
This is a continuation of the ticket Restrict Access with Azure Managed Identity in .NET Core Web API where I configured a .NET Core Web API to be secured with a user-assigned Azure Managed Identity. This Web API has been deployed as https://epd-api.azurewebsites.net.

Now I have a locally running/debugging .NET Core Web App trying to acquire a managed identity token for the above Azure-deployed Web API as below.

    using Azure.Core;
    using Azure.Identity;
    using System.Net.Http.Headers;

    string userAssignedClientId = "<<managed-identity clientid>>";
    // ManagedIdentityClientId is only used by the managed-identity stage of the chain; locally the chain falls through to Azure CLI.
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
    var accessToken = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://epd-api.azurewebsites.net/.default" }));
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken.Token);

It's breaking at the line 'credential.GetTokenAsync()' with the below exception message.

AuthenticationFailedException: Azure CLI authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azclicredential/troubleshoot ERROR: The command failed with an unexpected error. Here is the traceback: ERROR: Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://epd-api.azurewebsites.net was not found in the tenant named DXC Production. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b537e8c2-c1a8-44ff-a363-d162cd15e101\r\nCorrelation ID: 507df083-138c-4848-b446-40631732a181\r\nTimestamp: 2022-09-13 06:52:22Z","error_codes":[500011],"timestamp":"2022-09-13 06:52:22Z","trace_id":"b537e8c2-c1a8-44ff-a363-d162cd15e101","correlation_id":"507df083-138c-4848-b446-40631732a181","error_uri":"https://login.microsoftonline.com/error?code=500011"} Traceback (most recent call last):

Once I deployed my Web App in Azure, the error message is different, as below.

Connection ID "15636497907840976997", Request ID "80000866-0000-d900-b63f-84710c7967bb": An unhandled exception was thrown by the application.

Exception: Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 500 (Internal Server Error)

Content:

Headers: Date: Tue, 13 Sep 2022 07:39:11 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Azure.RequestFailedException: Service request failed. Status: 500 (Internal Server Error)

Content:

Headers: Date: Tue, 13 Sep 2022 07:39:11 GMT Server: Kestrel Transfer-Encoding: chunked X-CORRELATION-ID: REDACTED Content-Type: application/json; charset=utf-8

   at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at ManagedIdentityWeb.Pages.IndexModel.OnGetAsync() in C:\Users\jmathews4\Source\Repos\ManagedIdentityAPI\ManagedIdentityWeb\Pages\Index.cshtml.cs:line 36
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.NonGenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT`1.ProcessRequestAsync()

Any clue here for troubleshooting?

Jaish Mathews

1 Answer


It's trying to use the Azure CLI there and its refresh token has expired. Run az login again in the command line and try again.

juunas
  • Error message has changed after a fresh az login. I updated it in above original thread. – Jaish Mathews Sep 13 '22 at 06:59
  • Hmm, it could be that you are signed in to wrong tenant in AZ CLI. Try specifying the tenant ID with `az login -t id-here` – juunas Sep 13 '22 at 07:08
  • To get rid of this CLI, I deployed the Web App also in Azure. Now the error message is different and very general. I updated the above loop with this additional info. Trying to find some specific info in it. – Jaish Mathews Sep 13 '22 at 07:46
  • Well, we can't really help for a 500 error I think :\ That's an error in Microsoft's API endpoint. – juunas Sep 13 '22 at 09:06
  • The error is not there once I disable managed identity security and the token call, then directly call the Web API endpoints. Is there a way we can find whether the token access call reached the API side, or whether it's breaking on the Web UI side itself before reaching the Web API? – Jaish Mathews Sep 15 '22 at 15:22
  • I have the same error from the Azure Portal UI – Laurent Oct 04 '22 at 18:56
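The two failures in this thread sit on either side of token issuance: the local AADSTS500011 means the scope's resource identifier (`https://epd-api.azurewebsites.net`) matched no service principal in the tenant the CLI was signed in to, so no token was issued at all; the comments then ask how to tell whether a token that is issued actually targets the API. The check below is an added example, not code from the question, the answer, or the linked projects. It decodes the payload of a bearer token without verifying the signature (a debugging aid only, never an authorization decision) and compares the `aud` claim against the audiences the API accepts and the `tid` claim against the API's tenant, which is exactly the "wrong tenant" case the answer's `az login -t` comment describes. The tenant ID, API client ID, and both sample tokens are constructed placeholders; Azure AD issues v1 tokens with the Application ID URI as `aud` and v2 tokens with the client ID, so both forms are listed as acceptable.

```python
"""Inspect a bearer token's claims before sending it to a downstream API.

Added example (not from the original thread). The JWT is decoded without any
signature check, so the result is only a troubleshooting hint, not validation.
"""
import base64
import json

# Constructed placeholders: the API's tenant and the audiences its JwtBearer
# middleware would accept (Application ID URI for v1 tokens, client id for v2).
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUDIENCES = {
    "api://22222222-2222-2222-2222-222222222222",
    "22222222-2222-2222-2222-222222222222",
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_tenant: str, expected_audiences: set) -> list:
    """Return a list of problems; an empty list means aud and tid match the API."""
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in expected_audiences:
        problems.append(
            f"aud={aud!r} is not one of {sorted(expected_audiences)}: the scope passed to "
            "GetTokenAsync named a different resource, so the API will reject this token")
    tid = claims.get("tid")
    if tid != expected_tenant:
        problems.append(
            f"tid={tid!r} is not the API's tenant {expected_tenant}: the credential signed "
            "in to another tenant (for Azure CLI, re-run az login -t <tenant-id>)")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "dummy"}
    return f"{enc(header)}.{enc(claims)}.dummysignature"


# Constructed tokens: one addressed to the API in its tenant, one issued in another
# tenant for an unrelated resource (the shape a stale/wrong-tenant CLI login yields).
GOOD_TOKEN = make_sample_token({
    "aud": "api://22222222-2222-2222-2222-222222222222",
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
    "tid": EXPECTED_TENANT,
    "appid": "33333333-3333-3333-3333-333333333333",
    "idtyp": "app",
})
BAD_TOKEN = make_sample_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/99999999-9999-9999-9999-999999999999/",
    "tid": "99999999-9999-9999-9999-999999999999",
    "appid": "44444444-4444-4444-4444-444444444444",
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_token(tok, EXPECTED_TENANT, EXPECTED_AUDIENCES) or "OK")
```

In the Web App, the same check can be run on `accessToken.Token` right after `GetTokenAsync` returns (in C#, `System.IdentityModel.Tokens.Jwt`'s `JwtSecurityTokenHandler.ReadJwtToken` gives the claims the same way). If `aud` does not match what the API's JwtBearer options expect, the request never gets past the API's authentication middleware, which answers the comment's question of which side is failing; the AADSTS500011 case is earlier still, and is fixed on the client side by requesting the scope under the identifier the API registration actually exposes (its Application ID URI or client ID followed by `/.default`).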