The challenge resource does not match the requested domain #30352

Open
TheOnlyWei opened this issue Nov 14, 2024 · 2 comments
Labels: Auto-Assign, Azure CLI Team, KeyVault, question, Similar-Issue


TheOnlyWei commented Nov 14, 2024

Describe the bug

I am using the nightly build (https://aka.ms/InstallAzureCliWindowsEdge) of Azure CLI. I am running on an Azure Stack Hub on-premises environment and constantly getting the following error after running az keyvault secret set --name $secretName --vault-name $keyVaultName --value $secretValue or az keyvault secret list --vault-name $keyVaultName:

az : ERROR: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
At line:1 char:1
+ az keyvault secret set --name $kvSecretName --vault-name $keyVaultNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: The chal...re information.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

The error provides a guidance link for using Key Vault library:
https://devblogs.microsoft.com/azure-sdk/guidance-for-applications-using-the-key-vault-libraries/

It seems the Python SDK that Azure CLI is using needs to be reconfigured with verify_challenge_resource=False.

@evelyn-ys The verify_challenge_resource=False seems to be removed from a recent commit by you:
7506f6a#diff-43e8fd41c5f3cf4adf60013c63cf281be32af25ceadfde705d279fa917017dc6L257****

Related command

az keyvault secret set --name $secretName --vault-name $keyVaultName --value $secretValue
az keyvault secret list --vault-name $keyVaultName
...etc

Errors

az : ERROR: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
At line:1 char:1
+ az keyvault secret set --name $kvSecretName --vault-name $keyVaultNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ERROR: The chal...re information.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Issue script & Debug output

az : DEBUG: cli.knack.log: File logging enabled - writing logs to 'C:\CloudDeployment\BVTs\Output\AZSDKTOOLSCTQ\CLITestLogs'.
At line:1 char:1
+ az keyvault secret list --vault-name $keyVaultName --debug
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (DEBUG: cli.knac...Q\CLITestLogs'.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
DEBUG: cli.knack.cli: Command arguments: ['keyvault', 'secret', 'list', '--vault-name', 'clicanurgkv', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x01F02A78>, <function OutputProducer.on_global_arguments at 0x02142618>, <function 
CLIQuery.on_global_arguments at 0x02149118>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: keyvault                  0.010        11        71
DEBUG: cli.azure.cli.core: Total (1)                 0.010        11        71
DEBUG: cli.azure.cli.core: Loaded 11 groups, 71 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : keyvault secret list
DEBUG: cli.azure.cli.core: Command table: keyvault secret list
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x040E9528>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Administrator.N42R1103-DVM\.azure\commands\2024-11-14.08-35-36.keyvault_secret_list.2940.log'.
INFO: az_command_data_logger: command args: keyvault secret list --vault-name {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0410D258>]
DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'NetworkRuleBypassOptions'

DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'NetworkRuleAction'

DEBUG: cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 656, in _get_attr
AttributeError: module 'azure.mgmt.keyvault.v2016_10_01.models' has no attribute 'PublicNetworkAccess'

DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x041392F8>, <function 
register_cache_arguments.<locals>.add_cache_arguments at 0x04139398>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x041393E8>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02142668>, <function CLIQuery.handle_query_parameter at 0x02149168>, <function 
register_ids_argument.<locals>.parse_ids_arguments at 0x04139348>]
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\Administrator.N42R1103-DVM\\.azure\\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\Administrator.N42R1103-DVM\.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs
DEBUG: msal.authority: openid_config("https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/.well-known/openid-configuration") = {'issuer': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be/', 'authorization_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/authorize/', 'token_endpoint': 'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/token/', 'jwks_uri': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/discovery/keys', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'private_key_jwt', 
'windows_client_authentication'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token', 'code token', 'code id_token token'], 'response_modes_supported': ['query', 
'fragment', 'form_post'], 'grant_types_supported': ['authorization_code', 'refresh_token', 'client_credentials', 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'implicit', 'password', 'srv_challenge', 
'urn:ietf:params:oauth:grant-type:device_code', 'device_code'], 'subject_types_supported': ['pairwise'], 'scopes_supported': ['email', 'openid', 'vpn_cert', 'user_impersonation', 'winhello_cert', 
'allatclaims', 'logon_cert', '.default', 'profile', 'aza'], 'id_token_signing_alg_values_supported': ['RS256'], 'token_endpoint_auth_signing_alg_values_supported': ['RS256'], 'access_token_issuer': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be/', 'claims_supported': ['aud', 'iss', 'iat', 'exp', 'auth_time', 'nonce', 'at_hash', 'c_hash', 
'sub', 'upn', 'unique_name', 'pwd_url', 'pwd_exp', 'mfa_auth_time', 'sid', 'nbf'], 'microsoft_multi_refresh_token': True, 'userinfo_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/userinfo', 'capabilities': ['kdf_ver2'], 'end_session_endpoint': 
'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/logout', 'as_access_token_token_binding_supported': False, 'as_refresh_token_token_binding_supported': False, 
'resource_access_token_token_binding_supported': False, 'op_id_token_token_binding_supported': False, 'rp_id_token_token_binding_supported': False, 'frontchannel_logout_supported': True, 
'frontchannel_logout_session_supported': True, 'device_authorization_endpoint': 'https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/oauth2/devicecode'}
DEBUG: msal.application: Broker enabled? False
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com/secrets?api-version=2016-10-01'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6bc52e2c-a263-11ef-919b-00155d747ebe'
DEBUG: cli.azure.cli.core.sdk.policies:     'CommandName': 'keyvault secret list'
DEBUG: cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--vault-name --debug'
DEBUG: cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.67.0 (MSI) azsdk-python-core/1.31.0 Python/3.12.7 (Windows-2022Server-10.0.20348-SP0)'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com:443
DEBUG: urllib3.connectionpool: https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com:443 "GET /secrets?api-version=2016-10-01 HTTP/1.1" 401 87
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 401
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Length': '87'
DEBUG: cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies:     'Server': 'Microsoft-HTTPAPI/2.0'
DEBUG: cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-region': 'redmond'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '6bc52e2c-a263-11ef-919b-00155d747ebe'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'cf29485a-cb96-4ca4-9e68-70e0afa7b568'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-service-version': '1.4.02047.584'
DEBUG: cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-network-info': 'conn_type=Ipv4;addr=100.83.116.123;act_addr_fam=InterNetwork;'
DEBUG: cli.azure.cli.core.sdk.policies:     'WWW-Authenticate': 'Bearer authorization="https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com/adfs/bdda779d-3231-4e05-b026-f4d5989a92be", 
resource="https://vault.adfs.n42r1103.masd.stbtest.microsoft.com/bdda779d-3231-4e05-b026-f4d5989a92be"'
DEBUG: cli.azure.cli.core.sdk.policies:     'Date': 'Thu, 14 Nov 2024 08:35:37 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 113, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 12, in _multi_transformers
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 29, in filter_out_managed_resources
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/secrets/_generated/v2016_10_01/operations/_key_vault_client_operations.py", line 4591, in get_next
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 229, in run
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 86, in send
  [Previous line repeated 2 more times]
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_redirect.py", line 197, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 532, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_authentication.py", line 156, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 104, in on_challenge
ValueError: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to disable 
this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
knack.util.CLIError: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's constructor to 
disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.

ERROR: cli.azure.cli.core.azclierror: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your 
client's constructor to disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
ERROR: az_command_data_logger: The challenge resource 'vault.adfs.n42r1103.masd.stbtest.microsoft.com' does not match the requested domain. Pass `verify_challenge_resource=False` to your client's 
constructor to disable this verification. See https://aka.ms/azsdk/blog/vault-uri for more information.
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x040E9668>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.__main__: Command ran in 1.377 seconds (init: 0.353, invoke: 1.024)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 4086 in cache file under C:\Users\Administrator.N42R1103-DVM\.azure\telemetry\20241114083537610
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft 
SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\Administrator.N42R1103-DVM\.azure C:\Users\Administrator.N42R1103-DVM\.azure\telemetry\20241114083537610"
INFO: telemetry.process: Return from creating process 8084
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

Should not throw an error on Azure Stack Hub on-premises environment with custom domains.

Environment Summary

azure-cli                         2.67.0
core                              2.67.0
telemetry                          1.1.0
Dependencies:
msal                              1.31.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\Administrator.N42R1103-DVM\.azure\cliextensions'

Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct  1 2024, 02:44:45) [MSC v.1941 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
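For readers trying to understand what the CLI is actually rejecting here, the following is an added example (not code from azure-cli, the Azure SDK, or the issue author). It models the check described in the linked guidance (https://aka.ms/azsdk/blog/vault-uri): the host named in the `resource` of the vault's `WWW-Authenticate` challenge must be a parent domain of the host the request went to, otherwise the client must not go and fetch a token for it. The helper names, the regex and the exact suffix rule are this example's own assumptions; the request URL and challenge header are copied from the `--debug` output above.

```python
"""Key Vault challenge-resource verification, modeled on the SDK guidance.

Added example, not code from azure-cli or the Azure SDK. The suffix rule,
the regex and the function names are assumptions of this example.
"""
import re
from urllib.parse import urlparse

# Constructed inputs, copied from the issue's --debug output above.
REQUEST_URL = (
    "https://clicanurgkv.vault.redmond.ext-n42r1103.masd.stbtest.microsoft.com"
    "/secrets?api-version=2016-10-01"
)
WWW_AUTHENTICATE = (
    'Bearer authorization="https://adfs.redmond.ext-n42r1103.masd.stbtest.microsoft.com'
    '/adfs/bdda779d-3231-4e05-b026-f4d5989a92be", '
    'resource="https://vault.adfs.n42r1103.masd.stbtest.microsoft.com'
    '/bdda779d-3231-4e05-b026-f4d5989a92be"'
)

# Matches key="value" pairs of a Bearer challenge (this example's own regex).
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header: str) -> dict:
    """Split a 'Bearer k="v", k2="v2"' challenge into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme {scheme!r}")
    return dict(_PARAM_RE.findall(params))


def challenge_resource_matches(request_url: str, resource: str) -> bool:
    """True when the request host is a subdomain of the challenge resource host.

    'myvault.vault.azure.net' ends with '.vault.azure.net', so a challenge
    naming https://vault.azure.net is accepted. In this issue the challenge
    names 'vault.adfs.n42r1103...' while the request went to
    'clicanurgkv.vault.redmond.ext-n42r1103...', so the check fails.
    """
    request_host = urlparse(request_url).hostname or ""
    resource_host = urlparse(resource).hostname or ""
    if not resource_host:
        raise ValueError(f"challenge contains invalid resource {resource!r}")
    return request_host.lower().endswith("." + resource_host.lower())


def authorize_with_challenge(request_url: str, header: str, verify: bool = True) -> str:
    """Return the token scope the client would request for this challenge.

    With verify=True (the default the error message refers to) a mismatching
    resource is refused. Disabling it means any endpoint the client talks to
    can answer 401 with a challenge for a *different* resource and receive a
    bearer token minted for that resource, so only do that for a vault whose
    custom domain you have confirmed out of band.
    """
    params = parse_challenge(header)
    resource = params.get("resource")
    if resource is None:
        raise ValueError("challenge has no resource parameter")
    if verify and not challenge_resource_matches(request_url, resource):
        raise ValueError(
            f"The challenge resource '{urlparse(resource).hostname}' does not "
            "match the requested domain."
        )
    # Assumption: the scope is the resource with '/.default' appended.
    return resource.rstrip("/") + "/.default"


if __name__ == "__main__":
    try:
        authorize_with_challenge(REQUEST_URL, WWW_AUTHENTICATE)
    except ValueError as exc:
        print("rejected:", exc)
    print("with verification off:", authorize_with_challenge(REQUEST_URL, WWW_AUTHENTICATE, verify=False))
```

Run it as-is and it reproduces the rejection from the log; flip `verify` to `False` and it returns the ADFS-scoped resource the CLI would then request a token for, which is the behaviour the issue is asking the CLI to restore for Azure Stack Hub.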

@TheOnlyWei TheOnlyWei added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 14, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot KeyVault az keyvault labels Nov 14, 2024
yonzhan commented Nov 14, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 14, 2024
@TheOnlyWei TheOnlyWei changed the title The challenge resource does not match the requested domain. The challenge resource does not match the requested domain Nov 14, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 14, 2024
@yonzhan yonzhan added this to the Backlog milestone Nov 14, 2024