Question

我们有一个Azure网络应用程序，通过Azure Multifactor身份验证进行身份验证，并访问Graph API和Power BI。我们已在Azure App注册上设置了所需的权限。我们使用Redis缓存在NaiveSessionCache中存储令牌详细信息。对于少数用户，当用户尝试登录时，我们收到以下错误。

AADSTS50079：用户需要使用多重身份验证

＆＃34; AADSTS50079：用户需要使用多重身份验证。\ r \ nTrace ID：63c180a9-6951-4a8a-96ca-e1ff38fc4400 \ r \ n相关ID：3f12d4b1-d401-4d99-be30-36bf972d74a5 \ r \ n时间戳：2017-08-21 14：21：59Z＆＃34;，＆＃34; parsedStack＆＃34;：[{＆＃34; assembly＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory ，Version = 3.13.9.1126，Culture = neutral，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34; method＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient + d__21 1.MoveNext","level":0,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":1,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":2,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.13.9.1126, Culture=neutral, PublicKeyToken=31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient+<GetResponseAsync>d__20 1.MoveNext＆＃34;，＆＃34; level＆＃34;：3，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;，＆＃34; level＆＃34;：4，＆＃34 ; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34; ：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34;＆＃34;利el＆＃34;：5，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory，Version = 3.13.9.1126，Culture = neutral ，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34;方法＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__67.MoveNext＆＃34;，＆＃34; level＆＃34;：6，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃ 34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;＆＃34;电平＆＃34;：7，＆＃34;线＆＃34;：0}，{＆＃34;组装＆＃ 34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34 ;，＆＃34; level＆＃34;：8，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory，Version = 3.13 .9.1126，Culture = neutral，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34; method＆＃34;：＆＃34; Microsoft.Identit yModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__64.MoveNext＆＃34;＆＃34;电平＆＃34;：9，＆＃34;线＆＃34;：0}，{＆＃34;组装＆＃34;：＆＃ 34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;，＆＃34 ; level＆＃34;：10，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃ 34;，＆＃34;方法＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34;＆＃34;电平＆＃34;：11，＆＃34;线＆＃34;：0 }，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System。 Runtime.CompilerServices.TaskAwaiter.ValidateEnd＆＃34;＆＃34;电平＆＃34;：12，＆＃34;线＆＃34;：0}，{＆＃34;组装＆＃34;：＆＃34;微软。 IdentityModel.Clients.ActiveDirectory，Version = 3.13.9.1126，Culture = neutral，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34; method＆＃34;：＆＃34; Micro soft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__55.MoveNext＆＃34;＆＃34;电平＆＃34;：13，＆＃34;线＆＃34;：0}，{＆＃34;组装＆＃34 ;: ＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;，＆＃34; level＆＃34;：14，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;＆＃34;方法＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34;＆＃34;电平＆＃34;：15，＆＃34;线＆＃34; ：0}，{＆＃34; assembly＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory，Version = 3.13.9.1126，Culture = neutral，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34; method＆＃34 ;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__48.MoveNext＆＃34;＆＃34;电平＆＃34;：16，＆＃34;线＆＃34;：0}，{＆＃34 ; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，PublicKeyToken = b77a5c5 61934e089＆＃34;＆＃34;方法＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;＆＃34;电平＆＃34;：17，＆＃34;线＆＃34; ：0}，{＆＃34;汇编＆＃34;：＆＃34; mscorlib，版本= 4.0.0.0，文化=中立，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34;方法＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34;＆＃34;电平＆＃34;：18，＆＃34;线＆＃34;：0}，{＆＃34;组装＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory，Version = 3.13.9.1126，Culture = neutral，PublicKeyToken = 31bf3856ad364e35＆＃34;，＆＃34; method＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__30。 MoveNext＆＃34;，＆＃34; level＆＃34;：19，＆＃34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0， Culture = neutral，PublicKeyToken = b77a5c561934e089＆＃34;，＆＃34; method＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess＆＃34;，＆＃34; level＆＃34;：20，＆＃ 34; line＆＃34;：0}，{＆＃34; assembly＆＃34;：＆＃34; mscorlib，Version = 4.0.0.0，Culture = neutral，Publ icKeyToken = b77a5c561934e089＆＃34;＆＃34;方法＆＃34;：＆＃34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification＆＃34;＆＃34;电平＆＃34;：21，＆＃34;线＆＃ 34;：0}，{＆＃34;汇编＆＃34;：＆＃34;汇编，版本= 1.0.0.0，文化=中立，PublicKeyToken = null＆＃34;，＆＃34;方法＆＃34;：＆＃ 34;启动+ LT;＆以及c + LT; b__8_0＆GT; d.MoveNext＆＃34;＆＃34;电平＆＃34;：22，＆＃34;线＆＃34;：68，＆＃34;文件名＆＃34 ;：＆＃34; App_Start \ Startup.Auth.cs＆＃34;}]，＆＃34;类型＆＃34;：＆＃34; Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException＆＃34;＆＃34;＆ID ＃34;：＆＃34; 52129856＆＃34;

以下是用于接收授权码的startup.cs文件。

public void ConfigureAuth（IAppBuilder app）{ 尝试 {

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    AuthenticationMode = AuthenticationMode.Active,
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                        AuthorizationCodeReceived = async (context) =>
                        {
                            try {
                                IConnectionString _connectionString = new RedisConnectionString(ConfigurationReader.RedisCacheConfig as string);

                                ICacheManager cacheManager = new RedisCacheManager(_connectionString);
                                var code = context.Code;
                                ClientCredential credential = new ClientCredential(clientId, appKey);
                                string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(Constants.OBJECT_IDENTIFIER).Value;

                                AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(signedInUserID));
                                //Getting Power BI token
                                AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                                    code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, pbiResourceID);

                                //Getting Graph token
                                AuthenticationResult graphResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
                                    code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
                                UserTokenCache cache = new UserTokenCache
                                {
                                    GraphAccessToken = graphResult.AccessToken,
                                    PBIAccessToken = result.AccessToken,
                                    PBITokenExpires = result.ExpiresOn,
                                    GraphTokenExpires = graphResult.ExpiresOn
                                };

                                string encryptedCache = CryptographyUtility.Encrypt(JsonConvert.SerializeObject(cache));

                                cacheManager.set(signedInUserID, encryptedCache);
                            } catch (Exception ex)
                            {
                                ExceptionLogger.LogInApplicationInsight(ex);
                            }
                        },
                        AuthenticationFailed = async (context) =>
                        {
                            ExceptionLogger.LogInApplicationInsight(context.Exception);
                            await Task.FromResult(0);
                        }

                    }
                });
        }
        catch (SystemException sx)
        {
            ExceptionLogger.LogInApplicationInsight(sx);
        }
        catch (ApplicationException ax)
        {
            ExceptionLogger.LogInApplicationInsight(ax);
        }
        catch (Exception ex)
        {
            ExceptionLogger.LogInApplicationInsight(ex);
        }
    }

我在这里遗漏了什么吗？由于这一点，很少有用户无法获得令牌，并且未加载嵌入式Power BI报告

Answer 1

此错误表示用户需要注册或执行多重身份验证。

500079：注册MFA

500076：用户必须执行MFA

要解决这两个问题，请使用相同的协议。您的应用需要执行指定失败资源的交互式请求。

让我们说你试图获得需要MFA的Microsoft Graph令牌。您可能已经为其他资源授予了刷新令牌（或者已经登录而未请求资源），然后您向Azure AD请求Microsoft Graph的新令牌。此请求位于/token端点，该端点是POST，无法执行MFA。然后，您的应用程序应捕获此错误，并执行新请求（使用AcquireToken或OWIN OpenId Connect挑战），要求resource=https://graph.microsoft.com或任何资源失败。

使用＆＃39; AADSTS50079登录Azure Web应用程序失败：用户需要使用多重身份验证＆＃39;

1 个答案: