Error while getting MSI token within App Service Environment(ASE)

manoj kumar 1 Reputation point
2020-11-02T09:44:10.503+00:00

Hello Team,

We are using Azure Managed Service Identities(MSI) to authenticate our service-to-service calls in Azure. It was working fine till recently, now we are getting below error while trying to get the MSI token. We are using Microsoft.Azure.Services.AppAuthentication (v1.0.3.0) NuGet package to get the token. This issue is happening only within App Service Environment(ASE), other places its working fine.

Sample code to get token:

var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");

Error:

{"success":false,"body":"Parameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.\nParameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. MSI ResponseCode: InternalServerError, Response: {\u0022statusCode\u0022:500,\u0022message\u0022:\u0022An unexpected error occured while fetching the AAD Token.\u0022,\u0022correlationId\u0022:\u00229cfb60b9-62a9-4768-a297-f15a82977891\u0022}\nParameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.\nParameters: Connection String: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory\n\n"}

Anybody has faced this issue?

Are there any security limitations for MSI within ASE?

Also do we have any rate limits to MSI endpoint?

Regards,

Manoj

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,798 questions
{count} votes

1 answer

Sort by: Most helpful
  1. 2020-11-23T22:07:49.63+00:00

    Hi @ManojKumar S. Agasibagila , the recommended approach is to use ManagedIdentityCredential (AzureServiceTokenProvider is legacy). Also please ensure outbound calls to the following FQDN HTTP/HTTPS dependencies are allowed.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.