azure-sdk-for-net: Issuer validation failed. Issuer did not match.

Describe the bug When trying to retrieve blob data from Azure Storage I get an error.

Expected behavior Being authenticated and retrieving data

Actual behavior (include Exception or Stack Trace) Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.) ErrorCode: AuthenticationFailed

In fiddler I can see: Issuer validation failed. Issuer did not match.

To Reproduce Steps to reproduce the behavior (include a code snippet, screenshot, or any additional information that might help us reproduce the issue)

environment variable: AZURE_USERNAME: {my azure ad account logged into visualstudio that does work for sqlconnections for example}

using Azure.Identity;
using Azure.Storage.Blobs;

// Authenticates with whatever DefaultAzureCredential picks up (here the AZURE_USERNAME account)
var blobServiceClient = new BlobServiceClient(
    new Uri(configuration.GetConnectionString("AzureStorage")),
    new DefaultAzureCredential());

var container = blobServiceClient.GetBlobContainerClient("apk");

foreach (var blob in container.GetBlobs()) // fails at .GetBlobs()
{
    Console.WriteLine(blob.Name);
}


Environment:

  • Name and version of the Library package used:
    • Azure.Identity 1.1.1
    • Azure.Storage.Blobs 12.3.0
  • Hosting platform or OS and .NET runtime version (dotnet --info output for .NET Core projects): Windows 10
  • IDE and version: [e.g. Visual Studio 16.3]

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 32 (9 by maintainers)

Most upvoted comments

@Expecho - I did not open a new issue, but I managed to solve the issue.

In my case I was using a user who had access to multiple subscriptions/tenants. I had the right user selected in Visual Studio, but I think it was defaulting to the wrong tenant.

I solved this by explicitly using the AzureCliCredential() and Azure CLI to login to the exact tenant. You could probably also do something similar by using EnvironmentCredential()

@hirejohnloveland - Try using Azure CLI to login. I’ve found I have a lot more control than when trying to leave the authentication up to Visual Studio.

By default the Azure CLI will not let you login to a tenant without a subscription (which is common if your tenant is only used for AAD). In that case try logging on with

az login -t myb2ctenant.onmicrosoft.com --allow-no-subscriptions

@danielmackay I ended up with the same “Issuer does not match” error. I came across this issue via Google search for that error message. I was able to solve this by specifying the tenantId to the options of DefaultAzureCredential:

new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    VisualStudioTenantId = "7e5a038c-dd78-4130-b562-f0ea12548732"
})

There are similar options for TenantId for other auth mechanisms. Unfortunately, there’s no overarching generic TenantId option, so it must be specified for each potential auth mechanism.

Edit: There is a fallback onto env var AZURE_TENANT_ID, so you can put the following in launchSettings.json, or equivalent launch config for your project type:

{
  "profiles": {
    "web": {
      "commandName": "Project",
      // ... other stuff
      "environmentVariables": {
        "AZURE_TENANT_ID": "7e5a038c-dd78-4130-b562-f0ea12548732"
      }
    }
  }
}
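The two fixes in this thread (pin the tenant on the developer-login mechanisms, or let AZURE_TENANT_ID be picked up) both come down to making sure the token presented to Blob Storage was issued by the tenant the storage account trusts. The following is an added example, not code from the issue or from the Azure SDK, that does both things defensively for Azure.Identity 1.4-era options: it sets the tenant on every per-mechanism option that DefaultAzureCredential can fall through to, then decodes the issued token's tid claim locally and refuses to call storage if it was issued by a different tenant. The tenant GUID placeholder, the AZURE_TENANT_ID fallback and the helper names (TenantPinnedBlobAccess, BuildCredential, TokenTenant, ListBlobs) are assumptions for the example.

```csharp
// Added example (not from the issue thread or the SDK): pin DefaultAzureCredential to one
// tenant and check which tenant actually issued the token before calling Blob Storage.
using System;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

static class TenantPinnedBlobAccess
{
    // Assumed inputs: the tenant comes from AZURE_TENANT_ID; the GUID below is a placeholder,
    // not a real tenant, and should be replaced with your own.
    static readonly string TenantId =
        Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
        ?? "00000000-0000-0000-0000-000000000000";

    public static DefaultAzureCredential BuildCredential(string tenantId)
    {
        // Azure.Identity 1.4 has no single TenantId on DefaultAzureCredentialOptions, so the
        // tenant is set on each developer-login mechanism the chain can fall through to.
        var options = new DefaultAzureCredentialOptions
        {
            SharedTokenCacheTenantId = tenantId,
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId,
        };
        return new DefaultAzureCredential(options);
    }

    // Decode the JWT payload (base64url, no signature check; local diagnostics only) and
    // return the "tid" claim, i.e. the tenant that issued the token. Returns null if absent.
    public static string TokenTenant(string accessToken)
    {
        string payload = accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.TryGetProperty("tid", out var tid) ? tid.GetString() : null;
    }

    public static void ListBlobs(Uri accountUri, string containerName)
    {
        var credential = BuildCredential(TenantId);

        // Acquire a storage token up front and compare the issuing tenant with the expected one.
        // A mismatch here is what the service reports as
        // "Issuer validation failed. Issuer did not match."
        AccessToken token = credential.GetToken(
            new TokenRequestContext(new[] { "https://storage.azure.com/.default" }), default);
        string issuedBy = TokenTenant(token.Token);
        if (!string.Equals(issuedBy, TenantId, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Token issued by tenant '{issuedBy}', expected '{TenantId}'. " +
                "Check which account and tenant your IDE or Azure CLI is signed in to.");
        }

        var service = new BlobServiceClient(accountUri, credential);
        var container = service.GetBlobContainerClient(containerName);
        foreach (var blob in container.GetBlobs())
        {
            Console.WriteLine(blob.Name);
        }
    }
}
```

The early tid check turns an opaque 401/403 from the storage service into a message that names both tenants, which is usually enough to tell which sign-in (Visual Studio, VS Code, shared token cache, browser) supplied the wrong one. Newer Azure.Identity releases also expose a single TenantId property on DefaultAzureCredentialOptions, which can replace the four per-mechanism assignments above.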

I see this ticket is closed, but is the issue actually resolved?

I am facing this now using:

  • Azure.Identity 1.4.0
  • Azure.Storage.Blobs (12.9.1)

I have tried setting my user both through VS -> Tools -> Options -> Azure Service Authentication, and via an AZURE_USERNAME environment variable, neither of which has worked. The error I am getting is:

[2021-07-04T10:14:54.086Z] Executed 'ListFiles' (Failed, Id=554faeca-1e68-4f7d-b8e6-75ad6e76d03c, Duration=3565ms)
[2021-07-04T10:14:54.088Z] System.Private.CoreLib: Exception while executing function: ListFiles. Azure.Storage.Blobs: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:bee61514-501e-00b7-29bd-700f62000000
Time:2021-07-04T10:15:12.7427965Z
[2021-07-04T10:14:54.089Z] Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
[2021-07-04T10:14:54.092Z] ErrorCode: InvalidAuthenticationInfo
[2021-07-04T10:14:54.093Z]
[2021-07-04T10:14:54.093Z] Additional Information:
[2021-07-04T10:14:54.094Z] AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
[2021-07-04T10:14:54.095Z]
[2021-07-04T10:14:54.095Z] Content:
[2021-07-04T10:14:54.096Z] <?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:bee61514-501e-00b7-29bd-700f62000000
Time:2021-07-04T10:15:12.7427965Z</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>
[2021-07-04T10:14:54.097Z]
[2021-07-04T10:14:54.098Z] Headers:
[2021-07-04T10:14:54.099Z] Server: Microsoft-HTTPAPI/2.0
[2021-07-04T10:14:54.100Z] x-ms-request-id: bee61514-501e-00b7-29bd-700f62000000
[2021-07-04T10:14:54.101Z] x-ms-error-code: InvalidAuthenticationInfo
[2021-07-04T10:14:54.102Z] WWW-Authenticate: REDACTED
[2021-07-04T10:14:54.106Z] Date: Sun, 04 Jul 2021 10:15:12 GMT
[2021-07-04T10:14:54.107Z] Content-Length: 402
[2021-07-04T10:14:54.108Z] Content-Type: application/xml
[2021-07-04T10:14:54.109Z] .

Can we reopen this ticket or should I create a new one?