Diagnosing error: ClientAuthError: network_error: Network request failed

Question

Diagnosing error: ClientAuthError: network_error: Network request failed

Closed this issue 13 days ago · 16 comments

I am trying to use m365 in a corporate environment with a complex pac file for the proxy.

I believe I've set the proxy right, but I may not have.

We are receiving the following error when trying to login and would appreciate any guidance on how to work out the root cause. personal information is redacted, but the username/password is definitely correct:

U:\>m365 login --tenant "MyTenant" --authType password -u "MyUserName" -p "MyPassword" --debug

Executing command login with options {"options":{"tenant":"MyTenant","authType":"password","userName":"MyYserBane","password":"MyPassword","debug":true,"output":"json"}}
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Info - getTokenCache called
Retrieving new access token using credentials...
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Info - acquireTokenByUsernamePassword called
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - initializeRequestScopes called
[Tue, 18 Jun 2024 05:46:53 GMT] : [e04c8515-6659-44af-800d-910fc18f18f2] : @azure/msal-node@2.7.0 : Verbose - buildOauthClientConfiguration called
[Tue, 18 Jun 2024 05:46:53 GMT] : [e04c8515-6659-44af-800d-910fc18f18f2] : @azure/msal-node@2.7.0 : Verbose - createAuthority called
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Found cloud discovery metadata from hardcoded values.
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Attempting to get endpoint metadata from authority configuration
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Replacing tenant domain name MYTENANT with id {tenantid}
[Tue, 18 Jun 2024 05:46:53 GMT] : [e04c8515-6659-44af-800d-910fc18f18f2] : @azure/msal-node@2.7.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/MYTENANT/oauth2/v2.0/token.
[Tue, 18 Jun 2024 05:46:53 GMT] : [e04c8515-6659-44af-800d-910fc18f18f2] : @azure/msal-node@2.7.0 : Verbose - Username password client created
[Tue, 18 Jun 2024 05:46:53 GMT] : [e04c8515-6659-44af-800d-910fc18f18f2] : @azure/msal-common@14.9.0 : Info - in acquireToken call in username-password client
[Tue, 18 Jun 2024 05:46:53 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Replacing tenant domain name MYTENANT with id {tenantid}
Error:
ClientAuthError: network_error: Network request failed
    at createClientAuthError (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/node_modules/@azure/msal-common/dist/error/ClientAuthError.mjs:255:12)
    at NetworkManager.sendPostRequest (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/node_modules/@azure/msal-common/dist/network/NetworkManager.mjs:35:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async UsernamePasswordClient.executePostToTokenEndpoint (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/node_modules/@azure/msal-common/dist/client/BaseClient.mjs:79:26)
    at async UsernamePasswordClient.acquireToken (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/UsernamePasswordClient.mjs:25:26)
    at async PublicClientApplication.acquireTokenByUsernamePassword (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/node_modules/@azure/msal-node/dist/client/ClientApplication.mjs:169:20)
    at async Auth.ensureAccessToken (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/dist/Auth.js:193:26)
    at async login (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:74:17)
    at async LoginCommand.commandAction (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:92:9)
    at async LoginCommand.action (file:///C:/Users/MyLanId/AppData/Roaming/npm/node_modules/@pnp/cli-microsoft365/dist/m365/commands/login.js:102:9) {
  errorCode: 'network_error',
  errorMessage: 'Network request failed',
  subError: '',
  correlationId: 'e04c8515-6659-44af-800d-910fc18f18f2'
}

Answer 1 · 2024-06-18T07:11:19.000Z

Hi @scberr
If I read it correctly, you are trying to use CLI behind a corporate proxy? Have you tried following this guide?

Answer 2 · 2024-06-18T12:29:55.000Z

Thank you for the response. I've read that documentation but the proxy we have uses a very complex pac file.

It's unclear from the error message if the issue is

A. we've extracted the proxy server incorrectly from the pac file and m365 can't connect to login.microsoftonline.com

Or B. There is a successful connection being made but there is a failure performing the OAuth login process.

Can you tell from the error what is going on?

Answer 3 · 2024-06-19T22:24:41.000Z

@waldekmastykarz, if I'm not mistaken, you added/reviewed this functionality. Do you have an idea what could be wrong?

Answer 4 · 2024-06-20T06:42:47.000Z

At the moment, we don't support pac files. We only support specifying the proxy through environment variables, like @milanholemans mentioned. Following the stack trace of the error you shared with us, it seems like MSAL (which CLI uses for authentication) can't connect with Microsoft Entra, which would indicate connectivity rather than auth issues. If you could share with us some more info about what you've done, being mindful of not sharing anything sensitive, then perhaps we could debug the issue together.

Answer 5 · 2024-06-21T04:13:08.000Z

Thank you for your assistance. We're going to do some more diagnosis and reverse engineering of the pac file to see if we can identify the root cause. From the extra info you provided it's almost certainly a proxy issue. There are over 40 different proxy servers/rules in the pac file though.

I'll update this ticket with the outcome, it will take a bit of time next week.

Answer 6 · 2024-08-07T20:49:08.000Z

Hello, I am getting the same error. Please lmk what could be the issue. -

Answer 7 · 2024-08-08T04:16:31.000Z

As per Fiddler Log we are getting 502 Error along with below Response.

Response:
HTTP/1.1 502 Fiddler - Connection Failed
Date: Wed, 07 Aug 2024 12:17:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, must-revalidate
Timestamp: 22:17:51.808

[Fiddler] The connection to 'localhost' failed.
Error: ConnectionRefused (0x274d).
System.Net.Sockets.SocketException No connection could be made because the target machine actively refused it 127.0.0.1:12588

Answer 8 · 2024-08-08T04:18:17.000Z

Kindly find the Request Details below:
GET http://localhost:12588/favicon.ico HTTP/1.1
Host: localhost:12588
Connection: keep-alive
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: http://localhost:12588/?code=************************************************************************************
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Answer 9 · 2024-08-08T04:22:29.000Z

Getting Failed in

~~Request Details with Proxy {
host: '127.0.0.1',
port: '3128',
method: 'CONNECT',
path: 'login.microsoftonline.com',
headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8' }
}

Response Error in MSAL:
Error: Error connecting to proxy. Http status code: 400. Http status message: Bad Request

Also I have Update the Corporate Proxy URL in HTTP_PROXY & HTTPS_PROXY in Environment Variable it retuning the same result.

Answer 10 · 2024-08-08T13:56:02.000Z

We are trying to send the proxy like in this example. Here is the code implementation too. The same request is working in postman with same proxy but not working through code. Please give me an example of how to send the proxy in the request const msal = ***@***.***/msal-node"); const LogLevel = ***@***.***/msal-node"); const https = require("https"); const msalConfig = { auth: { clientId: "clientid", clientSecret: "seceret", authority: authorityUrl }, system: { loggerOptions: { loggerCallback(loglevel, message, containsPii) { console.log(message); }, piiLoggingEnabled: false, logLevel: msal.LogLevel.Verbose, }, proxyUrl:url, // customAgentOptions:{} }, }; const cca = new msal.ConfidentialClientApplication(msalConfig); console.log("cca ******** this is cca", cca); const tokenRequest = { scopes:[scope], }; async function getToken() { try { const tokenResponse = await cca.acquireTokenByClientCredential( tokenRequest ); console.log("tokenResponse ****** this is token rewsponse ", tokenResponse); if (tokenResponse && tokenResponse.accessToken) { return tokenResponse.accessToken; } else { throw new Error("Failed to acquire access token"); } } catch (error) { console.log("error", error); throw new Error("Error retrieving access token: " + error); } } getToken(); From: Sendrayan ***@***.***> Date: Wednesday, August 7, 2024 at 11:22 PM To: pnp/cli-microsoft365 ***@***.***> Cc: Polkampally, Sindhuja ***@***.***>, Comment ***@***.***> Subject: [EXTERNAL] Re: [pnp/cli-microsoft365] Diagnosing error: ClientAuthError: network_error: Network request failed (Issue #6092) [WARNING] Use caution when opening attachments or links from unknown senders. Getting Failed in ~~Request Details with Proxy { host: '127.0.0.1', port: '3128', method: 'CONNECT', path: 'login.microsoftonline.com', headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8' } } Response Error in MSAL: Error: Error connecting to proxy. Http status code: 400. Http status message: Bad Request Also I have Update the Corporate Proxy URL in HTTP_PROXY & HTTPS_PROXY in Environment Variable it retuning the same result.

Answer 11 · 2024-08-08T18:24:46.000Z

Are you also using a PAC-file @sindhujausbank?

Answer 12 · 2024-08-08T18:27:53.000Z

No, I am not. I am trying to understand why postman call works and not through the code when it is using the same proxy. Can you please send me an example code of how to send proxy in the code above

…

________________________________ From: Milan Holemans ***@***.***> Sent: Thursday, August 8, 2024 1:25:08 PM To: pnp/cli-microsoft365 ***@***.***> Cc: Polkampally, Sindhuja ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] Re: [pnp/cli-microsoft365] Diagnosing error: ClientAuthError: network_error: Network request failed (Issue #6092) [WARNING] Use caution when opening attachments or links from unknown senders. Are you also using a PAC-file

Answer 13 · 2024-08-09T10:36:46.000Z

Hey @sindhujausbank, it seems like you're building a custom app. This issue list focuses on supporting CLI for Microsoft 365. For generic auth questions, please submit your issue to the MSAL repo at https://github.com/AzureAD/microsoft-authentication-library-for-js.

Answer 14 · 2024-08-09T12:38:16.000Z

I built a custom app with the code I shared. Right now, for testing Purposes, the project just has the code to get the access token

…

________________________________ From: Waldek Mastykarz ***@***.***> Sent: Friday, August 9, 2024 5:37:09 AM To: pnp/cli-microsoft365 ***@***.***> Cc: Polkampally, Sindhuja ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] Re: [pnp/cli-microsoft365] Diagnosing error: ClientAuthError: network_error: Network request failed (Issue #6092) [WARNING] Use caution when opening attachments or links from unknown senders. Hey @sindhujausbank<https://urldefense.com/v3/__https://github.com/sindhujausbank__;!!GRBPSLYk!9xXYKMQGdRNQgtVqKATe_GJ9lm4qcqdX3GObqerAma12ZpQFH7TZwrVKdoC1rf1nUdatDoSTzuxABkDdI3mGWIh8WcIfotYp$> are you using CLI for M365 or building a custom app? If you use the CLI, could you please share with us what you've configured, how are you starting the CLI and what error you're seeing? It'll help us understand what's wrong. — Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https://github.com/pnp/cli-microsoft365/issues/6092*issuecomment-2277656962__;Iw!!GRBPSLYk!9xXYKMQGdRNQgtVqKATe_GJ9lm4qcqdX3GObqerAma12ZpQFH7TZwrVKdoC1rf1nUdatDoSTzuxABkDdI3mGWIh8WenN3dl3$>, or unsubscribe<https://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/BKMNJQM5O4A5NQRCC4WRQV3ZQSLVLAVCNFSM6AAAAABJPJYDF2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZXGY2TMOJWGI__;!!GRBPSLYk!9xXYKMQGdRNQgtVqKATe_GJ9lm4qcqdX3GObqerAma12ZpQFH7TZwrVKdoC1rf1nUdatDoSTzuxABkDdI3mGWIh8WerIkydH$>. You are receiving this because you were mentioned.Message ID: ***@***.***> U.S. BANCORP made the following annotations

--------------------------------------------------------------------- Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation.

---------------------------------------------------------------------

Answer 15 · 2024-09-17T05:54:49.000Z

Closing due to lack of further comments from the OP

Answer 16 · 2024-09-18T14:53:23.000Z

We have the same problem with node-msal. A normal client credential request fails with

Handling error AuthenticationRequiredError: network_error: Network request failed

There are no network issues, a manual post with cli/postman has no problems, it's just the msal-node library.

Using Node 20 with pnpm.