azure-sdk-for-net: [BUG] - AAD Guest account with DeveloperTool=VisualStudio - Login failed for user '' (Microsoft.Azure.Services.AppAuthentication using AzureServiceTokenProvider )

Describe the bug: When using an AAD guest account (home tenant different from the Azure subscription tenant) to authenticate to SQL Server using the default constructor AzureServiceTokenProvider() or AzureServiceTokenProvider("RunAs=Developer; DeveloperTool=VisualStudio"), I get the error: Login failed for user '<token-identified principal>'.

When overriding the AzureServiceTokenProvider connection string to use RunAs=Developer; DeveloperTool=AzureCli, the issue is gone. I assume the default constructor is using RunAs=Developer; DeveloperTool=VisualStudio, as this gives the same connection problems.

Looking at the access tokens generated for each mechanism, the working token has attributes

  • altsecid
  • email
  • home_oid
  • idp
  • rh

The non-working token is missing all of the above and has "uti". Interestingly, each also has a different OID; the bad token's OID doesn't even exist as a user in the directory. The good OID is the proper ID for the guest user.

This same issue is not present when using the same library to access Azure Key Vault; it is only reproducible for Azure SQL Server.

Expected behavior: Authentication works for Visual Studio authentication the same as for the CLI. Confirmed good using SSMS (using Universal with MFA with the same guest user). NOTE: SSMS v17 does not work with guest accounts, only v18+.

Actual behavior (include Exception or Stack Trace): Login failed for user '<token-identified principal>'

To Reproduce: Steps to reproduce the behavior (include a code snippet, screenshot, or any additional information that might help us reproduce the issue)

  1. Grant group based AAD access to an Azure SQL Server
  2. Login to Visual Studio 2019 with Azure Service Authentication
  3. Connect to SQL using Microsoft.Azure.Services.AppAuthentication to get Access Token

Environment:

  • Microsoft.Azure.Services.AppAuthentication 1.5.0
  • Windows 10.0.17763
  • .NET CORE 3.1.3.1
  • Visual Studio 2019 16.6.2 (ASA Service Provider - 1.0)
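The following is an added diagnostic example, not code from the issue or from the AppAuthentication library. It uses the GetAccessTokenAsync(resource, tenantId) overload to ask the developer token provider for a token issued by the resource tenant, then decodes the JWT payload (without validating it) to check the tid and the guest-specific claims the reporter compared (idp, altsecid, home_oid) before handing the token to SqlConnection. That way a home-tenant token fails fast with a clear message instead of the opaque "Login failed for user '<token-identified principal>'" from SQL. The tenant ID, server and database names are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class GuestSqlTokenCheck
{
    // Azure AD resource identifier for Azure SQL Database.
    private const string SqlResource = "https://database.windows.net/";

    // Decode the payload segment of a JWT. No signature validation: this only inspects
    // which tenant and identity the token carries, it does not establish trust in it.
    public static JsonDocument DecodePayload(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        switch (payload.Length % 4)
        {
            case 2: payload += "=="; break;
            case 3: payload += "="; break;
        }
        return JsonDocument.Parse(Convert.FromBase64String(payload));
    }

    public static async Task<string> GetCheckedTokenAsync(string tenantId)
    {
        // Default constructor: RunAs=Developer on a dev box, so the token comes from
        // the Visual Studio or Azure CLI token service depending on DeveloperTool.
        var provider = new AzureServiceTokenProvider();
        string token = await provider.GetAccessTokenAsync(SqlResource, tenantId);

        using JsonDocument claims = DecodePayload(token);
        JsonElement root = claims.RootElement;

        // A token minted by the guest's home tenant carries that tenant's tid and an oid
        // the SQL server's directory has never seen. Fail closed on a tenant mismatch.
        string tid = root.GetProperty("tid").GetString();
        if (!string.Equals(tid, tenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Token was issued by tenant {tid}, expected resource tenant {tenantId}.");

        // The working token in the report carried idp, altsecid and home_oid; their absence
        // is the symptom of a home-tenant token, so surface it in the diagnostics.
        foreach (string claim in new[] { "idp", "altsecid", "home_oid" })
        {
            if (!root.TryGetProperty(claim, out _))
                Console.WriteLine($"warning: guest claim '{claim}' missing from token");
        }
        return token;
    }

    public static async Task Main(string[] args)
    {
        // Placeholder values (assumed); pass your resource tenant ID and server name.
        string tenantId = args.Length > 0 ? args[0] : "00000000-0000-0000-0000-000000000000";
        string server = args.Length > 1 ? args[1] : "myserver.database.windows.net";

        string token = await GetCheckedTokenAsync(tenantId);

        // Hand the checked token to SqlClient; no user/password in the connection string.
        using var conn = new SqlConnection($"Server=tcp:{server},1433;Database=mydb;Encrypt=True;");
        conn.AccessToken = token;
        await conn.OpenAsync();
        Console.WriteLine($"connected to {server} with a token from tenant {tenantId}");
    }
}
```

Run it from a Visual Studio session signed in with the guest account and compare the result with DeveloperTool=AzureCli: the tid check and the claim warnings tell you which token service produced the home-tenant token, which is the information the SQL error message hides.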

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 28 (9 by maintainers)

Most upvoted comments

I have created a bug internally on VS to enable all tokens returned for all tenants when requesting a token to have a similar experience as AzureCli.

@anaismiller thank you very much, but VSCode is affected as well. Can we create a ticket for it too?

Yes, this is what I have seen as well. Visual Studio is picking up the "default" tenant for guest accounts, which is not our corporate directory. I've worked around this with a little helper class:

using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Hosting;

public static class TokenCredentialFactory
{
    // In Development, pin both the shared token cache and the Visual Studio credential
    // to the resource tenant so the guest account's home tenant is not used.
    // Outside Development, fall back to the default chain (managed identity etc.).
    public static TokenCredential Get(IHostEnvironment env, string tenantId) =>
        env.IsDevelopment()
            ? new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                SharedTokenCacheTenantId = tenantId,
                VisualStudioTenantId = tenantId
            })
            : new DefaultAzureCredential();
}

Using this has resolved the issue for our developers with guest accounts.

cc @anaismiller @crmann1 , bumping this so that the bot doesn’t close it out. Any updates? Thanks

The reason I say these things are a workaround is that this problem doesn’t exist when using the Azure CLI token service. It’s just the VS token service that has this issue.