
Comments (4)

NestoriSyynimaa commented on June 19, 2024

Very interesting error indeed. BPRT in general works okay, just demoed it two weeks ago. Could you try again with the -Verbose or -Debug switches to see details of what's happening.

from aadinternals.

amorrowbellarmine commented on June 19, 2024

Sure thing. Here is the output. Yeah, I'm not sure what's going on. We've got a similar issue happening with WCD where it responds with an error saying "empty response". I've got a ticket open with the Azure support in hopes they can fix the WCD issue. Maybe that will fix my issue with AAD Internals token request.

PS C:\Users\user> New-AADIntBulkPRTToken -Name "package_$(new-guid)" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:

aud                 : urn:ms-drs:enterpriseregistration.windows.net
iss                 : https://sts.windows.net/5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX/
iat                 : 1684173329
nbf                 : 1684173329
exp                 : 1684178442
acr                 : 1
aio                 : ATQAy/8TAAAAsQob8gr5D2ifOe6udkdCHKRftYYTx9hCsUwiDUZqZHsGe97mxabxTbW2iTcSffhi
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX
appidacr            : 0
deviceid            : e1b87443-6e45-47d2-9f03-XXXXXXXXXXXX
family_name         : Morrow
given_name          : Tony
groups              : {cd8dec03-ec9f-4566-baf5-XXXXXXXXXXX, fc77fa73-3a32-4def-b41a-XXXXXXXXXXXX, 4e975bdc-8cd9-4a20-a8d3-XXXXXXXXXXXX, f74d260b-8696-4910-b6ba-XXXXXXXXXXXX...}
ipaddr              : XXX.XXX.XXX.XXX
name                : Tony Morrow
oid                 : 579d89af-30d7-4730-8882-XXXXXXXXXXXX
onprem_sid          : S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX
puid                : 10033FFF84E411AE
rh                  : 0.AQgAnCKQUvHZ3EWg1CY3kPcx-nYoywG9fqRKnMnSi9TTWakIAKk.
scp                 : policy_management
sub                 : _RCO7bcaq6yd-URt9q7v95-yATBAkub5NeOWuwnPavo
tenant_region_scope : NA
tid                 : 5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX
unique_name         : [email protected]
upn                 : [email protected]
uti                 : OKkrDaN93Ui911ER4MVFAA
ver                 : 1.0
wids                : {5d6b6bb7-de71-4623-b4af-XXXXXXXXXXXX, 3a2c62db-5318-420d-8d74-XXXXXXXXXXXX, 38a96431-2bdf-4b4c-8b6e-XXXXXXXXXXXX, b79fbf4d-3ef9-4689-8143-XXXXXXXXXXXX}
xms_sk              : true
xms_sptype          : 0




Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): y
VERBOSE: POST https://login.microsoftonline.com/webapp/bulkaadjtoken/begin with -1-byte payload
VERBOSE: received 343-byte response of content type application/json; charset=utf-8
VERBOSE: GET
https://login.microsoftonline.com/webapp/bulkaadjtoken/poll?flowToken=AQABAAEAAAD--DLA3VO7QrddgJg7Wevra-ffcK6vXdLYnBmGBB3FWXXs4x6SZBcoknOMVsYoo4yGOHK8UBLCfqYRt0ekRWpjJOow9trO76pFeKZbK8ZGgWfuNOktgj8BsYFwnz5ISdiM8qPwz-drFL7YBxaRQ7vuRDgtsu9xo4E-h5PmJ7m-9-iaqKLQllYXrHf17Kh-oMIMl_CdscAeyiY9U7yT1H-b4YHsA_uIDMTxZfG-bDwJH31FHHCO7ZNrVk4cIwif6xcBizDChhvg_HvgGO655VTVIAA with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated
user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-15 18:02:15Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:1   5","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z


Kyawn88 commented on June 19, 2024

I'm also getting this too. I generated a BPRT about 3-4 months ago using AADInternals without issue. Tried to regenerate it today and I'm getting the exact same output error. From the looks of the error it seems that the SourceAnchor value is required for the generation of the AAD user that is created with the package_{GUID}.

Is there a way to insert this value into the command?

Here is the -Verbose and -Debug output of my command (I'm aware it's running with version 0.7.8, but the problem is also present in 0.8.2):

PS C:\Users\john.doe> $bprt = New-AADIntBulkPRTToken -Name "AAD_Joiner_Token" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:

aud                 : urn:ms-drs:enterpriseregistration.windows.net
iss                 : https://sts.windows.net/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/
iat                 : 1684321176
nbf                 : 1684321176
exp                 : 1684325076
acr                 : 1
aio                 :
AVQAq/8TAAAA5kz1vmWvOpJuXVedwVjG1w5/HLzNfN45YJ5+NbqXnyXwV5/Scdz5zfnAoE5Cqd8GTrOUyWBaTijCg6l4wONso
                      HanCKkOjonpeK2UV9yPitI=
amr                 : {pwd, mfa}
appid               : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
appidacr            : 0
deviceid            : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
family_name         : Doe
given_name          : John
groups              : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX,
                      XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
ipaddr              : XXX.XXX.XXX.XXX
name                : John Doe
oid                 : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
onprem_sid          : S-1-5-21-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX-XXXX
puid                : 100300009F48D725
rh                  : 0.AQwAjLgeeqQXnk-t-11BVU6tsXYoywG9fqRKnMnSi9TTWamWABY.
scp                 : policy_management
sub                 : XG_SNxELJN0kQwsVWO0zq7pC-WI_1RepG9_r28Gm4dA
tenant_region_scope : EU
tid                 : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
unique_name         : [email protected]
upn                 : [email protected]
uti                 : 7pUzUgsev0yphNowcFpzAA
ver                 : 1.0
wids                : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX,
                      XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
xms_sk              : true
xms_sptype          : 0




Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): Y
VERBOSE: POST with -1-byte payload
VERBOSE: received 322-byte response of content type application/json; charset=utf-8
VERBOSE: GET with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required
property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb07c496e666","date":"2023-05-17T11:1
5:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}
}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.7.8\PRT.ps1:1724 char:13
+             throw $details.error_description
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (AADSTS650051: {...05-17 11:15:41Z:String) [], RuntimeException
    + FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value"
   :"SourceAnchor is a required property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb0
  7c496e666","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyE
 rrorCode","value":"PropertyRequired"}]}}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z


amorrowbellarmine commented on June 19, 2024

I got a response from Microsoft regarding my issue with bulk token requests through WCD. It is caused by our tenant authentication using Federated and us testing password hash sync authentication through AAD Connect's staged rollout feature. My account is one of those being tested.

This is the full response:

"The operation returned empty response. Please try again." The error can occur if the account you use to authenticate with AAD when you click Get Bulk Token is a user account enabled for Seamless SSO staged rollout, which means it's treated as a managed user for authentication purposes, and because of that the bulk endpoint incorrectly determines the domain the user is in as managed. This causes an error when creating a pseudo user account in the domain to represent the bulk token.
Federated user accounts enabled for staged rollout will not work for retrieval of bulk tokens.

Workarounds:

• Kindly use the user account not enabled for staged SSO
• Please try creating a new user account or use a different managed user account to generate the provisioning package.

I had one of our other administrators who's not in the SSO test try WCD and AAD Internals, and they were able to successfully request a bulk token with both tools.

Sounds like this issue can be closed since I know the source of the problem.

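The thread ends with the cause worked out from the raw error text: the bulk endpoint tried to create the `package_{GUID}` pseudo user as a federated user and demanded a SourceAnchor (`immutableId`), because the requesting account sat in a staged-rollout group while its domain stayed federated. The helper below is an added triage example for this page; it is not AADInternals code and not from any commenter. It parses the error block that PowerShell prints when `New-AADIntBulkPRTToken` throws (the sample text is copied from the second comment above, with the console line wrap left in place), recovers the embedded OData JSON, and recognises the `immutableId`/`PropertyRequired` signature so an operator can tell this case apart from other AADSTS failures. The dataclass, function names and the explanatory wording are this example's own.

```python
"""Triage helper for the AADSTS650051 failure shown in this thread.

Added example for this page (not part of AADInternals or any Microsoft tool).
It takes the error text PowerShell prints, recovers the OData error JSON and
maps the known signature (immutableId / PropertyRequired) to the cause the
thread arrived at: a federated-domain account enrolled in staged rollout.
"""
import json
import re
from dataclasses import dataclass

# Error text copied from the second comment in the thread (ids were already
# masked or non-sensitive there). The line break inside the JSON is where the
# console wrapped the output; a parser has to cope with that.
SAMPLE_ERROR_TEXT = r"""WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated
user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
"""

# AADSTS code, then the JSON body (non-greedy, so it stops at the brace that is
# directly followed by the Trace ID line), then the three trailer lines.
ERROR_RE = re.compile(
    r"(?P<aadsts>AADSTS\d+):\s*(?P<json>\{.*?\})\s*"
    r"Trace ID:\s*(?P<trace>\S+)\s*"
    r"Correlation ID:\s*(?P<corr>\S+)\s*"
    r"Timestamp:\s*(?P<ts>[^\n]+)",
    re.DOTALL,
)

# The field combination the thread's failure always carried.
SOURCE_ANCHOR_SIGNATURE = ("Request_BadRequest", "immutableId", "PropertyRequired")


@dataclass
class BulkTokenError:
    aadsts_code: str
    odata_code: str
    message: str
    request_id: str
    properties: dict  # e.g. {"PropertyName": "immutableId", "PropertyErrorCode": "PropertyRequired"}
    trace_id: str
    correlation_id: str
    timestamp: str


def parse_bulk_token_error(text: str) -> BulkTokenError:
    """Extract the structured error from the PowerShell exception text."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no AADSTS error block found in text")
    # PowerShell wraps long lines at console width, sometimes inside the JSON.
    # Joining the lines restores valid JSON; the human-readable message may
    # lose a space at the wrap point, the structured fields are unaffected.
    blob = re.sub(r"\s*\n\s*", "", m.group("json"))
    odata = json.loads(blob)["odata.error"]
    props = {v["item"]: v["value"] for v in odata.get("values", [])}
    return BulkTokenError(
        aadsts_code=m.group("aadsts"),
        odata_code=odata["code"],
        message=odata["message"]["value"],
        request_id=odata.get("requestId", ""),
        properties=props,
        trace_id=m.group("trace"),
        correlation_id=m.group("corr"),
        timestamp=m.group("ts").strip(),
    )


def is_staged_rollout_signature(err: BulkTokenError) -> bool:
    """True when the error matches the SourceAnchor/immutableId case from the thread."""
    sig = (err.odata_code,
           err.properties.get("PropertyName"),
           err.properties.get("PropertyErrorCode"))
    return sig == SOURCE_ANCHOR_SIGNATURE


def explain(err: BulkTokenError) -> str:
    """Plain-language cause plus the workaround Microsoft support gave in the thread."""
    if is_staged_rollout_signature(err):
        return (
            "The bulk endpoint tried to create the package_{GUID} pseudo user as a "
            "federated user and required a SourceAnchor (immutableId). In this thread "
            "the requesting account was a federated-domain user enabled for staged "
            "rollout, so it was treated as managed while its domain stayed federated. "
            "Retry with an account not enrolled in staged rollout, or a managed "
            "(cloud-only) account."
        )
    return f"Unrecognised {err.aadsts_code} ({err.odata_code}): {err.message}"


if __name__ == "__main__":
    parsed = parse_bulk_token_error(SAMPLE_ERROR_TEXT)
    print(parsed.aadsts_code, parsed.properties, parsed.correlation_id)
    print(explain(parsed))
```

Keep the Trace ID and Correlation ID the parser returns when you open a support case; they are what Microsoft needs to find the request, and they are the only values in the error that are not reused across retries.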
