[BUG] Updating Azure.Identity to 1.13.0 and Microsoft.Identity.Client to 4.65.0/4.66.1 fails with invalid_client #46762
Labels: Azure.Identity; Client (This issue points to a problem in the data-plane of the library.); needs-author-feedback (Workflow: More information is needed from author to address the issue.)
Describe the bug
We started getting this AuthenticationFailedException saying the client application is missing a service principal in the 1P AAD tenant, even though we are actually passing a different tenantId (the one where the app is created) to the TokenCredential. Not sure why it is looking in the 1P AAD tenant and complaining that the service principal does not exist.
```text
Azure.Identity.AuthenticationFailedException: ClientCertificateCredential authentication failed:
---> MSAL.NetCore.4.65.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000229: The client application is missing service principal in the tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119 Trace ID: adbf2a0d-cf9c-4779-b8e4-5e986a530f00 Correlation ID: 70425c48-461c-4720-b354-c12eeda72c5d Timestamp: 2024-10-22 18:44:50Z
...
at Azure.Identity.ClientCertificateCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
StatusCode: 401
ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000229: The client application fe81293a-4ae8-47a7-ab18-4da55488b2bc is missing service principal in the tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119 Trace ID: adbf2a0d-cf9c-4779-b8e4-5e986a530f00 Correlation ID: 70425c48-461c-4720-b354-c12eeda72c5d Timestamp: 2024-10-22 18:44:50Z","error_codes":[7000229],"timestamp":"2024-10-22 18:44:50Z","trace_id":"adbf2a0d-cf9c-4779-b8e4-5e986a530f00","correlation_id":"70425c48-461c-4720-b354-c12eeda72c5d","error_uri":"https://login.microsoftonline.com/error?code=7000229"}
Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: 70425c48-461c-4720-b354-c12eeda72c5d
x-ms-request-id: adbf2a0d-cf9c-4779-b8e4-5e986a530f00
x-ms-ests-server: 2.1.19184.6 - WEULR1 ProdSlices
x-ms-clitelem: 1,7000229,0,,
x-ms-srs: 1.P
X-XSS-Protection: 0
Set-Cookie: fpc=AruZXyKpADZGp5Fk_LL_iohhQeiFAQAAAKHpqd4OAAAA; expires=Thu, 21-Nov-2024 18:44:50 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Tue, 22 Oct 2024 18:44:49 GMT
```
Expected behavior
There have been no code changes other than the NuGet version updates, and it started failing with this error. The app is not in the 1P tenant but in the tenant that we are explicitly passing. We are calling:

```csharp
// Arguments: tenantId, clientId, certificate, scope, options (author's custom wrapper; its definition is not shown)
new CustomClientCertificateCredential(
    AppHomeTenantId,
    ApplicationId,
    Cert.X509Certificate,
    "https://management.azure.com/.default",
    new ClientCertificateCredentialOptions
    {
        AuthorityHost = new Uri("https://login.microsoftonline.com/common"),
        AdditionallyAllowedTenants = { "*" },
        SendCertificateChain = true
    });
```

Expected behavior: successfully acquire a token.
Actual behavior
AuthenticationFailedException (see the trace above).
Reproduction Steps
```csharp
// Arguments: tenantId, clientId, certificate, scope, options (author's custom wrapper; its definition is not shown)
new CustomClientCertificateCredential(
    AppHomeTenantId,
    ApplicationId,
    Cert.X509Certificate,
    "https://management.azure.com/.default",
    new ClientCertificateCredentialOptions
    {
        AuthorityHost = new Uri("https://login.microsoftonline.com/common"),
        AdditionallyAllowedTenants = { "*" },
        SendCertificateChain = true
    });
```
Environment
AAD PROD
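The security-relevant detail in the trace above is that the STS reports tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a, which is not the AppHomeTenantId the credential was built for, so the token request was evaluated against a tenant the caller never intended. The example below is added by the editor and is not code from the issue, from Azure.Identity or from MSAL. It does two things a practitioner would want when triaging this class of failure: it parses the AADSTS7000229 body (the one quoted in the issue, used here as a constructed sample) to make the tenant mismatch explicit, and it guards the options with a check that AuthorityHost is a bare STS host (AzureAuthorityHosts.AzurePublicCloud is https://login.microsoftonline.com/) with no path such as the `/common` in the posted options, since the credential appends the tenant itself. That `/common` in AuthorityHost is what steers the request to the reported tenant is the editor's inference and is not confirmed anywhere in the issue. `TenantCheck`, `RequireHostOnlyAuthority`, `FindTenantMismatch`, the placeholder tenant GUID and the PFX path are all assumptions of the example.

```csharp
// Added example by the editor; not code from the issue, from Azure.Identity or from MSAL.
// Assumptions: .NET 8, Azure.Identity 1.13.0; tenant/client IDs and the PFX path are placeholders.
#nullable enable
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static class TenantCheck
{
    // AADSTS7000229 names the tenant the STS actually evaluated; capture its GUID.
    static readonly Regex TenantInError = new(@"in the tenant ([0-9a-fA-F-]{36})", RegexOptions.Compiled);

    // AuthorityHost is the STS *host*; the credential appends the tenant itself.
    // Any extra path segment, such as "/common", is rejected here before a request is sent.
    public static void RequireHostOnlyAuthority(Uri authorityHost)
    {
        if (authorityHost.Scheme != Uri.UriSchemeHttps || authorityHost.AbsolutePath != "/"
            || !string.IsNullOrEmpty(authorityHost.Query))
            throw new ArgumentException(
                $"AuthorityHost must be a bare https host such as {AzureAuthorityHosts.AzurePublicCloud}; got {authorityHost}");
    }

    // Parses an invalid_client response body and returns the tenant the STS looked in
    // when it differs from the tenant the credential was built for; null otherwise.
    public static string? FindTenantMismatch(string responseBody, string expectedTenantId)
    {
        using var doc = JsonDocument.Parse(responseBody);
        var root = doc.RootElement;
        if (root.GetProperty("error").GetString() != "invalid_client") return null;
        var m = TenantInError.Match(root.GetProperty("error_description").GetString() ?? "");
        if (!m.Success) return null;
        var actual = m.Groups[1].Value;
        return actual.Equals(expectedTenantId, StringComparison.OrdinalIgnoreCase) ? null : actual;
    }

    // Builds the credential with a host-only authority and reports a tenant mismatch on failure.
    public static async Task<AccessToken> AcquireArmTokenAsync(string tenantId, string clientId, X509Certificate2 cert)
    {
        var options = new ClientCertificateCredentialOptions
        {
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud, // host only; no "/common"
            SendCertificateChain = true,
        };
        options.AdditionallyAllowedTenants.Add("*");
        RequireHostOnlyAuthority(options.AuthorityHost);

        var credential = new ClientCertificateCredential(tenantId, clientId, cert, options);
        var ctx = new TokenRequestContext(new[] { "https://management.azure.com/.default" });
        try
        {
            return await credential.GetTokenAsync(ctx, CancellationToken.None);
        }
        catch (AuthenticationFailedException ex)
        {
            // The exception message carries the STS error text seen in the issue.
            var m = TenantInError.Match(ex.Message);
            if (m.Success && !m.Groups[1].Value.Equals(tenantId, StringComparison.OrdinalIgnoreCase))
                Console.Error.WriteLine(
                    $"STS evaluated tenant {m.Groups[1].Value} but the credential was built for {tenantId}; " +
                    "check AuthorityHost and tenantId before anything else.");
            throw;
        }
    }
}

static class Program
{
    // Constructed sample: the ResponseBody quoted in this issue, reduced to the fields used here.
    const string SampleBody =
        @"{""error"":""invalid_client"",""error_description"":""AADSTS7000229: The client application " +
        @"fe81293a-4ae8-47a7-ab18-4da55488b2bc is missing service principal in the tenant " +
        @"f8cdef31-a31e-4b4a-93e4-5f571e91255a. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119"",""error_codes"":[7000229]}";

    // Usage: `dotnet run` runs the offline checks; `dotnet run <tenantId> <clientId> <pfxPath>` also acquires a live ARM token.
    static async Task Main(string[] args)
    {
        var intendedTenant = "11111111-1111-1111-1111-111111111111"; // placeholder for AppHomeTenantId
        var mismatch = TenantCheck.FindTenantMismatch(SampleBody, intendedTenant);
        Console.WriteLine(mismatch is null ? "tenant matches" : $"STS evaluated tenant {mismatch}, not {intendedTenant}");

        // The "/common" authority from the issue fails the check; the host-only authority passes.
        try { TenantCheck.RequireHostOnlyAuthority(new Uri("https://login.microsoftonline.com/common")); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
        TenantCheck.RequireHostOnlyAuthority(AzureAuthorityHosts.AzurePublicCloud);

        if (args.Length != 3) return;
        using var cert = new X509Certificate2(args[2]); // PFX without password; adjust for your store
        var token = await TenantCheck.AcquireArmTokenAsync(args[0], args[1], cert);
        Console.WriteLine($"token acquired, expires {token.ExpiresOn:u}");
    }
}
```

Run without arguments to see the mismatch report and the rejected `/common` authority using only the sample body; pass a tenant, client ID and PFX path to exercise the live path. Keeping the authority check ahead of the network call means a misconfigured authority fails closed in the caller's own process instead of surfacing as an STS error from a tenant the application never meant to talk to.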