
401 Unauthorized - error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'." #480

Closed
fowl2 opened this issue Sep 9, 2024 · 4 comments

Comments

@fowl2

fowl2 commented Sep 9, 2024

My colleague is getting this error (originally just the 401 with no details in VS) using devtunnels.

Full `devtunnel list -v` output (Username and tenant ID redacted)
```text
C:\Users\REDACTED_USERNAME>devtunnel list -v
Using token cache file: C:\Users\REDACTED_USERNAME\AppData\Local\DevTunnels\devtunnels-tokens-github
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'False'
MSAL-Cache: Got '0' bytes from file storage
Using client AppId: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
Using token cache file: C:\Users\REDACTED_USERNAME\AppData\Local\DevTunnels\devtunnels-tokens-microsoft
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Registering token cache with on disk storage
MSAL-Cache: Done initializing
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache after environment filtering.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: Found 0 cache accounts and 0 broker accounts
MSAL: Returning 0 accounts
Using client AppId: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
MSAL-Cache: Registering token cache with on disk storage
MSAL-Cache: Done initializing
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache after environment filtering.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [RuntimeBroker] WAM supported OS.
MSAL: [RuntimeBroker] MsalRuntime initialization successful.
MSAL: [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
MSAL: Filtering broker accounts by environment. Before filtering: 0
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: After filtering: 0
MSAL: Found 1 cache accounts and 0 broker accounts
MSAL: Returning 1 accounts
MSAL: MSAL MSAL.NetCore with assembly version '4.55.0.0'. CorrelationId(f8352260-1a6f-439b-a8a9-29f437487ccd)
MSAL: === AcquireTokenSilent Parameters ===
MSAL: LoginHint provided: False
MSAL: Account provided: True
MSAL: ForceRefresh: False
MSAL:
=== Request Data ===
Authority Provided? - True
Scopes - 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - f8352260-1a6f-439b-a8a9-29f437487ccd
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

MSAL: === Token Acquisition (SilentRequest) started:
         Scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
        Authority Host: login.microsoftonline.com
MSAL: Broker is configured and enabled, attempting to use broker instead.
MSAL: [RuntimeBroker] WAM supported OS.
MSAL: [RuntimeBroker] MsalRuntime initialization successful.
MSAL: Can invoke broker. Will attempt to acquire token with broker.
MSAL: [RuntimeBroker] Acquiring token silently.
MSAL: [RuntimeBroker] Validating Common Auth Parameters.
MSAL: [WamBroker] Scopes were passed in the request.
MSAL: [WamBroker] Acquired Common Auth Parameters.
MSAL: [MSAL:0001]       INFO    LogTelemetryData:332    Printing Telemetry for Correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: start_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: api_name, Value: ReadAccountById
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: was_request_throttled, Value: false
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: authority_type, Value: Unknown
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: msal_version, Value: 1.1.0+local
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: correlation_id, Value: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: stop_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: msalruntime_version, Value: 0.13.8
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: is_successful, Value: true
MSAL: [MSAL:0001]       INFO    LogTelemetryData:340    Key: request_duration, Value: 0
MSAL: [MSAL:0001]       INFO    SetCorrelationId:220    Set correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001]       INFO    EnqueueBackgroundRequest:677    The original authority is 'https://login.microsoftonline.com/REDACTED_TENANTID'
MSAL: [MSAL:0001]       INFO    ModifyAndValidateAuthParameters:182     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
MSAL: [MSAL:0001]       INFO    ModifyAndValidateAuthParameters:199     Authority Realm: REDACTED_TENANTID
MSAL: [MSAL:0002]       INFO    LogTelemetryData:332    Printing Telemetry for Correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: start_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: api_name, Value: AcquireTokenSilently
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: was_request_throttled, Value: false
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: authority_type, Value: AAD
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: access_token_expiry_time, Value: 2024-09-09T06:22:46.000Z
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: read_token, Value: ID|AT
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: msal_version, Value: 1.1.0+local
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: client_id, Value: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: correlation_id, Value: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: stop_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: msalruntime_version, Value: 0.13.8
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: original_authority, Value: https://login.microsoftonline.com/REDACTED_TENANTID
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: request_eligible_for_broker, Value: true
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: broker_app_used, Value: false
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: additional_query_parameters_count, Value: 1
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: auth_flow, Value: AT
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: is_successful, Value: true
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: authorization_type, Value: WindowsIntegratedAuth
MSAL: [MSAL:0002]       INFO    LogTelemetryData:340    Key: request_duration, Value: 3
MSAL: [MSAL:0002]       INFO    LogTelemetryData:345    Printing Execution Flow:
MSAL: [MSAL:0002]       INFO    LogTelemetryData:353    {"t":"8b2yn","tid":2,"ts":0,"l":2},{"t":"8dqkx","tid":2,"ts":0,"l":2},{"t":"8dqik","tid":2,"ts":0,"l":2},{"t":"8b2ht","tid":2,"ts":0,"l":2},{"t":"7e60d","tid":2,"ts":0,"l":2,"a":2,"ie":0},{"t":"7e60e","tid":2,"ts":1,"l":2,"a":2,"ie":1},{"t":"8dqin","tid":2,"ts":1,"l":2},{"t":"7e60f","tid":2,"ts":1,"l":2,"a":2,"ie":0},{"t":"7e60g","tid":2,"ts":3,"l":2,"a":2,"ie":1},{"t":"7e60h","tid":2,"ts":3,"l":2,"a":2,"ie":0},{"t":"7e60i","tid":2,"ts":3,"l":2,"a":2,"ie":1},{"t":"8dqit","tid":2,"ts":3,"l":2},{"t":"6xuag","tid":2,"ts":3,"l":2}
MSAL: [WamBroker] WAM response status success
MSAL: [WamBroker] Successfully retrieved token.
MSAL: Checking MsalTokenResponse returned from broker.
MSAL: Success. Response contains an access token.
MSAL: Checking client info returned from the server..
MSAL: Saving token response to cache..
MSAL:
[MsalTokenResponse]
Error:
ErrorDescription:
Scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
ExpiresIn: 4221
RefreshIn:
AccessToken returned: True
AccessToken Type: Bearer
RefreshToken returned: False
IdToken returned: True
ClientInfo returned: True
FamilyId:
WamAccountId exists: True

MSAL: [Instance Discovery] Instance discovery is enabled and will be performed
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: Fetching instance discovery from the network from host login.microsoftonline.com.
MSAL: Starting [Oauth2Client] Sending GET request
MSAL: Starting [HttpManager] ExecuteAsync
MSAL: [HttpManager] Sending request. Method: GET. Host: https://login.microsoftonline.com.
MSAL: [HttpManager] Received response. Status code: OK.
MSAL: Finished [HttpManager] ExecuteAsync in 401 ms
MSAL: Finished [Oauth2Client] Sending GET request  in 405 ms
MSAL: Starting [OAuth2Client] Deserializing response
MSAL: Finished [OAuth2Client] Deserializing response in 6 ms
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
MSAL: [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True.
MSAL: Authority validation enabled? False.
MSAL: Authority validation - is known env? True.
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
MSAL: [SaveTokenResponseAsync] Entering token cache semaphore. Count Real semaphore: True. Count: 1.
MSAL: [SaveTokenResponseAsync] Entered token cache semaphore.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL: [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
MSAL: Not saving to ADAL legacy cache.
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [CalculateSuggestedCacheExpiry] No access tokens or refresh tokens found in the accessor. Not returning any expiration.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access, cache in memory HasChanged
MSAL: [Microsoft.Identity.Client.Extensions] After access, cache in memory HasChanged
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Serializing '3233' bytes
MSAL: [Microsoft.Identity.Client.Extensions] Serializing '3233' bytes
MSAL-Cache: Got '3233' bytes to write to storage
MSAL-Cache: Protecting the data
MSAL-Cache: Writing cache file
MSAL-Cache: Writing file without special permissions
MSAL-Cache: Released lock
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: Total number of access tokens in cache: 0
Total number of refresh tokens in cache: 0
Token cache dump of the first 0 cache keys.

MSAL: [SaveTokenResponseAsync] Released token cache semaphore.
MSAL: Broker responded to silent request.
MSAL:
        === Token Acquisition finished successfully:
MSAL:  AT expiration time: 9/09/2024 6:22:45 AM +00:00, scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default. source: Broker
MSAL: Fetched access token from host login.microsoftonline.com.
MSAL:
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 21
[LogMetricsFromAuthResult] DurationTotalInMs: 594
[LogMetricsFromAuthResult] DurationInHttpInMs: 377

MSAL: TokenEndpoint: ****
HTTP: GET https://global.rel.tunnels.api.visualstudio.com/tunnels?includePorts=true&global=true&api-version=2023-09-27-preview&ownedTunnelsOnly=true
HTTP: Authorization: Bearer <token>
HTTP: User-Agent: Dev-Tunnels-Service-CLI/1.0.1249+67b1cd300c
HTTP: User-Agent: (OS:Microsoft Windows 10.0.22621)
HTTP: User-Agent: Dev-Tunnels-Service-CSharp-SDK/1.1.29+db5d357e46
HTTP: 401 Unauthorized (90 ms)
HTTP: Date: Mon, 09 Sep 2024 05:12:24 GMT
HTTP: Connection: keep-alive
HTTP: WWW-Authenticate: Bearer error="invalid_token"
HTTP: WWW-Authenticate: Bearer error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
HTTP: RateLimit-Limit: ApiQueryRatePerIPAddress:1000/s
HTTP: RateLimit-Remaining: ApiQueryRatePerIPAddress:999
HTTP: RateLimit-Reset: ApiQueryRatePerIPAddress:1s
HTTP: X-Content-Type-Options: nosniff
HTTP: VsSaaS-Request-Id: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
HTTP: Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTP: X-Served-By: tunnels-prod-rel-aue-v3-cluster
Tunnel service response status code: Unauthorized
Request ID: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
```
@rabwill

rabwill commented Sep 9, 2024

Facing a similar issue today: OfficeDev/teams-toolkit#12352

@jamwest

jamwest commented Sep 9, 2024

Exact same issue for me and coworkers

@derekbekoe
Contributor

We're looking into the issue affecting the Australia East (aue) region of dev tunnels.
Until we mitigate the issue in this region, this can be worked around by temporarily pointing to a different region of the dev tunnels service.
For example, `devtunnel create --service-uri https://auc1.rel.tunnels.api.visualstudio.com` for Australia Central.
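As an added example (not code from this issue or from the dev tunnels project): a small parser for the verbose CLI output quoted above that pulls the 401's `WWW-Authenticate` parameters, the request id and the serving cluster's region out of the `HTTP:` lines, so a team can tell whether a failure matches this regional signature before retrying against another `--service-uri`. The cluster-name layout (`tunnels-prod-rel-<region>-...`) and the affected-region list are assumptions taken from this thread.

```python
import re

# Constructed sample: the tail of a `devtunnel list -v` run, modelled on the
# output quoted in this issue (request id and cluster name are taken from it).
SAMPLE_OUTPUT = """\
HTTP: Authorization: Bearer <token>
HTTP: 401 Unauthorized (90 ms)
HTTP: WWW-Authenticate: Bearer error="invalid_token"
HTTP: WWW-Authenticate: Bearer error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
HTTP: VsSaaS-Request-Id: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
HTTP: X-Served-By: tunnels-prod-rel-aue-v3-cluster
"""

_AUTH_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # RFC 6750 auth-param
_POLICY = re.compile(r"'([^']*)'")                       # quoted policy names
_CLUSTER = re.compile(r"tunnels-\w+-\w+-(\w+)-")         # assumed cluster naming

def parse_devtunnel_verbose(text):
    """Extract status, WWW-Authenticate params, request id and region from the
    HTTP lines of verbose CLI output. Returns None if no status line is seen."""
    result = None
    for line in text.splitlines():
        if not line.startswith("HTTP: "):
            continue
        body = line[len("HTTP: "):]
        status = re.match(r"(\d{3}) ", body)
        if status:
            result = {"status": int(status.group(1)), "error": "",
                      "policy_failures": [], "request_id": "", "region": ""}
            continue
        if result is None:  # request headers precede the status line; skip them
            continue
        name, _, value = body.partition(": ")
        if name == "WWW-Authenticate" and value.startswith("Bearer "):
            params = dict(_AUTH_PARAM.findall(value[len("Bearer "):]))
            result["error"] = params.get("error", result["error"])
            # The service sends two headers; only the second carries the description.
            tail = params.get("error_description", "").partition("Validation failures:")[2]
            result["policy_failures"] = _POLICY.findall(tail) or result["policy_failures"]
        elif name == "VsSaaS-Request-Id":
            result["request_id"] = value
        elif name == "X-Served-By":
            m = _CLUSTER.match(value)
            result["region"] = m.group(1) if m else value
    return result

def classify(failure, affected_regions=("aue",)):
    """'regional-policy-outage' is this thread's signature: a 401 invalid_token
    with a KeyWrapFailed inbound-policy failure served from an affected region."""
    if failure is None or failure["status"] != 401:
        return "not-an-auth-failure"
    if failure["error"] != "invalid_token":
        return "other-401"
    if not any("KeyWrapFailed" in p for p in failure["policy_failures"]):
        return "token-rejected"
    if failure["region"] in affected_regions:
        return "regional-policy-outage"
    return "keywrap-failure-other-region"
```

Any verdict other than `regional-policy-outage` points at the local token or tenant rather than the service region, so the request id is the value to hand to support in that case.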

@derekbekoe
Contributor

We reverted the change that we believe caused this and verified functionality. Apologies for the inconvenience.
