I have a multi-tenant Azure AD application. It has worked fine for over a year. Let's say the application is published by the "Azure" Azure AD tenant. If I sign in to the application with an account from the "corp" tenant, the application works as expected. However, if I access the application with an account from another tenant, I get the error message
"Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net"
I found this article, which looks very similar to the problem I am seeing. We recently enabled Conditional Access in the "corp" Azure AD tenant, but not specifically for this application. I tried updating ADAL to version 3.19.2, but the error persists.
The application works with a test Azure AD in my development environment. I think ADAL has some kind of problem with my company's AAD tenant's Conditional Access policies. However, since this application has no specific CA policy, I am not even sure why it tries to access a device certificate to verify whether the device is registered in AAD.
Error details
Description:
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net
Stack Trace:
[AdalException: Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net]
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificateByCertAuthorities(IDictionary`2 challengeData, X509Certificate2Collection certCollection) +710
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificate(IDictionary`2 challengeData) +138
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.<CreateDeviceAuthChallengeResponseAsync>d__2.MoveNext() +144
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<HandleDeviceAuthChallengeAsync>d__25`1.MoveNext() +479
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__22`1.MoveNext() +3220
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__21`1.MoveNext() +359
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendHttpMessageAsync>d__72.MoveNext() +401
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendTokenRequestAsync>d__69.MoveNext() +415
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext() +605
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<RunAsync>d__57.MoveNext() +4005
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenCommonAsync>d__37.MoveNext() +451
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenAsync>d__0.MoveNext() +313
[AggregateException: One or more errors occurred.]
System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +116
AvanadeExternalAccess.Utils.AzureADAuthHelper.GetAuthResult() +397
AvanadeExternalAccess.Utils.InvitationManager.GetUrl(Invitation Invite) +24
AvanadeExternalAccess.Controllers.HomeController.Index() +616
lambda_method(Closure , ControllerBase , Object[] ) +87
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +1180
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +1366
System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +40
System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +74
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +43
System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +72
System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +385
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +43
System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +30
System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +185
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +39
System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +29
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +52
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +36
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +39
System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +43
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +39
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +649
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +131
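The exception above is raised while ADAL answers a device-authentication challenge (see the HandleDeviceAuthChallengeAsync and FindCertificateByCertAuthorities frames), and the Cert Authorities string it quotes tells you which issuer ADAL looked for. The following Python script is an added diagnostic, not code from the question or from ADAL: it parses that message out of application logs, splits the issuer DN, and compares the OU component against the tenant ID you expect, so you can tell whether the challenge is coming from your own "corp" tenant's policy or from the other tenant's. Treating the OU of the MS-Organization-Access issuer as the challenging tenant's ID is an assumption of this example; confirm it against your tenant's ID in the portal. The sample log lines are constructed (line 1 copies the message from the question, line 2 uses a made-up OU).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regex for the message ADAL raised on this page:
#   "Device Certificate was not found for Cert Authorities:OU=...,CN=...,DC=...,DC=..."
# The DN runs to end of line or to a closing ']' (the ASP.NET error page wraps it in brackets).
_DEVICE_CERT_RE = re.compile(
    r"Device Certificate was not found for Cert Authorities:\s*(?P<dn>[^\]\r\n]+)"
)


@dataclass
class DeviceAuthChallenge:
    cert_authorities: str       # raw DN string quoted in the exception message
    issuer_cn: Optional[str]    # CN component, e.g. MS-Organization-Access
    tenant_hint: Optional[str]  # OU component; ASSUMED to be the challenging tenant's ID


def parse_dn(dn: str) -> dict:
    """Split 'OU=a,CN=b,DC=c,DC=d' into {'OU': ['a'], 'CN': ['b'], 'DC': ['c', 'd']}.

    Keys are upper-cased and whitespace around '=' is tolerated, so a copy of the
    message with spaces inserted (as in a translated error page) still parses.
    """
    parts: dict = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        parts.setdefault(key.strip().upper(), []).append(value.strip())
    return parts


def parse_device_cert_error(message: str) -> Optional[DeviceAuthChallenge]:
    """Return challenge details if `message` is ADAL's device-certificate-not-found error, else None."""
    match = _DEVICE_CERT_RE.search(message)
    if not match:
        return None
    dn_text = match.group("dn").strip()
    dn = parse_dn(dn_text)
    return DeviceAuthChallenge(
        cert_authorities=dn_text,
        issuer_cn=(dn.get("CN") or [None])[0],
        tenant_hint=(dn.get("OU") or [None])[0],
    )


def triage_log(lines: List[str], expected_tenant_id: str) -> List[Tuple[int, str]]:
    """Classify every line that mentions AdalException. Verdicts:

      device_auth_challenge/expected_tenant  - challenge issuer OU matches the tenant you expected
      device_auth_challenge/other_tenant     - challenge issuer OU is a different tenant
      other_adal_error                       - an AdalException unrelated to device authentication

    Lines without AdalException are skipped.
    """
    verdicts: List[Tuple[int, str]] = []
    for no, line in enumerate(lines, start=1):
        if "AdalException" not in line:
            continue
        info = parse_device_cert_error(line)
        if info is None:
            verdicts.append((no, "other_adal_error"))
        elif info.tenant_hint and info.tenant_hint.lower() == expected_tenant_id.lower():
            verdicts.append((no, "device_auth_challenge/expected_tenant"))
        else:
            verdicts.append((no, "device_auth_challenge/other_tenant"))
    return verdicts


# Constructed sample log: line 1 copies the message from the question, line 2 uses a
# made-up OU, line 3 is an unrelated (constructed) ADAL error, line 4 is noise.
SAMPLE_LOG = [
    "[AdalException: Device Certificate was not found for Cert Authorities:"
    "OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net]",
    "AdalException: Device Certificate was not found for Cert Authorities:"
    "OU=00000000-0000-0000-0000-000000000000,CN=MS-Organization-Access,DC=windows,DC=net",
    "AdalException: Some other token acquisition failure (constructed)",
    "Request completed in 12 ms",
]

if __name__ == "__main__":
    # Replace the tenant ID below with the one you expect to be applying Conditional Access.
    for no, verdict in triage_log(SAMPLE_LOG, "82dbaca4-3e81-46ca-9c73-0950c1eaca97"):
        print(no, verdict)
```

When reading the trace from the question, note that the AggregateException frame comes from blocking on the task with `.Result` in `GetAuthResult()`; the AdalException you want to log and parse is its inner exception, so make sure your logging records the inner message rather than only "One or more errors occurred."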
Answer 0: (score: 1)
That error only occurs for resources that use device-based conditions in Azure AD. For example, we have CA policies for Exchange Online and SharePoint Online where, for any location, the device must be Compliant or Hybrid Azure AD joined. However, and this is where it gets complicated, any resource or application that calls a service/application with Conditional Access applied must also have the same or a higher CA policy in order to pass that header information on to the resource you are accessing. This is detailed here.
Answer 1: (score: 0)
This error can indicate that the user has Conditional Access enabled and a domain-joined device is required. ADAL does not currently support this scenario. The guidance is to use MFA only, without requiring a domain-joined device. ADAL does not have Windows 10 WAM certificate support, which would allow domain-joined devices and MFA to authenticate. This is in the backlog. Vote for the issue here to help gauge impact and customer interest.
Answer 2: (score: 0)
This error occurs because your VM is not joined to the Azure AD domain. If it worked before and then stopped working, it is because your company has implemented a new policy.
I ran into a similar problem when running a PowerShell script. I was trying to access AZ.KeyVault and Get-AzKeyVaultSecret. I also had problems when installing the on-premises data gateway.
Important: to perform the following steps, you must log in to the VM with an account that exists in Azure AD; you can try using a personal account. If you are using a service account, there is a good chance that the service account is not in Azure AD.
Try again and it should work. Cheers