Azure key vault

Nikita Pandey 6 Reputation points
2020-03-30T13:58:13.507+00:00

I have created a web application in C#.NET to access the key vault from Azure without using credentials in the code, but I am facing one issue.

I have created the web application in C#.NET, but I am getting the following error:

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Windows\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. Traceback (most recent call last):
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 193, in _run_module_as_main
"main", mod_spec)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli\azure\cli__main__.py", line 33, in <module>
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core__init__.py", line 547, in get_default_cli
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\azlogging.py", line 30, in <module>
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\commands__init__.py", line 28, in <module>
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\azure-cli-core\azure\cli\core\extension__init__.py", line 16, in <module>
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\knack\knack\config.py", line 39, in init
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\knack\knack\util.py", line 108, in ensure_dir
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-9101vebg\knack\knack\util.py", line 105, in ensure_dir
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\os.py", line 220, in makedirs
mkdir(name, mode)
PermissionError: [WinError 5] Access is denied: 'C:\Windows\system32\config\systemprofile\.azure'

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66375204-7fc7-4ceb-be15-a5b6ea7b6ef6. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Integrated Windows Auth is not supported for managed users. See https://aka.ms/adal-iwa for details.

The following is the code snippet:

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using SummitSecurity;
using System;
using System.Configuration;
using System.Threading.Tasks;

namespace Azure_WebApp
{
    public partial class Azure_Form : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            // Blocks the request thread until the secret has been fetched.
            string str = ResultOnGetAsync().Result;
            Label1.Text = str;
        }

        public static string WMIUserPWDKey = string.Empty;

        public static string Message { get; set; }

        private static async Task<string> ResultOnGetAsync()
        {
            string ret = string.Empty;

            try
            {
                // No credentials in code: the provider tries Managed Service Identity, Visual Studio,
                // Azure CLI and Integrated Windows Auth in turn (the four methods listed in the error above).
                AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

                KeyVaultClient keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
                var secret = await keyVaultClient.GetSecretAsync("https://summitazurekey.vault.azure.net/secrets/AzureKey")
                    .ConfigureAwait(false);

                Message = secret.Value;
                // fnDecrypt and CommonExtensionMethods are application-specific helpers (not shown here).
                WMIUserPWDKey = fnDecrypt(secret.Tags["WMIUserPWDKey"].ToString(), "");
                string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
                string strEncrypted = string.Empty;
                strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
                ret = $"AzureDecryptKey is {WMIUserPWDKey}\n" +
                      $"{Encrypted()}";
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
            return ret;
        }

        static string Encrypted()
        {
            string StrToEncryptAndDecrypt = "TestStringToEncryptAndDecrypt";
            string strEncrypted = string.Empty;
            strEncrypted = CommonExtensionMethods.QueryStringEncrypt(StrToEncryptAndDecrypt, WMIUserPWDKey);
            string strDecrypted = string.Empty;
            strDecrypted = CommonExtensionMethods.QueryStringDecrypt(strEncrypted, WMIUserPWDKey);
            string EnDecKey = "Encrypted: " +
                              $"{strEncrypted}\n" + "Decrypted: " +
                              $"{strDecrypted}";
            return EnDecKey;
        }

        // This method implements exponential backoff if there are 429 errors from Azure Key Vault
        private static long getWaitTime(int retryCount)
        {
            long waitTime = ((long)Math.Pow(2, retryCount) * 100L);
            return waitTime;
        }

        // This method fetches a token from Azure Active Directory, which can then be provided to Azure Key Vault to authenticate.
        // The resource is the Key Vault service identifier (https://vault.azure.net), not the individual vault's host name.
        public async Task<string> GetAccessTokenAsync()
        {
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");
            return accessToken;
        }
    }
}

Please help me out: why am I not able to access the secret from the vault? In a console app it is working fine, but in the ASP.NET web app it is not working.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

6 answers

  1. Piyush Mutha 11 Reputation points
    2020-03-30T19:47:09.04+00:00

    I guess you've not added your App Service to your Key Vault's Access Policies. In that case,

    1. Navigate to the Key Vault resource in Azure Portal.
    2. In the menu, find the Access Policies button and click on that.
    3. On the Access Policies page, find +Add Access Policy link and click.
    4. On the Add access policy page, select all the permissions you want to grant to your App Service (probably all if you want to test this solution) and click on Select Principal.
    5. In the principal window, search for your App Service using the App Service Name and Select.
    6. On the Add access policy page, click Add to add the policy to your Key Vault.
    7. Finally on the Access Policies page, click "Save" to save your changes. (a lot of people miss this step)

    Restart your App Service and the underlying WebJobs (if any); that should solve your problem.

    2 people found this answer helpful.

  2. Saurabh Sharma 23,661 Reputation points Microsoft Employee
    2020-04-03T15:09:20.083+00:00

    When you are running your web application from IIS, it does not have your developer identity context to retrieve the access token. You need to configure your IIS to run with user context to retrieve the token and access the key vault. You need to follow the steps below:

    1. Configure Application pool to run as your user account.
    2. Configure setProfileEnvironment to True.
      Go to %windir%\System32\inetsrv\config\applicationHost.config and search for "setProfileEnvironment". If it's set to "False", change it to "True". If it's not present, add it as an attribute to the processModel element (/configuration/system.applicationHost/applicationPools/applicationPoolDefaults/processModel/@setProfileEnvironment) and set it to "True". Please let me know if this helps to fix your issue.
    2 people found this answer helpful.
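An added diagnostic example tying the question's error to the two fixes proposed in the answers above; it is not the asker's code and not part of the Microsoft.Azure.Services.AppAuthentication library. The error text shows the token provider walking its fallback chain (Managed Service Identity, Visual Studio, Azure CLI, Integrated Windows Auth) and failing at every step. This helper pins the provider to a single credential source with a connection string, reports which principal actually obtained a token, and separates a failure to acquire any token (the identity-context problem the IIS answer addresses) from a 403 returned by Key Vault itself (the access-policy problem the first answer addresses). The names `KeyVaultAuthDiagnostics` and `ProbeAsync` are hypothetical; the connection-string syntax, `PrincipalUsed`, and `KeyVaultErrorException` belong to AppAuthentication 1.x and Microsoft.Azure.KeyVault.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

// Hypothetical helper (not from the question or the library): one call that tells you
// whether Key Vault access fails before a token exists or after one is presented.
public static class KeyVaultAuthDiagnostics
{
    // Connection strings understood by AzureServiceTokenProvider:
    //   "RunAs=App;"                                  -> managed identity only (deployed App Service / VM)
    //   "RunAs=Developer; DeveloperTool=AzureCli"     -> the `az login` session of the process's user
    //   "RunAs=Developer; DeveloperTool=VisualStudio" -> the Visual Studio token provider file
    //   null                                          -> default chain, as seen in the error above
    public static async Task<string> ProbeAsync(string secretIdentifier, string connectionString = null)
    {
        var tokenProvider = new AzureServiceTokenProvider(connectionString);
        var kv = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        try
        {
            SecretBundle secret = await kv.GetSecretAsync(secretIdentifier).ConfigureAwait(false);

            // PrincipalUsed is populated only once a token has actually been acquired.
            Principal p = tokenProvider.PrincipalUsed;
            string who = p == null
                ? "(unknown)"
                : $"{p.Type} appId={p.AppId ?? "-"} upn={p.UserPrincipalName ?? "-"}";
            return $"OK: secret read as {who}; value length={secret.Value?.Length ?? 0}";
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Stage 1 failed: no credential source yielded a token. Under full IIS this typically
            // means the application pool identity has no Azure CLI / Visual Studio login and the
            // host exposes no managed identity.
            return "AUTHENTICATION failed (no token acquired): " + FirstLine(ex.Message);
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // Stage 2 failed: a token was obtained, but this principal is not in the vault's access policy.
            Principal p = tokenProvider.PrincipalUsed;
            string who = p?.AppId ?? p?.UserPrincipalName ?? "(unknown)";
            return $"AUTHORIZATION failed (403): principal {who} has no 'get' secret permission on this vault";
        }
        catch (KeyVaultErrorException ex)
        {
            return $"Key Vault error {(int?)ex.Response?.StatusCode}: {ex.Body?.Error?.Message}";
        }
    }

    // The provider's message is multi-line (one line per attempted method); keep the summary line.
    private static string FirstLine(string s)
    {
        int i = s.IndexOf('\n');
        return i < 0 ? s : s.Substring(0, i);
    }
}
```

Call it from a page handler with the secret identifier from the question, for example `await KeyVaultAuthDiagnostics.ProbeAsync("https://summitazurekey.vault.azure.net/secrets/AzureKey", "RunAs=App;")` in the deployed App Service, or with `"RunAs=Developer; DeveloperTool=AzureCli"` when debugging under IIS Express. Pinning the source makes the failure message name one method instead of four. Note that under full IIS the Azure CLI login belongs to the interactive user, not to the application pool identity, which is why the Azure CLI step in the original error ends with an access-denied error while trying to create `.azure` under the systemprofile directory.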

  3. saurabh sharma 76 Reputation points
    2020-03-30T17:48:38.417+00:00

    I tried your code and it worked fine for me on my local development environment.
    Can you please check if you have selected the correct Account under Azure Service Authentication in your Visual Studio. (Go to Visual Studio and Tools > Options).

    [Image: 6831-visualstudioauthentication.png (Visual Studio > Tools > Options > Azure Service Authentication)]

    Basically, when you run code locally the AppAuthentication library uses your developer credentials to connect from your local development environment and fetches tokens using either Visual Studio, Azure CLI or Azure AD Authentication. If none of the options works then you get the error you have posted in your question. Please refer to Local development authentication for details.

    However, if you are planning to deploy your web application to Azure then I suggest you use managed identity to authenticate to Azure Key Vault. Please refer to the documentation/sample below for details:


  4. Varun Sharma 1 Reputation point
    2020-03-31T16:36:34.077+00:00

    Is this deployed using IIS? It seems like that based on the error. Normally the VS token provider file is in the current user's profile, but it is looking at a different location here, as per the exception: Visual Studio Token provider file not found at "C:\Windows\system32\config\..."

    If deployed using IIS, please see this to resolve: https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#cant-retrieve-tokens-when-debugging-app-in-iis

    In general, it is easier to do local development using IIS Express, since it uses the current user's profile.


  5. Varun Sharma 1 Reputation point
    2020-04-01T18:53:31.407+00:00

    Can you please share more details about what you did to fix the issue? Did you try the link I had shared for running this in IIS?

    Also, can you please share the entire error message? In the most recent error message you shared, it only shows the error for Integrated Windows auth. Thanks!