How to fix"errorCode": "2100", "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error

Question

How to fix"errorCode": "2100", "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error

Shohid Rahman 30

Whenver I run a pipeline in synapse with a linked service I get this error. Bear in mind Ive used the default one which authenticates itself with a self managed identity, also I tried creating another one which to use a service principal. But I get the same error for both.

{ "errorCode": "2100", "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .. Account: 'Bobstorageaccount'. FileSystem: 'bc2adlsfolder'. Path: 'deltas.manifest.cdm.json'..,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .,Source=Microsoft.DataTransfer.Common,''Type=Microsoft.Identity.Client.MsalServiceException,Message=Request to the endpoint timed out.,Source=Microsoft.Identity.Client,''Type=System.Threading.Tasks.TaskCanceledException,Message=A task was canceled.,Source=mscorlib,'", "failureType": "UserError", "target": "Entities", "details": [] }

blob storage data contributor has been enabled for the managed identity / app reg.
Public network access is enabled
A private endpoint exists and is approved.

So far no one online has been of help

KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator

2023-10-03T00:17:06.34+00:00

@Shohid Rahman Thanks for using Microsoft Q&A forum and posting your query.

From the error message my understanding is that the issue is related to permission to your ADLS Gen2.

For Service principal, could you please ensure that it has configured the API permissions in your App registrations page as show below and the validate from Storage account IAM under Access control that the permissions have been applied to your Service principal :

Also kindly ensure to validate that the permissions (Storage blob data reader or Storage blob data contributor) are applied before testing the connection.

In addition, please make sure that the below troubleshooting steps have been followed: Troubleshoot the Azure Data Lake Storage connectors in Azure Data Factory and Azure Synapse

In case if you are doing a debug and testing with managed identity, then please grant permissions to managed identity as well the user who is debugging the pipeline because when we debug the pipeline using managed identity, the operation is executed on the user identity and the permissions are evaluated for that user before making a successful connection.

Hope this info helps. Let us know how it goes.

We look forward to your confirmation.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Shohid Rahman 30 Reputation points

2023-10-03T10:40:01.87+00:00

Rewriting this again as the last comment doesnt seem to have been added.
I have 2 linked services. And Im seeing a different problem with each.
The default workspace one which uses a system assigned managed identity and one I created that uses a service principal. Both have blob storage contributor roles to the storage account. The storage account has public access enabled. azure services are able to access the storage account. They both have the Synapse admin role within the synapse workspace and even though selected ips are allowed to access the synapse studio, azure services are allowed to access it. A private endoint has been created within synapse studio for the linked service as the storage account being public isnt desired in the future.

Service Principal linked identity:

After adding the correct api permissions (see the screenshot below) I still ended up with a error when trying a connection test for the linked service. I double checked the app reg client id and app reg secrets when configuring the linked service. Regardless I had this error "The operation has timed out. Activity ID: 2bafb7d3-979b-45f0-9507-afdb5649c48e"

System assigned Managed Identity linked service:

I have tried the microsft docs and the one recommended to me in the above post before but they have not been useful. The connection test succeeds. But when running in a synapse pipeline. The error code I am receiving is a 2100 which I have not seen before online. I am using a managed identity but still receiving an error about service prinicipal access tokens and a request to the endpoint timing out. Even though the endpoint has been correctly set up and approved.

{ "errorCode": "2100", "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .. Account: 'Bobstorageaccount'. FileSystem: 'bc2adlsfolder'. Path: 'deltas.manifest.cdm.json'..,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .,Source=Microsoft.DataTransfer.Common,''Type=Microsoft.Identity.Client.MsalServiceException,Message=Request to the endpoint timed out.,Source=Microsoft.Identity.Client,''Type=System.Threading.Tasks.TaskCanceledException,Message=A task was canceled.,Source=mscorlib,'", "failureType": "UserError", "target": "Entities", "details":

I hope someone can be of help.
KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator

2023-10-11T01:23:56.42+00:00

@Shohid Rahman This may need deeper investigation, please file a support ticket if you have support plan, in case if you don't have a support plan please let me know here.

Thank you
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Accepted answer

2 additional answers

Your answer

KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator

2023-10-03T00:17:06.34+00:00

@Shohid Rahman Thanks for using Microsoft Q&A forum and posting your query.

From the error message my understanding is that the issue is related to permission to your ADLS Gen2.

For Service principal, could you please ensure that it has configured the API permissions in your App registrations page as show below and the validate from Storage account IAM under Access control that the permissions have been applied to your Service principal :

Also kindly ensure to validate that the permissions (Storage blob data reader or Storage blob data contributor) are applied before testing the connection.

In addition, please make sure that the below troubleshooting steps have been followed: Troubleshoot the Azure Data Lake Storage connectors in Azure Data Factory and Azure Synapse

In case if you are doing a debug and testing with managed identity, then please grant permissions to managed identity as well the user who is debugging the pipeline because when we debug the pipeline using managed identity, the operation is executed on the user identity and the permissions are evaluated for that user before making a successful connection.

Hope this info helps. Let us know how it goes.

We look forward to your confirmation.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator

2023-10-11T01:23:56.42+00:00

@Shohid Rahman This may need deeper investigation, please file a support ticket if you have support plan, in case if you don't have a support plan please let me know here.

Thank you
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

@Shohid Rahman

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others Opens in new window or tab", I'll repost your solution in case you'd like to accept the answer Opens in new window or tab.

Error Message:

{
  "errorCode": "2100",
  "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .. Account: 'Bobstorageaccount'. FileSystem: 'bc2adlsfolder'. Path: 'deltas.manifest.cdm.json'..,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Failed to get access token by using service principal. Error: request_timeout, Error Message: Request to the endpoint timed out. A task was canceled. .,Source=Microsoft.DataTransfer.Common,''Type=Microsoft.Identity.Client.MsalServiceException,Message=Request to the endpoint timed out.,Source=Microsoft.Identity.Client,''Type=System.Threading.Tasks.TaskCanceledException,Message=A task was canceled.,Source=mscorlib,'",
  "failureType": "UserError",
  "target": "Entities",
  "details": []
}

Issue:

Whenver I run a pipeline in synapse with a linked service I get this error. Bear in mind Ive used the default one which authenticates itself with a self managed identity, also I tried creating another one which to use a service principal. But I get the same error for both.

Solution:

Turns out this issue was that data exfiltration was enabled on the workspace and once new workspace was created with data exfiltration disabled the issues were solved.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

I hope this helps!

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Shohid Rahman 30

Problem solved a while back.

Turns out this issue was that data exfiltration was enabled on the workspace and once I created a new workspace with it disabled the issues were solved.

Answer 3

Shohid Rahman 30

Problem solved a while back.

Turns out this issue was that data exfiltration was enabled on the workspace and once I created a new workspace with it disabled the issues were solved.

Share via

How to fix"errorCode": "2100", "message": "ErrorCode=AdlsGen2OperationFailed,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error

2 additional answers

Your answer