question

MarekMatonok-4202 asked alfredorevilla-msft edited

Azure system managed identity - .AzureServiceTokenProviderException - no connection string specified after clean deployment and start

Hi,

We have an Azure App Service with .NET Framework 4.8 code.
The Azure App Service has system managed identity (MSI) enabled and configuration over an AAD group to Azure SQL Database.
This configuration worked fine until we re-created the environment.
After a couple of restarts we found another issue: Login failed for user '<token-identified principal>'
After a while and the next restart everything worked fine. During the investigation (30 min. to 1 hour) we did not change anything, only restarted.

Please take a look at the details and stack trace and let me know where you see the problem.
Do we need to wait a certain time after deployment and then start the Azure App Service? Any other ideas?

Thanks,
M


Details:

After the first deployment and start, our service was not able to connect to SQL Database.
We do not use any custom code to generate the access token; we use SqlAppAuthenticationProvider from System.Data.SqlClient 4.0.0.0, which already manages requests for the access token and caching, if the connection string contains:
Authentication=Active Directory Interactive;
or
Authentication=Active Directory Managed Identity; (for .NET Core)

Stack trace:

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\local\LocalAppData.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.

Parameters: Connection String: [No connection string specified], Resource: https://database.windows.net/, Authority: https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Failed to get user name from the operating system.

at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.<GetAuthResultAsyncImpl>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.<GetAuthenticationResultAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.<GetAuthenticationResultAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider.<AcquireTokenAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider.<AcquireTokenAsync>d__5.MoveNext()

azure-managed-identity

1 Answer

alfredorevilla-msft answered alfredorevilla-msft edited

Hello @marekmatonok-4202, sounds like an (inner) HttpClient exception. You might need to try doing network tracing to find the underlying network issue.


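An added example, not part of the original question or answer: a small Python triage helper that splits an `AzureServiceTokenProviderException` message of the shape quoted above into one entry per attempted method and reports why the Managed Service Identity attempt failed. The names `parse_attempts` and `triage` and the verdict labels are hypothetical, the sample message is constructed from the text in the question, and the helper assumes that on App Service only the Managed Service Identity attempt is expected to succeed.

```python
import re

# Constructed sample in the shape of the exception message quoted in the question.
PREFIX = ("Parameters: Connection String: [No connection string specified], "
          "Resource: https://database.windows.net/, Authority: "
          "https://login.windows.net/00000000-0000-0000-0000-000000000000. Exception Message: ")
SAMPLE = "\n".join(PREFIX + m for m in [
    "Tried the following 4 methods to get an access token, but none of them worked.",
    "Tried to get token using Managed Service Identity. Access token could not be "
    "acquired. An error occurred while sending the request.",
    "Tried to get token using Visual Studio. Access token could not be acquired. "
    'Visual Studio Token provider file not found at "<path>"',
    "Tried to get token using Azure CLI. Access token could not be acquired. "
    "'az' is not recognized as an internal or external command,\n"
    "operable program or batch file.",
    "Tried to get token using Active Directory Integrated Authentication. Access "
    "token could not be acquired. Failed to get user name from the operating system.",
])

# One match per attempted method; the reason runs to the next "Parameters:" block or the end.
ATTEMPT = re.compile(
    r"Exception Message: Tried to get token using (?P<method>.+?)\. "
    r"Access token could not be acquired\. (?P<reason>.*?)"
    r"(?=\s*Parameters: Connection String:|\s*\Z)", re.S)
HTTP_SEND_FAILURE = "An error occurred while sending the request."

def parse_attempts(message):
    """Return [(method, reason)] with whitespace in each reason collapsed."""
    return [(m["method"], " ".join(m["reason"].split()))
            for m in ATTEMPT.finditer(message)]

def triage(message, hosted_method="Managed Service Identity"):
    """Classify the failure of the one method expected to work on the host."""
    # Assumption: the other methods are fallbacks that cannot succeed on App Service.
    attempts = dict(parse_attempts(message))
    reason = attempts.get(hosted_method)
    if reason is None:
        verdict = "not-attempted"
    elif HTTP_SEND_FAILURE in reason:
        verdict = "http-transport-failure"  # the request itself failed; trace the network
    else:
        verdict = "provider-error"
    noise = sorted(k for k in attempts if k != hosted_method)
    return {"method": hosted_method, "reason": reason, "verdict": verdict, "noise": noise}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
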