我们有一个Azure网络应用程序,通过Azure Multifactor身份验证进行身份验证,并访问Graph API和Power BI。我们已在Azure App注册上设置了所需的权限。我们使用Redis缓存在NaiveSessionCache中存储令牌详细信息。对于少数用户,当用户尝试登录时,我们收到以下错误。
AADSTS50079:用户需要使用多重身份验证
&#34; AADSTS50079:用户需要使用多重身份验证。\ r \ nTrace ID:63c180a9-6951-4a8a-96ca-e1ff38fc4400 \ r \ n相关ID:3f12d4b1-d401-4d99-be30-36bf972d74a5 \ r \ n时间戳:2017-08-21 14:21:59Z&#34;,&#34; parsedStack&#34;:[{&#34; assembly&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory ,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35&#34;,&#34; method&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient + d__21 1.MoveNext","level":0,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess","level":1,"line":0},{"assembly":"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","method":"System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification","level":2,"line":0},{"assembly":"Microsoft.IdentityModel.Clients.ActiveDirectory, Version=3.13.9.1126, Culture=neutral, PublicKeyToken=31bf3856ad364e35","method":"Microsoft.IdentityModel.Clients.ActiveDirectory.AdalHttpClient+<GetResponseAsync>d__20
1.MoveNext& #34;,&#34; level&#34;:3,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;,&#34; level&#34;:4,&#34 ; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34; :&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34;&#34;利el&#34;:5,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral ,PublicKeyToken = 31bf3856ad364e35&#34;,&#34;方法&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__67.MoveNext&#34;,&#34; level&#34;:6,& #34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&# 34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;&#34;电平&#34;:7,&#34;线&#34;:0},{&#34;组装&# 34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34 ;,&#34; level&#34;:8,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13 .9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35&#34;,&#34; method&#34;:&#34; Microsoft.Identit yModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__64.MoveNext&#34;&#34;电平&#34;:9,&#34;线&#34;:0},{&#34;组装&#34;:&# 34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;,&#34 ; level&#34;:10,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&# 34;,&#34;方法&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34;&#34;电平&#34;:11,&#34;线&#34;:0 },{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System。 Runtime.CompilerServices.TaskAwaiter.ValidateEnd&#34;&#34;电平&#34;:12,&#34;线&#34;:0},{&#34;组装&#34;:&#34;微软。 IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35&#34;,&#34; method&#34;:&#34; Micro soft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase + d__55.MoveNext&#34;&#34;电平&#34;:13,&#34;线&#34;:0},{&#34;组装&#34 ;: &#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;,& #34; level&#34;:14,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;&#34;方法&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34;&#34;电平&#34;:15,&#34;线&#34; :0},{&#34; assembly&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35&#34;,&#34; method&#34 ;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__48.MoveNext&#34;&#34;电平&#34;:16,&#34;线&#34;:0},{&#34 ; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,PublicKeyToken = b77a5c5 61934e089&#34;&#34;方法&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;&#34;电平&#34;:17,&#34;线&#34; :0},{&#34;汇编&#34;:&#34; mscorlib,版本= 4.0.0.0,文化=中立,PublicKeyToken = b77a5c561934e089&#34;,&#34;方法&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34;&#34;电平&#34;:18,&#34;线&#34;:0},{&#34;组装&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory,Version = 3.13.9.1126,Culture = neutral,PublicKeyToken = 31bf3856ad364e35&#34;,&#34; method&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext + d__30。 MoveNext&#34;,&#34; level&#34;:19,&#34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0, Culture = neutral,PublicKeyToken = b77a5c561934e089&#34;,&#34; method&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess&#34;,&#34; level&#34;:20,&# 34; line&#34;:0},{&#34; assembly&#34;:&#34; mscorlib,Version = 4.0.0.0,Culture = neutral,Publ icKeyToken = b77a5c561934e089&#34;&#34;方法&#34;:&#34; System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification&#34;&#34;电平&#34;:21,&#34;线&# 34;:0},{&#34;汇编&#34;:&#34;汇编,版本= 1.0.0.0,文化=中立,PublicKeyToken = null&#34;,&#34;方法&#34;:&# 34;启动+ LT;&以及c + LT; b__8_0&GT; d.MoveNext&#34;&#34;电平&#34;:22,&#34;线&#34;:68,&#34;文件名&#34 ;:&#34; App_Start \ Startup.Auth.cs&#34;}],&#34;类型&#34;:&#34; Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException&#34;&#34;&ID #34;:&#34; 52129856&#34;
以下是用于接收授权码的startup.cs文件。
public void ConfigureAuth(IAppBuilder app){ 尝试 {
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
AuthenticationMode = AuthenticationMode.Active,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived = async (context) =>
{
try {
IConnectionString _connectionString = new RedisConnectionString(ConfigurationReader.RedisCacheConfig as string);
ICacheManager cacheManager = new RedisCacheManager(_connectionString);
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(Constants.OBJECT_IDENTIFIER).Value;
AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(signedInUserID));
//Getting Power BI token
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, pbiResourceID);
//Getting Graph token
AuthenticationResult graphResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
UserTokenCache cache = new UserTokenCache
{
GraphAccessToken = graphResult.AccessToken,
PBIAccessToken = result.AccessToken,
PBITokenExpires = result.ExpiresOn,
GraphTokenExpires = graphResult.ExpiresOn
};
string encryptedCache = CryptographyUtility.Encrypt(JsonConvert.SerializeObject(cache));
cacheManager.set(signedInUserID, encryptedCache);
} catch (Exception ex)
{
ExceptionLogger.LogInApplicationInsight(ex);
}
},
AuthenticationFailed = async (context) =>
{
ExceptionLogger.LogInApplicationInsight(context.Exception);
await Task.FromResult(0);
}
}
});
}
catch (SystemException sx)
{
ExceptionLogger.LogInApplicationInsight(sx);
}
catch (ApplicationException ax)
{
ExceptionLogger.LogInApplicationInsight(ax);
}
catch (Exception ex)
{
ExceptionLogger.LogInApplicationInsight(ex);
}
}
我在这里遗漏了什么吗?由于这一点,很少有用户无法获得令牌,并且未加载嵌入式Power BI报告
答案 0 :(得分:5)
此错误表示用户需要注册或执行多重身份验证。
500079
:注册MFA
500076
:用户必须执行MFA
要解决这两个问题,请使用相同的协议。您的应用需要执行指定失败资源的交互式请求。
让我们说你试图获得需要MFA的Microsoft Graph令牌。您可能已经为其他资源授予了刷新令牌(或者已经登录而未请求资源),然后您向Azure AD请求Microsoft Graph的新令牌。此请求位于/token
端点,该端点是POST,无法执行MFA。然后,您的应用程序应捕获此错误,并执行新请求(使用AcquireToken或OWIN OpenId Connect挑战),要求resource=https://graph.microsoft.com
或任何资源失败。