AADSTS900382: Confidential Client is not supported in Cross Cloud request.
daryltucker opened this issue · 3 comments
daryltucker commented
v1.0.6
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS900382: Confidential Client is not supported in Cross Cloud request.
I've looked at this documentation and set "Application settings" of the target App Service:
```
letsencrypt:AzureAuthenticationEndpoint    https://login.microsoftonline.us/
letsencrypt:AzureTokenAudience             https://management.core.usgovcloudapi.net/
letsencrypt:AzureManagementEndpoint        https://management.usgovcloudapi.net/
letsencrypt:AzureDefaultWebSiteDomainName  azurewebsites.us
```
Please let me know if I've gotten one of these values incorrect, or if there is something I can do to try to get this working somewhere other than AzureCloud.
azureothercloud: https://github.com/sjkp/letsencrypt-siteextension/wiki/Azure-Germany,-US-or-China
daryltucker commented
```
$ az cloud show --name AzureUSGovernment
{
  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.us",
    "activeDirectoryDataLakeResourceId": null,
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.usgovcloudapi.net/",
    "appInsightsResourceId": "https://api.applicationinsights.us",
    "appInsightsTelemetryChannelResourceId": "https://dc.applicationinsights.us/v2/track",
    "attestationResourceId": null,
    "azmirrorStorageAccountResourceId": null,
    "batchResourceId": "https://batch.core.usgovcloudapi.net/",
    "gallery": "https://gallery.usgovcloudapi.net/",
    "logAnalyticsResourceId": "https://api.loganalytics.us",
    "management": "https://management.core.usgovcloudapi.net/",
    "mediaResourceId": "https://rest.media.usgovcloudapi.net",
    "microsoftGraphResourceId": "https://graph.microsoft.us/",
    "ossrdbmsResourceId": "https://ossrdbms-aad.database.usgovcloudapi.net",
    "portal": "https://portal.azure.us",
    "resourceManager": "https://management.usgovcloudapi.net/",
    "sqlManagement": "https://management.core.usgovcloudapi.net:8443/",
    "synapseAnalyticsResourceId": "https://dev.azuresynapse.usgovcloudapi.net",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/main/arm-compute/quickstart-templates/aliases.json"
  },
  "isActive": true,
  "name": "AzureUSGovernment",
  "profile": "latest",
  "suffixes": {
    "acrLoginServerEndpoint": ".azurecr.us",
    "attestationEndpoint": null,
    "azureDatalakeAnalyticsCatalogAndJobEndpoint": null,
    "azureDatalakeStoreFileSystemEndpoint": null,
    "keyvaultDns": ".vault.usgovcloudapi.net",
    "mariadbServerEndpoint": ".mariadb.database.usgovcloudapi.net",
    "mhsmDns": ".managedhsm.usgovcloudapi.net",
    "mysqlServerEndpoint": ".mysql.database.usgovcloudapi.net",
    "postgresqlServerEndpoint": ".postgres.database.usgovcloudapi.net",
    "sqlServerHostname": ".database.usgovcloudapi.net",
    "storageEndpoint": "core.usgovcloudapi.net",
    "storageSyncEndpoint": "afs.azure.us",
    "synapseAnalyticsEndpoint": ".dev.azuresynapse.usgovcloudapi.net"
  }
}
```
daryltucker commented
Ah, the values were correct. They must be set as "Deployment slot settings".
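An added example, not part of the thread or of the extension's code: a small audit that compares the `letsencrypt:*` endpoint settings with the `az cloud show` output and flags any that are not marked as deployment slot settings. The mapping of setting names to `az cloud show` keys is an assumption inferred from the matching values posted above, and the app settings sample is constructed in the shape of `az webapp config appsettings list` output.

```python
import json

# Assumed mapping from the extension's app settings to `az cloud show` endpoint
# keys, inferred from the matching values posted in this thread.
SETTING_TO_ENDPOINT = {
    "letsencrypt:AzureAuthenticationEndpoint": "activeDirectory",
    "letsencrypt:AzureTokenAudience": "activeDirectoryResourceId",
    "letsencrypt:AzureManagementEndpoint": "resourceManager",
}
# letsencrypt:AzureDefaultWebSiteDomainName has no counterpart in `az cloud show`
# output, so it is not checked here.

def norm(url):
    """Compare endpoints case-insensitively and ignoring a trailing slash."""
    return (url or "").strip().rstrip("/").lower()

def audit(cloud, app_settings):
    """Return findings; an empty list means every endpoint matches the cloud
    and is marked as a deployment slot setting."""
    by_name = {s["name"]: s for s in app_settings}
    findings = []
    for name, key in SETTING_TO_ENDPOINT.items():
        expected = cloud["endpoints"].get(key)
        setting = by_name.get(name)
        if setting is None:
            findings.append(f"{name}: not set")
            continue
        if norm(setting["value"]) != norm(expected):
            findings.append(f"{name}: {setting['value']} is not the "
                            f"{cloud['name']} {key} endpoint {expected}")
        if not setting.get("slotSetting"):
            findings.append(f"{name}: not marked as a deployment slot setting")
    return findings

# Trimmed copy of the `az cloud show` output posted above.
CLOUD = json.loads("""{"name": "AzureUSGovernment", "endpoints": {
  "activeDirectory": "https://login.microsoftonline.us",
  "activeDirectoryResourceId": "https://management.core.usgovcloudapi.net/",
  "resourceManager": "https://management.usgovcloudapi.net/"}}""")

# Constructed sample in the shape of `az webapp config appsettings list` output.
SAMPLE = json.loads("""[
  {"name": "letsencrypt:AzureAuthenticationEndpoint", "slotSetting": true,
   "value": "https://login.microsoftonline.com/"},
  {"name": "letsencrypt:AzureTokenAudience", "slotSetting": false,
   "value": "https://management.core.usgovcloudapi.net/"}]""")

if __name__ == "__main__":
    for finding in audit(CLOUD, SAMPLE):
        print(finding)
```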
IsQiao commented
China:
letsencrypt:AzureAuthenticationEndpoint
letsencrypt:AzureTokenAudience
letsencrypt:AzureManagementEndpoint
letsencrypt:AzureDefaultWebSiteDomainName
- azurewebsites.net
- chinacloudsites.cn