[ADFS] [Edge] [AzureStack] Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null. Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f' #26976

Open
keystroke opened this issue Jan 8, 2025 · 3 comments
Labels: Accounts (Issues in Az.Accounts except authentication related), Azure PS Team, Azure Stack, bug (This issue requires a change to an existing behavior in the product in order to be resolved), Tracking (We will track status and follow internally)

@keystroke

Description

When setting up Az to connect to a local environment like Azure Stack Hub, I am not able to sign in interactively.

I have tried every variation of cloud parameters and configuration, disabling WAM and disabling the v2 login experience / flow, and it still fails.

Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.

Issue script & Debug output

PS C:\> $DebugPreference='Continue'

PS C:\> Connect-AzAccount -Environment 'Foo' -Tenant '98b8267d-e97f-426e-8b3f-7956511fd63f' -Verbose
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 1:55:16 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 1:55:16 AM - Using Autosave scope 'CurrentUser'
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
VERBOSE: Performing the operation "log in" on target "User account in environment 'Foo'".
DEBUG: 1:55:16 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 1:55:16 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 1:55:16 AM - Using Autosave scope 'CurrentUser'
Please select the account you want to login with.

DEBUG: 1:55:16 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'adfs', Scopes:'https://management.domain/openid', AuthorityHost:'https://login.domain/adfs', RedirectUri:'http://localhost:8405/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.domain/openid ] ParentRequestId: 
DEBUG: Executing interactive authentication workflow inline.
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.domain/openid ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
 ---> System.ArgumentNullException (0x80004003): Value cannot be null.
Parameter name: tenantId
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Environment 'Foo' -Tenant '98b8267d-e97f-426e ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
 
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - [ConfigManager] Got [Off] from [LoginExperienceV2], Module = [], Cmdlet = [].
DEBUG: 1:55:16 AM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:4.0.0; CommandName: Connect-AzAccount; PSVersion: 5.1.20348.2031; IsSuccess: False; Duration: 00:00:00.4483324; SanitizeDuration: 00:00:00; Exception: InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.;
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - ConnectAzureRmAccountCommand end processing.

Environment data

PS C:\> $PSVersionTable

Name                           Value                                                                                                        
----                           -----                                                                                                        
PSVersion                      5.1.20348.2031                                                                                               
PSEdition                      Desktop                                                                                                      
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                      
BuildVersion                   10.0.20348.2031                                                                                              
CLRVersion                     4.0.30319.42000                                                                                              
WSManStackVersion              3.0                                                                                                          
PSRemotingProtocolVersion      2.3                                                                                                          
SerializationVersion           1.1.0.1

Module versions

PS C:\> Get-Module Az*

ModuleType Version    Name                                ExportedCommands                                                                  
---------- -------    ----                                ----------------                                                                  
Script     4.0.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}

Error output

PS C:\> Resolve-AzError
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:25:40 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 2:25:40 AM - using account id 'fb05dcc3-f65d-4f89-bc32-b1e0f8cd8378'...
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].


   HistoryId: 20


Message        : InteractiveBrowserCredential authentication failed: Value cannot be null.
                 Parameter name: tenantId
                 Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, 
                 IOpenIDConfiguration openIDConfigDoc, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope, Boolean IsInteractiveContextSelectionEnabled)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass134_2.<ExecuteCmdlet>b__7()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.Tasks.Task.Execute()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass134_1.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentNullException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
Message        : InteractiveBrowserCredential authentication failed: Value cannot be null.
                 Parameter name: tenantId
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__51.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateAsync>d__48.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__34.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, 
                 String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, 
                 IOpenIDConfiguration openIDConfigDoc, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope, Boolean IsInteractiveContextSelectionEnabled)
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
Message        : Value cannot be null.
                 Parameter name: tenantId
StackTrace     :    at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.WithTenantId(String tenantId)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenInteractiveCoreAsync>d__15.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenInteractiveAsync>d__14.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<GetTokenViaBrowserLoginAsync>d__53.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__51.MoveNext()
Exception      : System.ArgumentNullException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

keystroke added the labels bug and needs-triage (This is a new issue that needs to be triaged to the appropriate team) on Jan 8, 2025
microsoft-github-policy-service bot removed the needs-triage label on Jan 8, 2025

@keystroke
Author

Same thing using 'adfs' for the tenantId:

PS C:\> Connect-AzAccount -Environment Foo -Tenant adfs -Verbose
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 2:28:48 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 2:28:48 AM - Using Autosave scope 'CurrentUser'
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
VERBOSE: Performing the operation "log in" on target "User account in environment 'Foo'".
DEBUG: 2:28:48 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 2:28:48 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 2:28:48 AM - Using Autosave scope 'CurrentUser'
Please select the account you want to login with.

DEBUG: 2:28:48 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'adfs', Scopes:'https://management.domain/openid', AuthorityHost:'https://login.domain/adfs', RedirectUri:'http://localhost:8405/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.domain/openid ] ParentRequestId: 
DEBUG: Executing interactive authentication workflow inline.
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.domain/openid ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
 ---> System.ArgumentNullException (0x80004003): Value cannot be null.
Parameter name: tenantId
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain 'adfs'. Please ensure that the provided user is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Environment Foo -Tenant adfs -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
 
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - [ConfigManager] Got [Off] from [LoginExperienceV2], Module = [], Cmdlet = [].
DEBUG: 2:28:48 AM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:4.0.0; CommandName: Connect-AzAccount; PSVersion: 5.1.20348.2031; IsSuccess: False; Duration: 00:00:00.1419362; SanitizeDuration: 00:00:00; Exception: InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain 'adfs'. Please ensure that the provided user is found in the provided tenant domain.;
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - ConnectAzureRmAccountCommand end processing.

@keystroke
Author

Here is the environment configuration:

PS C:\> Get-AzEnvironment -Name Azure.local | fl *

Name                                              : Foo
Type                                              : User-defined
EnableAdfsAuthentication                          : True
OnPremise                                         : True
ActiveDirectoryServiceEndpointResourceId          : https://managment.domain
AdTenant                                          : 98b8267d-e97f-426e-8b3f-7956511fd63f
GalleryUrl                                        : 
ManagementPortalUrl                               : 
ServiceManagementUrl                              : 
PublishSettingsFileUrl                            : 
ResourceManagerUrl                                : https://managment.domain
SqlDatabaseDnsSuffix                              : 
StorageEndpointSuffix                             : domain
ActiveDirectoryAuthority                          : https://login.domain/adfs
GraphUrl                                          : https://graph.domain
GraphEndpointResourceId                           : 
TrafficManagerDnsSuffix                           : 
AzureKeyVaultDnsSuffix                            : .vault.domain
DataLakeEndpointResourceId                        : 
AzureDataLakeStoreFileSystemEndpointSuffix        : 
AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix : 
AzureKeyVaultServiceEndpointResourceId            : 
ContainerRegistryEndpointSuffix                   : .edgeacr.domain
AzureOperationalInsightsEndpointResourceId        : 
AzureOperationalInsightsEndpoint                  : 
AzureAnalysisServicesEndpointSuffix               : 
AnalysisServicesEndpointResourceId                : 
AzureAttestationServiceEndpointSuffix             : 
AzureAttestationServiceEndpointResourceId         : 
AzureSynapseAnalyticsEndpointSuffix               : 
AzureSynapseAnalyticsEndpointResourceId           : 
VersionProfiles                                   : {}
ExtendedProperties                                : {[MicrosoftGraphEndpointResourceId, https://graph.domain]}
BatchEndpointResourceId                           : 

keystroke changed the title from "Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null. Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'" to "[ADFS] [Edge] [AzureStack] Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null. Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'" on Jan 8, 2025

@isra-fel
Member

isra-fel commented Jan 8, 2025

Depending on Azure/azure-sdk-for-net#47584

isra-fel added the labels Azure PS Team, Azure Stack, Accounts and Tracking on Jan 9, 2025