Comments (4)
Very interesting error indeed. BPRT in general works okay, just demoed it two weeks ago. Could you try again with the -Verbose or -Debug switches to see details of what's happening.
from aadinternals.
Sure thing. Here is the output. Yeah, I'm not sure what's going on. We've got a similar issue happening with WCD where it responds with an error saying "empty response". I've got a ticket open with the Azure support in hopes they can fix the WCD issue. Maybe that will fix my issue with AAD Internals token request.
PS C:\Users\user> New-AADIntBulkPRTToken -Name "package_$(new-guid)" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:
aud : urn:ms-drs:enterpriseregistration.windows.net
iss : https://sts.windows.net/5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX/
iat : 1684173329
nbf : 1684173329
exp : 1684178442
acr : 1
aio : ATQAy/8TAAAAsQob8gr5D2ifOe6udkdCHKRftYYTx9hCsUwiDUZqZHsGe97mxabxTbW2iTcSffhi
amr : {pwd}
appid : 1b730954-1685-4b74-9bfd-XXXXXXXXXXXX
appidacr : 0
deviceid : e1b87443-6e45-47d2-9f03-XXXXXXXXXXXX
family_name : Morrow
given_name : Tony
groups : {cd8dec03-ec9f-4566-baf5-XXXXXXXXXXX, fc77fa73-3a32-4def-b41a-XXXXXXXXXXXX, 4e975bdc-8cd9-4a20-a8d3-XXXXXXXXXXXX, f74d260b-8696-4910-b6ba-XXXXXXXXXXXX...}
ipaddr : XXX.XXX.XXX.XXX
name : Tony Morrow
oid : 579d89af-30d7-4730-8882-XXXXXXXXXXXX
onprem_sid : S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX
puid : 10033FFF84E411AE
rh : 0.AQgAnCKQUvHZ3EWg1CY3kPcx-nYoywG9fqRKnMnSi9TTWakIAKk.
scp : policy_management
sub : _RCO7bcaq6yd-URt9q7v95-yATBAkub5NeOWuwnPavo
tenant_region_scope : NA
tid : 5290229c-d9f1-45dc-a0d4-XXXXXXXXXXXX
unique_name : [email protected]
upn : [email protected]
uti : OKkrDaN93Ui911ER4MVFAA
ver : 1.0
wids : {5d6b6bb7-de71-4623-b4af-XXXXXXXXXXXX, 3a2c62db-5318-420d-8d74-XXXXXXXXXXXX, 38a96431-2bdf-4b4c-8b6e-XXXXXXXXXXXX, b79fbf4d-3ef9-4689-8143-XXXXXXXXXXXX}
xms_sk : true
xms_sptype : 0
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): y
VERBOSE: POST https://login.microsoftonline.com/webapp/bulkaadjtoken/begin with -1-byte payload
VERBOSE: received 343-byte response of content type application/json; charset=utf-8
VERBOSE: GET
https://login.microsoftonline.com/webapp/bulkaadjtoken/poll?flowToken=AQABAAEAAAD--DLA3VO7QrddgJg7Wevra-ffcK6vXdLYnBmGBB3FWXXs4x6SZBcoknOMVsYoo4yGOHK8UBLCfqYRt0ekRWpjJOow9trO76pFeKZbK8ZGgWfuNOktgj8BsYFwnz5ISdiM8qPwz-drFL7YBxaRQ7vuRDgtsu9xo4E-h5PmJ7m-9-iaqKLQllYXrHf17Kh-oMIMl_CdscAeyiY9U7yT1H-b4YHsA_uIDMTxZfG-bDwJH31FHHCO7ZNrVk4cIwif6xcBizDChhvg_HvgGO655VTVIAA with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated
user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z
At C:\Users\user\Documents\WindowsPowerShell\Modules\AADInternals\0.8.1\PRT.ps1:1724 char:13
+ throw $details.error_description
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (AADSTS650051: {...05-15 18:02:15Z:String) [], RuntimeException
+ FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"02dd5168-9c20-4c40-82a6-023f832ef1ae","date":"2023-05-15T18:02:15","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: a2a38a26-3534-4a7c-9a8e-5b9b346b4000
Correlation ID: 84864403-bedb-4c4d-b724-e4a4f7fb8f7f
Timestamp: 2023-05-15 18:02:15Z
from aadinternals.
I'm also getting this too, I generated a BPRT about 3-4 months ago using AADInternals without issue. Tried to regenerate it today and I'm getting the exact same output error. From the looks of the error it seems that the SourceAnchor value is required for the generation of the AAD user that is created with the package_{GUID}.
Is there a way to insert this value into the command?
Here is a -Verbose and -Debug output of my command (I'm aware it's running with version 0.7.8, but the problem is also present in 0.8.2):
PS C:\Users\john.doe> $bprt = New-AADIntBulkPRTToken -Name "AAD_Joiner_Token" -Verbose -Debug
DEBUG: PARSED ACCESS TOKEN:
aud : urn:ms-drs:enterpriseregistration.windows.net
iss : https://sts.windows.net/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/
iat : 1684321176
nbf : 1684321176
exp : 1684325076
acr : 1
aio : AVQAq/8TAAAA5kz1vmWvOpJuXVedwVjG1w5/HLzNfN45YJ5+NbqXnyXwV5/Scdz5zfnAoE5Cqd8GTrOUyWBaTijCg6l4wONsoHanCKkOjonpeK2UV9yPitI=
amr : {pwd, mfa}
appid : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
appidacr : 0
deviceid : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
family_name : Doe
given_name : John
groups : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
ipaddr : XXX.XXX.XXX.XXX
name : John Doe
oid : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
onprem_sid : S-1-5-21-XXXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXXX-XXXX
puid : 100300009F48D725
rh : 0.AQwAjLgeeqQXnk-t-11BVU6tsXYoywG9fqRKnMnSi9TTWamWABY.
scp : policy_management
sub : XG_SNxELJN0kQwsVWO0zq7pC-WI_1RepG9_r28Gm4dA
tenant_region_scope : EU
tid : XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
unique_name : [email protected]
upn : [email protected]
uti : 7pUzUgsev0yphNowcFpzAA
ver : 1.0
wids : {XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX, XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX...}
xms_sk : true
xms_sptype : 0
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): Y
VERBOSE: POST with -1-byte payload
VERBOSE: received 322-byte response of content type application/json; charset=utf-8
VERBOSE: GET with 0-byte payload
VERBOSE: received 927-byte response of content type application/json; charset=utf-8
WARNING: Got unauthorized_client error. Please try again.
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb07c496e666","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z
At C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.7.8\PRT.ps1:1724 char:13
+ throw $details.error_description
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (AADSTS650051: {...05-17 11:15:41Z:String) [], RuntimeException
+ FullyQualifiedErrorId : AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"d350aa9f-1949-472f-87b6-eb07c496e666","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 167abd5c-68be-4f65-acf1-d5189a8e4200
Correlation ID: 6bba4aa6-c2fa-4273-817a-096d3f023e95
Timestamp: 2023-05-17 11:15:41Z
from aadinternals.
I got a response from Microsoft regarding my issue with bulk token requests through WCD. It is caused by our tenant authentication using Federated and us testing password hash sync authentication through AAD Connect's staged rollout feature. My account is one of those being tested.
This is the full response:
"The operation returned empty response. Please try again." The error can occur if the account you use to authenticate with AAD when you click Get Bulk Token is a user account enabled for Seamless SSO staged rollout, which means it's treated as a managed user for authentication purposes, and because of that the bulk endpoint incorrectly determines the domain the user is in as managed. This causes an error when creating a pseudo user account in the domain to represent the bulk token.
Federated user accounts enabled for staged rollout will not work for retrieval of bulk tokens. Workarounds:
• Kindly use the user account not enabled for staged SSO
• Please try creating a new user account or use a different managed user account to generate the provisioning package.
I had one of our other administrators who's not in the SSO test try WCD and AAD Internals, and they were able to successfully request a bulk token with both tools.
Sounds like this issue can be closed since I know the source of the problem.
from aadinternals.
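A triage helper for the error text shown in the transcripts above, added here as an example; it is not part of AADInternals or of Microsoft's tooling. It parses the thrown error_description into the Graph error code, the missing property and the Trace/Correlation IDs a support ticket needs, and flags the staged-rollout cause Microsoft gave in the last comment. It assumes the input is the string that `throw $details.error_description` raises (i.e. `$_.Exception.Message` inside a `catch`), possibly hard-wrapped if pasted from the console.

```powershell
function ConvertFrom-AadstsBulkTokenError {
    param([Parameter(Mandatory)][string]$ErrorDescription)
    $text = $ErrorDescription
    if (-not ($text -match '^\s*(AADSTS\d+):')) { throw "Not an AADSTS error: $text" }
    $code = $Matches[1]
    # The JSON body runs from the first '{' to the last '}'. Output pasted from the
    # console may be hard-wrapped inside it, so drop line breaks before parsing.
    $start = $text.IndexOf('{'); $end = $text.LastIndexOf('}')
    if ($start -lt 0 -or $end -le $start) { throw 'No JSON body found in error text' }
    $json  = $text.Substring($start, $end - $start + 1) -replace '\r?\n', ''
    $odata = (ConvertFrom-Json $json).'odata.error'
    # "values" is a list of {item, value} pairs; flatten it into a lookup table.
    $props = @{}
    foreach ($v in @($odata.values)) { $props[$v.item] = $v.value }
    # Trace/Correlation IDs and the timestamp live in the trailing lines, not the JSON.
    $guid    = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $traceId = if ($text -match "Trace ID:\s*($guid)") { $Matches[1] } else { $null }
    $corrId  = if ($text -match "Correlation ID:\s*($guid)") { $Matches[1] } else { $null }
    $stamp   = if ($text -match 'Timestamp:\s*(\S+\s+\S+)') { $Matches[1] } else { $null }
    # The failure discussed in this thread: the bulk endpoint tried to create the
    # pseudo user in a federated domain without a SourceAnchor, which Microsoft
    # attributed to the signing-in account being enabled for staged rollout.
    $cause = $null
    if ($code -eq 'AADSTS650051' -and $props['PropertyName'] -eq 'immutableId') {
        $cause = 'Pseudo-user creation failed in a federated domain (immutableId missing). ' +
                 'Check whether the signing-in account is in staged rollout; retry with one that is not.'
    }
    [pscustomobject]@{
        Code = $code; GraphErrorCode = $odata.code; Message = $odata.message.value
        MissingProperty = $props['PropertyName']; PropertyError = $props['PropertyErrorCode']
        RequestId = $odata.requestId; TraceId = $traceId; CorrelationId = $corrId
        Timestamp = $stamp; LikelyCause = $cause
    }
}
# Constructed sample in the shape of the thrown text; the IDs are placeholders.
$sample = @'
AADSTS650051: {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"SourceAnchor is a required property for creation of a federated user."},"requestId":"00000000-0000-0000-0000-00000000aaaa","date":"2023-05-17T11:15:41","values":[{"item":"PropertyName","value":"immutableId"},{"item":"PropertyErrorCode","value":"PropertyRequired"}]}}
Trace ID: 00000000-0000-0000-0000-00000000bbbb
Correlation ID: 00000000-0000-0000-0000-00000000cccc
Timestamp: 2023-05-17 11:15:41Z
'@
ConvertFrom-AadstsBulkTokenError $sample | Format-List
# Against the real cmdlet: try { New-AADIntBulkPRTToken -Name "package_$(New-Guid)" }
#                          catch { ConvertFrom-AadstsBulkTokenError $_.Exception.Message }
```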