401 Unauthorized - error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
Closed this issue · 4 comments
fowl2 commented
My colleague is getting this error (originally just the 401 with no details in VS) using devtunnels.
Full `devtunnel list -v` output
(Username and tenant ID redacted)

C:\Users\REDACTED_USERNAME>devtunnel list -v
Using token cache file: C:\Users\REDACTED_USERNAME\AppData\Local\DevTunnels\devtunnels-tokens-github
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'False'
MSAL-Cache: Got '0' bytes from file storage
Using client AppId: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
Using token cache file: C:\Users\REDACTED_USERNAME\AppData\Local\DevTunnels\devtunnels-tokens-microsoft
MSAL-Cache: Initialized 'Storage'
MSAL-Cache: Registering token cache with on disk storage
MSAL-Cache: Done initializing
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache after environment filtering.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: Found 0 cache accounts and 0 broker accounts
MSAL: Returning 0 accounts
Using client AppId: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
MSAL-Cache: Registering token cache with on disk storage
MSAL-Cache: Done initializing
MSAL: [Cache Session Manager] Entering the cache semaphore. Real semaphore: True. Count: 1
MSAL: [Cache Session Manager] Entered cache semaphore
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: Released lock
MSAL: [Cache Session Manager] Released cache semaphore
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: [GetAccounts] Found 0 RTs and 1 accounts in MSAL cache after environment filtering.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: IsLegacyAdalCacheEnabled: yes
MSAL: [RuntimeBroker] WAM supported OS.
MSAL: [RuntimeBroker] MsalRuntime initialization successful.
MSAL: [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
MSAL: Filtering broker accounts by environment. Before filtering: 0
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: [Instance Discovery] Tried to use known metadata provider for login.microsoftonline.com. Success? True.
MSAL: After filtering: 0
MSAL: Found 1 cache accounts and 0 broker accounts
MSAL: Returning 1 accounts
MSAL: MSAL MSAL.NetCore with assembly version '4.55.0.0'. CorrelationId(f8352260-1a6f-439b-a8a9-29f437487ccd)
MSAL: === AcquireTokenSilent Parameters ===
MSAL: LoginHint provided: False
MSAL: Account provided: True
MSAL: ForceRefresh: False
MSAL:
=== Request Data ===
Authority Provided? - True
Scopes - 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - f8352260-1a6f-439b-a8a9-29f437487ccd
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
MSAL: === Token Acquisition (SilentRequest) started:
Scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
Authority Host: login.microsoftonline.com
MSAL: Broker is configured and enabled, attempting to use broker instead.
MSAL: [RuntimeBroker] WAM supported OS.
MSAL: [RuntimeBroker] MsalRuntime initialization successful.
MSAL: Can invoke broker. Will attempt to acquire token with broker.
MSAL: [RuntimeBroker] Acquiring token silently.
MSAL: [RuntimeBroker] Validating Common Auth Parameters.
MSAL: [WamBroker] Scopes were passed in the request.
MSAL: [WamBroker] Acquired Common Auth Parameters.
MSAL: [MSAL:0001] INFO LogTelemetryData:332 Printing Telemetry for Correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: start_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: api_name, Value: ReadAccountById
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: was_request_throttled, Value: false
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: authority_type, Value: Unknown
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: msal_version, Value: 1.1.0+local
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: correlation_id, Value: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: stop_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: msalruntime_version, Value: 0.13.8
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: is_successful, Value: true
MSAL: [MSAL:0001] INFO LogTelemetryData:340 Key: request_duration, Value: 0
MSAL: [MSAL:0001] INFO SetCorrelationId:220 Set correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0001] INFO EnqueueBackgroundRequest:677 The original authority is 'https://login.microsoftonline.com/REDACTED_TENANTID'
MSAL: [MSAL:0001] INFO ModifyAndValidateAuthParameters:182 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
MSAL: [MSAL:0001] INFO ModifyAndValidateAuthParameters:199 Authority Realm: REDACTED_TENANTID
MSAL: [MSAL:0002] INFO LogTelemetryData:332 Printing Telemetry for Correlation ID: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: start_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: api_name, Value: AcquireTokenSilently
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: was_request_throttled, Value: false
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: authority_type, Value: AAD
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: access_token_expiry_time, Value: 2024-09-09T06:22:46.000Z
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: read_token, Value: ID|AT
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: msal_version, Value: 1.1.0+local
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: client_id, Value: c0df98ca-23b4-4bce-bb9f-72039b28d3a5
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: correlation_id, Value: f8352260-1a6f-439b-a8a9-29f437487ccd
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: stop_time, Value: 2024-09-09T05:12:24.000Z
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: msalruntime_version, Value: 0.13.8
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: original_authority, Value: https://login.microsoftonline.com/REDACTED_TENANTID
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: request_eligible_for_broker, Value: true
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: broker_app_used, Value: false
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: additional_query_parameters_count, Value: 1
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: auth_flow, Value: AT
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: is_successful, Value: true
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: authorization_type, Value: WindowsIntegratedAuth
MSAL: [MSAL:0002] INFO LogTelemetryData:340 Key: request_duration, Value: 3
MSAL: [MSAL:0002] INFO LogTelemetryData:345 Printing Execution Flow:
MSAL: [MSAL:0002] INFO LogTelemetryData:353 {"t":"8b2yn","tid":2,"ts":0,"l":2},{"t":"8dqkx","tid":2,"ts":0,"l":2},{"t":"8dqik","tid":2,"ts":0,"l":2},{"t":"8b2ht","tid":2,"ts":0,"l":2},{"t":"7e60d","tid":2,"ts":0,"l":2,"a":2,"ie":0},{"t":"7e60e","tid":2,"ts":1,"l":2,"a":2,"ie":1},{"t":"8dqin","tid":2,"ts":1,"l":2},{"t":"7e60f","tid":2,"ts":1,"l":2,"a":2,"ie":0},{"t":"7e60g","tid":2,"ts":3,"l":2,"a":2,"ie":1},{"t":"7e60h","tid":2,"ts":3,"l":2,"a":2,"ie":0},{"t":"7e60i","tid":2,"ts":3,"l":2,"a":2,"ie":1},{"t":"8dqit","tid":2,"ts":3,"l":2},{"t":"6xuag","tid":2,"ts":3,"l":2}
MSAL: [WamBroker] WAM response status success
MSAL: [WamBroker] Successfully retrieved token.
MSAL: Checking MsalTokenResponse returned from broker.
MSAL: Success. Response contains an access token.
MSAL: Checking client info returned from the server..
MSAL: Saving token response to cache..
MSAL:
[MsalTokenResponse]
Error:
ErrorDescription:
Scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default
ExpiresIn: 4221
RefreshIn:
AccessToken returned: True
AccessToken Type: Bearer
RefreshToken returned: False
IdToken returned: True
ClientInfo returned: True
FamilyId:
WamAccountId exists: True
MSAL: [Instance Discovery] Instance discovery is enabled and will be performed
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False.
MSAL: Fetching instance discovery from the network from host login.microsoftonline.com.
MSAL: Starting [Oauth2Client] Sending GET request
MSAL: Starting [HttpManager] ExecuteAsync
MSAL: [HttpManager] Sending request. Method: GET. Host: https://login.microsoftonline.com.
MSAL: [HttpManager] Received response. Status code: OK.
MSAL: Finished [HttpManager] ExecuteAsync in 401 ms
MSAL: Finished [Oauth2Client] Sending GET request in 405 ms
MSAL: Starting [OAuth2Client] Deserializing response
MSAL: Finished [OAuth2Client] Deserializing response in 6 ms
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
MSAL: [Instance Discovery] After hitting the discovery endpoint, the network provider found an entry for login.microsoftonline.com ? True.
MSAL: Authority validation enabled? False.
MSAL: Authority validation - is known env? True.
MSAL: [Region discovery] Not using a regional authority.
MSAL: [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? True.
MSAL: [SaveTokenResponseAsync] Entering token cache semaphore. Count Real semaphore: True. Count: 1.
MSAL: [SaveTokenResponseAsync] Entered token cache semaphore.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL: [Microsoft.Identity.Client.Extensions] Before access
Acquiring lock for token cache
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL: [Microsoft.Identity.Client.Extensions] Before access, the store has changed
MSAL-Cache: Reading Data
MSAL-Cache: Reading from file
MSAL-Cache: Cache file exists? 'True'
MSAL-Cache: Read '3378' bytes from the file
MSAL-Cache: Unprotecting the data
MSAL-Cache: Got '3233' bytes from file storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL: [Microsoft.Identity.Client.Extensions] Read '3233' bytes from storage
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Microsoft.Identity.Client.Extensions] Deserializing the store
MSAL: [Internal cache] Clearing user token cache accessor.
MSAL: [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
MSAL: Not saving to ADAL legacy cache.
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [CalculateSuggestedCacheExpiry] No access tokens or refresh tokens found in the accessor. Not returning any expiration.
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access
MSAL: [Microsoft.Identity.Client.Extensions] After access
MSAL-Cache: [Microsoft.Identity.Client.Extensions] After access, cache in memory HasChanged
MSAL: [Microsoft.Identity.Client.Extensions] After access, cache in memory HasChanged
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL-Cache: [Microsoft.Identity.Client.Extensions] Serializing '3233' bytes
MSAL: [Microsoft.Identity.Client.Extensions] Serializing '3233' bytes
MSAL-Cache: Got '3233' bytes to write to storage
MSAL-Cache: Protecting the data
MSAL-Cache: Writing cache file
MSAL-Cache: Writing file without special permissions
MSAL-Cache: Released lock
MSAL: [Internal cache] Total number of cache partitions found while getting access tokens: 0
MSAL: [Internal cache] Total number of cache partitions found while getting refresh tokens: 0
MSAL: Total number of access tokens in cache: 0
Total number of refresh tokens in cache: 0
Token cache dump of the first 0 cache keys.
MSAL: [SaveTokenResponseAsync] Released token cache semaphore.
MSAL: Broker responded to silent request.
MSAL:
=== Token Acquisition finished successfully:
MSAL: AT expiration time: 9/09/2024 6:22:45 AM +00:00, scopes: 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/all 46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/.default. source: Broker
MSAL: Fetched access token from host login.microsoftonline.com.
MSAL:
[LogMetricsFromAuthResult] Cache Refresh Reason: NotApplicable
[LogMetricsFromAuthResult] DurationInCacheInMs: 21
[LogMetricsFromAuthResult] DurationTotalInMs: 594
[LogMetricsFromAuthResult] DurationInHttpInMs: 377
MSAL: TokenEndpoint: ****
HTTP: GET https://global.rel.tunnels.api.visualstudio.com/tunnels?includePorts=true&global=true&api-version=2023-09-27-preview&ownedTunnelsOnly=true
HTTP: Authorization: Bearer <token>
HTTP: User-Agent: Dev-Tunnels-Service-CLI/1.0.1249+67b1cd300c
HTTP: User-Agent: (OS:Microsoft Windows 10.0.22621)
HTTP: User-Agent: Dev-Tunnels-Service-CSharp-SDK/1.1.29+db5d357e46
HTTP: 401 Unauthorized (90 ms)
HTTP: Date: Mon, 09 Sep 2024 05:12:24 GMT
HTTP: Connection: keep-alive
HTTP: WWW-Authenticate: Bearer error="invalid_token"
HTTP: WWW-Authenticate: Bearer error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
HTTP: RateLimit-Limit: ApiQueryRatePerIPAddress:1000/s
HTTP: RateLimit-Remaining: ApiQueryRatePerIPAddress:999
HTTP: RateLimit-Reset: ApiQueryRatePerIPAddress:1s
HTTP: X-Content-Type-Options: nosniff
HTTP: VsSaaS-Request-Id: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
HTTP: Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTP: X-Served-By: tunnels-prod-rel-aue-v3-cluster
Tunnel service response status code: Unauthorized
Request ID: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
rabwill commented
Facing similar issue today OfficeDev/teams-toolkit#12352
jamwest commented
Exact same issue for me and coworkers
derekbekoe commented
We're looking into the issue affecting the Australia East (aue) region of dev tunnels.
Until we mitigate the issue in this region, this can be worked around by temporarily pointing to a different region of the dev tunnels service.
For example, `devtunnel create --service-uri https://auc1.rel.tunnels.api.visualstudio.com` for Australia Central.
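A triage helper for the verbose `devtunnel list -v` output quoted in the report, tied to the regional workaround in the comment above; this is an added example and is not part of the issue or of the devtunnel CLI. It parses the RFC 6750 Bearer challenge properly (the `error_description` value contains commas and colons, so splitting on `,` breaks) and reads the serving cluster from `X-Served-By`; the `tunnels-prod-rel-<region>-...` naming pattern is an assumption based on the single value on the page.

```python
import re

# Constructed sample, abbreviated from the verbose output quoted in the issue.
SAMPLE_LOG = """\
HTTP: GET https://global.rel.tunnels.api.visualstudio.com/tunnels?includePorts=true&global=true&api-version=2023-09-27-preview&ownedTunnelsOnly=true
HTTP: Authorization: Bearer <token>
HTTP: 401 Unauthorized (90 ms)
HTTP: Date: Mon, 09 Sep 2024 05:12:24 GMT
HTTP: WWW-Authenticate: Bearer error="invalid_token"
HTTP: WWW-Authenticate: Bearer error="invalid_token", error_description="S2S17001: SAL was able to validate the protocol, but validation failed as none of the inbound policies were satisfied. Validation failures: 'AAD user inbound policy (prod): KeyWrapFailed'."
HTTP: RateLimit-Limit: ApiQueryRatePerIPAddress:1000/s
HTTP: VsSaaS-Request-Id: 7ae9dd5d-7b81-4bae-a4bc-0e7beeddb109
HTTP: X-Served-By: tunnels-prod-rel-aue-v3-cluster
"""

# RFC 6750 Bearer challenge parameters are `name="quoted-string"` pairs.
# The quoted string may contain commas, colons and escaped quotes, so match
# the pair structure instead of splitting the header on ",".
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(value: str) -> dict:
    """Return the parameters of a `Bearer ...` WWW-Authenticate challenge."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(params)}


def triage_devtunnel_log(log: str) -> dict:
    """Extract status, challenge, serving region and request id from `HTTP:` lines."""
    result = {"status": None, "error": None, "error_description": None,
              "region": None, "request_id": None, "key_wrap_failed": False}
    for line in log.splitlines():
        if not line.startswith("HTTP: "):
            continue
        body = line[len("HTTP: "):]
        status = re.match(r"(\d{3}) ", body)  # e.g. "401 Unauthorized (90 ms)"
        if status:
            result["status"] = int(status.group(1))
            continue
        name, _, value = body.partition(": ")
        if name == "WWW-Authenticate":
            params = parse_bearer_challenge(value)
            result["error"] = params.get("error", result["error"])
            # The first challenge has no description; keep the detailed one.
            if "error_description" in params:
                result["error_description"] = params["error_description"]
        elif name == "VsSaaS-Request-Id":
            result["request_id"] = value.strip()
        elif name == "X-Served-By":
            # Assumed cluster naming: tunnels-prod-rel-<region>-... (from the page's value).
            m = re.match(r"tunnels-prod-rel-([a-z0-9]+)-", value.strip())
            result["region"] = m.group(1) if m else value.strip()
    desc = result["error_description"] or ""
    result["key_wrap_failed"] = result["status"] == 401 and "KeyWrapFailed" in desc
    return result
```

When `key_wrap_failed` is set and `region` is the affected cluster, the `request_id` is the value to quote when reporting, and retrying against another `--service-uri` as in the comment above is the local workaround.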
derekbekoe commented
We reverted the change that we believe caused this and verified functionality. Apologies for the inconvenience.