Failed to start local tunnel service. Unable to execute dev tunnel operation 'create'.

[rabwill]

Describe the bug
Failed to start local tunnel service. Unable to execute dev tunnel operation 'create'. .Tunnel service returned status code: 401 Unauthorized on F5 of an API plugin project,
Also tried to simulate in CLI:

Steps

Create new app --> API plugin with new API
F5

➜  ~ devtunnel host -p 3978 --protocol http --allow-anonymous
Tunnel service response status code: Unauthorized
Request ID: e65cfe5e-7ff9-4d12-bcc3-d0c2c45d280d
➜  ~ devtunnel host -p 3978 --protocol http --allow-anonymous
Tunnel service response status code: Unauthorized
Request ID: af46eb97-37cd-45a5-aac1-baed5817c74c

More details with --verbose

devtunnel list --verbose
Using token cache file: /Users/rabiawilliams/Library/Application Support/DevTunnels/devtunnels-tokens-github
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Reading Data
MSAL-Cache: ReadDataCore, Before reading from mac keychain service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/github
MSAL-Cache: ReadDataCore, After reading mac keychain 0 chars service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/github
MSAL-Cache: Got '0' bytes from file storage
Using client AppId: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
Using token cache file: /Users/rabiawilliams/Library/Application Support/DevTunnels/devtunnels-tokens-microsoft
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Registering token cache with on disk storage
MSAL-Cache: Done initializing
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: Before access
MSAL-Cache: Acquiring lock for token cache
MSAL-Cache: Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: ReadDataCore, Before reading from mac keychain service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/aad
MSAL-Cache: ReadDataCore, After reading mac keychain 8116 chars service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/aad
MSAL-Cache: Got '8116' bytes from file storage
MSAL-Cache: Read '8116' bytes from storage
MSAL-Cache: Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 1
MSAL: [GetAccounts] Found 1 RTs and 1 accounts in MSAL cache.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: [GetAccounts] Found 1 RTs and 1 accounts in MSAL cache after environment filtering.
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: Found 1 cache accounts and 0 broker accounts
MSAL: Returning 1 accounts
MSAL: MSAL MSAL.NetCore with assembly version '4.61.0.0'. CorrelationId(e27081d2-e929-4ab4-a238-37ad10f5c465)
MSAL: === AcquireTokenSilent Parameters ===
MSAL: LoginHint provided: False
MSAL: Account provided: True
MSAL: ForceRefresh: False
MSAL:
=== Request Data ===
Authority Provided? - True
Scopes - 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - e27081d2-e929-4ab4-a238-37ad10f5c465
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

MSAL: === Token Acquisition (SilentRequest) started:
	 Scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
	Authority Host: login.microsoftonline.com
MSAL: Attempting to acquire token using local cache.
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: Before access
MSAL-Cache: Acquiring lock for token cache
MSAL-Cache: Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: ReadDataCore, Before reading from mac keychain service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/aad
MSAL-Cache: ReadDataCore, After reading mac keychain 8116 chars service: tunnels account https://global.rel.tunnels.api.visualstudio.com/auth/aad
MSAL-Cache: Got '8116' bytes from file storage
MSAL-Cache: Read '8116' bytes from storage
MSAL-Cache: Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 1
MSAL: [FindAccessTokenAsync] Discovered 1 access tokens in cache using partition key: 
MSAL: Filtering AT by tenant id - item count before: 1
MSAL: Filtering AT by tenant id - item count after: 1
MSAL: Filtering AT by home account id - item count before: 1
MSAL: Filtering AT by home account id - item count after: 1
MSAL: Filtering by token type - item count before: 1
MSAL: Filtering by token type - item count after: 1
MSAL: Filtering by scopes - item count before: 1
MSAL: Access token with scopes 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all passes scope filter? True
MSAL: Filtering by scopes - item count after: 1
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: Filtering AT by preferred environment login.windows.net - item count before: 1
MSAL: Filtering AT by preferred environment login.windows.net - item count after: 1
MSAL: Filtered AT by preferred alias returning 1 tokens.
MSAL: Bearer token found
MSAL: Access token is not expired. Returning the found cache entry. [Current time (09/09/2024 00:35:15) - Expiration Time (09/09/2024 01:34:54 +00:00) - Extended Expiration Time (09/09/2024 01:34:54 +00:00)]
MSAL: Returning access token found in cache. RefreshOn exists ? False
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL:
	=== Token Acquisition finished successfully:
MSAL:  AT expiration time: 9/9/2024 1:34:54 AM +00:00, scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all. source: Cache
MSAL:
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 34
[LogMetricsFromAuthResult] DurationTotalInMs: 2268
[LogMetricsFromAuthResult] DurationInHttpInMs: 0
MSAL: TokenEndpoint: ****
HTTP: GET https://global.rel.tunnels.api.visualstudio.com/tunnels?includePorts=true&global=true&api-version=2023-09-27-preview&ownedTunnelsOnly=true
HTTP: Authorization: Bearer <token>
HTTP: User-Agent: Dev-Tunnels-Service-CLI/1.0.1338+932252c8a1
HTTP: User-Agent: (OS:Darwin 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:46 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6031)
HTTP: User-Agent: Dev-Tunnels-Service-CSharp-SDK/1.1.29+db5d357e46
HTTP: 401 Unauthorized (661 ms)
HTTP: Date: Mon, 09 Sep 2024 00:35:16 GMT
HTTP: Connection: keep-alive
HTTP: WWW-Authenticate: Bearer error="invalid_token"
HTTP: WWW-Authenticate: Bearer error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
HTTP: RateLimit-Limit: ApiQueryRatePerIPAddress:1000/s
HTTP: RateLimit-Remaining: ApiQueryRatePerIPAddress:999
HTTP: RateLimit-Reset: ApiQueryRatePerIPAddress:1s
HTTP: X-Content-Type-Options: nosniff
HTTP: VsSaaS-Request-Id: 93031416-d2c5-4ce9-b310-9d6acbd796f7
HTTP: Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTP: X-Served-By: tunnels-prod-rel-aue-v3-cluster
Tunnel service response status code: Unauthorized
Request ID: 93031416-d2c5-4ce9-b310-9d6acbd796f7

OS - macOS

[atymic]

Same issue

[lijie-lee]

Hi @rabwill, @atymic. Thanks for reahing out.

Could you try to login devtunnel by executing the command

devtunnel login -g

and then re-try the F5?

[rabwill]

Hi @rabwill, @atymic. Thanks for reahing out.

Could you try to login devtunnel by executing the command

devtunnel login -g

and then re-try the F5?

Tried this and got the CLI to work but from Teams Toolkit f5 the experience is the same.

[rabwill]

@lijie-lee looks like an issue with dev tunnels in Australia aue region , here is their response with a workaround.

[atymic]

How can I do this when it's started by teams toolkit?

[rabwill]

I have been manually doing this for Teams toolkit projects.
I commented out the Start local tunnel task and did port forwarding using VSCode. You could also use ngrok. More info here

[lijie-lee]

@lijie-lee looks like an issue with dev tunnels in Australia aue region , here is their response with a workaround.

Hi @rabwill, Thanks for you informing that this issue is caused by issue of dev tunnels in Australia aue region.