft.Azure.Advisor.Common.Providers.AzureMSALAuthenticationProvider.<GetAccessTokenUtility>d__20.MoveNext() in C:\One\EngSys\EngSys-AzExpertBE\src\AzeCommon\Providers\AzureMSALAuthenticationProvider.cs:line 312
    
  • Tried to use DefaultAzureCredential with a credential option; that got me a bit further (auth failed for MFA here):

    Azure.Identity.AuthenticationFailedException: UsernamePasswordCredential authentication failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '2746ea77-4702-4b45-80ca-3c97e680e8b7'. Trace ID: a183be80-9b37-4d4b-b861-e7b104930d00 Correlation ID: 498902ed-d264-42b7-8e97-60001298377c Timestamp: 2024-11-18 23:03:41Z The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see https://aka.ms/msal-conditional-access-claims. If you are using the On-Behalf-Of flow, see https://aka.ms/msal-conditional-access-claims-obo for details.
    See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/usernamepasswordcredential/troubleshoot ---> Microsoft.Identity.Client.MsalClaimsChallengeException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '2746ea77-4702-4b45-80ca-3c97e680e8b7'. Trace ID: a183be80-9b37-4d4b-b861-e7b104930d00 Correlation ID: 498902ed-d264-42b7-8e97-60001298377c Timestamp: 2024-11-18 23:03:41Z The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see https://aka.ms/msal-conditional-access-claims. If you are using the On-Behalf-Of flow, see https://aka.ms/msal-conditional-access-claims-obo for details.
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
       at Microsoft.Identity.Client.OAuth2.OAuth2Client.<ExecuteRequestAsync>d__12`1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__11.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__11.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Identity.Client.OAuth2.TokenClient.<SendTokenRequestAsync>d__5.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Identity.Client.Internal.Requests.RequestBase.<SendTokenRequestAsync>d__26.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.<GetTokenResponseAsync>d__6.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.<ExecuteAsync>d__5.MoveNext()
    --- End of stack trace from previous location where exception was

  • Tried to use the normal VisualStudioCredential(). I was initially getting a file-not-found exception for the tokenprovider.json file, but it seemed the SF app was looking in windows32 instead of %userlocal% to get the file. So I copied the file over and re-ran, which got me a permission denied error on the file (I was not able to see a way to direct the SF app to look for my %userlocal% path):

    Azure.Identity.AuthenticationFailedException: VisualStudioCredential authentication failed: Access to the path 'C:\WINDOWS\system32\config\systemprofile\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json' is denied. ---> System.UnauthorizedAccessException: Access to the path 'C:\WINDOWS\system32\config\systemprofile\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json' is denied.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
       at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
    

    (PS: for steps 1 and 2, I tried to set the environment variables AZURE_USERNAME, AZURE_PASSWORD, AZURE_TENANT_ID.)

    Also have VS starting with Azure Auth set.

Any suggestions on how we can use DefaultAzureAuthentication() correctly, or where we could be going wrong?


Solution

  • The issue was that this was a local Service Fabric application, and the Service Fabric realm does not recognize anything beyond the SfAppCluster level, hence it was not able to pick up the Visual Studio credentials.

    What we did was go the service principal route and set our environment variables (https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/local-development-service-principal?tabs=azure-portal%2Cwindows%2Ccommand-line).

    And placed the S_+NI cert in the SfAppCluster folder locally.
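
As an added example (not part of the original answer, and not Azure SDK code), here is a startup preflight for the service principal route described above. It logs which account and profile the Service Fabric-hosted process really runs under and whether a complete set of EnvironmentCredential variables is visible to it, then uses EnvironmentCredential directly. The class name LocalCredentialPreflight and the log callback are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper (added example), called once at service startup.
public static class LocalCredentialPreflight
{
    // Service principal variable sets that EnvironmentCredential reads.
    static readonly string[][] ServicePrincipalSets =
    {
        new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" },
        new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH" },
    };

    static bool IsSet(string name) =>
        !string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(name));

    public static TokenCredential Create(Action<string> log)
    {
        // Identity and profile of the host process. In the traces above the
        // profile was C:\WINDOWS\system32\config\systemprofile, not the
        // developer's, so Visual Studio and Azure CLI logins were out of reach.
        log($"Account: {Environment.UserDomainName}\\{Environment.UserName}");
        log("LocalAppData: " + Environment.GetFolderPath(
            Environment.SpecialFolder.LocalApplicationData));

        // Report presence only; secret values must never reach the log.
        foreach (var name in ServicePrincipalSets.SelectMany(s => s).Distinct())
            log($"{name}: {(IsSet(name) ? "set" : "MISSING")}");

        if (!ServicePrincipalSets.Any(set => set.All(IsSet)))
            throw new InvalidOperationException(
                "No complete service principal variable set is visible to this process.");

        // Fail here on bad configuration instead of falling through the
        // whole DefaultAzureCredential chain.
        return new EnvironmentCredential();
    }

    // Requests a token for the given scope and returns only its expiry.
    public static async Task<DateTimeOffset> ProbeAsync(TokenCredential credential, string scope)
    {
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { scope }), CancellationToken.None);
        return token.ExpiresOn;
    }
}
```

Variables set only in the developer's own session help only if the service process actually inherits them; the preflight output shows whether it did.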